Android Cert Pinning Bypass

Prerequisite

  • a rooted Android device (frida-server has to run as root)
  • Python 3 on the workstation, used to install frida-tools

Download Frida

  • install frida-tools on your Windows, Linux or macOS workstation (see the tutorial here)

    pip install frida-tools

  • download the frida-server build for Android here; pick the build for the device's CPU ABI and the same version as your frida-tools (check with frida --version and adb shell getprop ro.product.cpu.abi), then extract it and rename the binary to frida-server

  • push it to the device and start it as root

    $ adb push frida-server /data/local/tmp/ 
    $ adb shell
    android$> su
    android#> chmod 755 /data/local/tmp/frida-server
    android#> /data/local/tmp/frida-server &
  • connect from the PC and list the device's processes; if adb sees the device and frida-server is running, frida-ps -U prints them

    C:\users\kth> frida-ps -U 
    PID Name
    ---- --------------------------------------------------
    1897 .
    1722 .esfm
    252 6620_launcher
    313 adbd
    995 android.process.acore
    792 android.process.media
    312 bmc156d
    253 ccci_fsd
    254 ccci_mdinit
    3658 com.android.chrome
    3723 com.android.chrome:privileged_process0
    3692 com.android.chrome:sandboxed_process0
    1059 com.android.phone
    3269 com.android.providers.calendar
    3811 com.android.providers.partnerbookmarks
    774 com.android.systemui
    1625 com.android.vending
    2961 com.android.vending:instant_app_installer
    1870 com.dewmobile.kuaiya.play
    1508 com.estrongs.android.pop
    1559 com.estrongs.android.pop:ka
    3404 com.google.android.deskclock
    3599 com.google.android.gm
    1349 com.google.android.gms

Android SSL Pinning

Certificate pinning is a security mechanism that lets HTTPS websites, and applications that consume HTTPS services, resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. Instead of accepting any certificate the device's trust store would validate, a pinning client only accepts a specific certificate or public key (or a chain ending at a specific CA) for a given host.

Certificate pinning therefore mitigates or severely reduces the effectiveness of MITM attacks that rely on presenting a forged TLS certificate for the back-end server. That includes the certificates an interception proxy such as Burp generates on the fly: even with the proxy's CA installed on the device, a pinned app rejects them, so the pinning check itself has to be defeated.

Idea to Bypass

  • load our custom CA (the interception proxy's CA certificate) from a file on the device
  • create our own KeyStore containing that CA as its only trusted entry
  • build a TrustManager from that KeyStore
  • hook SSLContext.init() so the TrustManager the app passes in (the one carrying its pinning logic) is replaced by ours

  • push the custom CA (Burp's CA certificate, exported in DER format) to the device

    $ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt

  • spawn the app under Frida with the bypass script loaded (-U selects the USB device, -f spawns the package, -l loads the JavaScript agent); --no-pause lets the app run as soon as the script is injected. Newer Frida releases do this by default and no longer accept --no-pause, so drop the flag if the CLI rejects it

    C:\Users\kth> frida -U -f com.test.mobile -l cert-unpinn-frida.js --no-pause
    [+] Cert Pinning Bypass/Re-Pinning
    [+] Loading our CA...
    [o] Our CA Info: CN=PortSwigger CA, OU=PortSwigger CA, O=PortSwigger, L=PortSwigger, ST=PortSwigger, C=PortSwigger
    [+] Creating a KeyStore for our CA...
    [+] Creating a TrustManager that trusts the CA in our KeyStore...
    [+] Our TrustManager is ready...
    [+] Hijacking SSLContext methods now...
    [-] Waiting for the app to invoke SSLContext.init()...

Here is the Code
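The page's own cert-unpinn-frida.js is not reproduced here. What follows is an added example, written for this page rather than taken from it, of a Frida agent that implements the four steps above: it reads the DER CA from /data/local/tmp/cert-der.crt (the path used in the adb push step; the constant CERT_PATH is an assumption you may need to change), builds a KeyStore and TrustManager around it, and hooks the three-argument SSLContext.init overload so that the app's TrustManager[] is swapped for ours. The two helper functions take Frida's Java bridge as a parameter instead of reaching for the global, so the hook logic can be exercised with a stand-in bridge outside a device; only the guarded block at the bottom needs real Frida.

```javascript
// Added example (not the page's own cert-unpinn-frida.js): a Frida agent that
// replaces the app's TrustManager with one trusting only our proxy CA.
// Assumption: the DER-encoded CA was pushed to CERT_PATH with adb (see above).
// Run with:  frida -U -f com.test.mobile -l cert-unpinn-frida.js
"use strict";

const CERT_PATH = "/data/local/tmp/cert-der.crt"; // assumed path, matches adb push step

// The exact SSLContext.init overload we hook; the TrustManager[] is argument 2.
const SSLCONTEXT_INIT_SIG = [
  "[Ljavax.net.ssl.KeyManager;",
  "[Ljavax.net.ssl.TrustManager;",
  "java.security.SecureRandom",
];

// Read the CA from disk, put it in a fresh in-memory KeyStore and derive a
// TrustManager[] from it. `Java` is Frida's Java bridge, passed in explicitly.
function buildTrustManagers(Java, certPath) {
  const CertificateFactory = Java.use("java.security.cert.CertificateFactory");
  const FileInputStream = Java.use("java.io.FileInputStream");
  const BufferedInputStream = Java.use("java.io.BufferedInputStream");
  const X509Certificate = Java.use("java.security.cert.X509Certificate");
  const KeyStore = Java.use("java.security.KeyStore");
  const TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");

  console.log("[+] Loading our CA...");
  const cf = CertificateFactory.getInstance("X.509");
  const stream = BufferedInputStream.$new(FileInputStream.$new(certPath));
  const ca = cf.generateCertificate(stream);
  stream.close();
  console.log("[o] Our CA Info: " + Java.cast(ca, X509Certificate).getSubjectDN());

  console.log("[+] Creating a KeyStore for our CA...");
  const keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
  keyStore.load(null, null); // start from an empty store, no password
  keyStore.setCertificateEntry("ca", ca);

  console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
  const tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
  tmf.init(keyStore);
  return tmf.getTrustManagers();
}

// Hook SSLContext.init so the TrustManager[] the app supplies (usually the one
// doing the pinning) is discarded in favour of ours. Returns the hooked overload.
function installSslContextHook(Java, trustManagers) {
  const SSLContext = Java.use("javax.net.ssl.SSLContext");
  const init = SSLContext.init.overload(...SSLCONTEXT_INIT_SIG);
  init.implementation = function (keyManagers, appTrustManagers, secureRandom) {
    console.log("[o] App invoked SSLContext.init(); replacing its TrustManager");
    return init.call(this, keyManagers, trustManagers, secureRandom);
  };
  return init;
}

// Entry point: only runs inside Frida, where the Java bridge global exists.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    console.log("[+] Cert Pinning Bypass/Re-Pinning");
    const trustManagers = buildTrustManagers(Java, CERT_PATH);
    installSslContextHook(Java, trustManagers);
    console.log("[-] Waiting for the app to invoke SSLContext.init()...");
  });
}
```

This only covers apps whose TLS goes through javax.net.ssl.SSLContext with a custom TrustManager; pinning implemented with OkHttp's CertificatePinner, a network security config, or a native TLS stack is not touched by this hook and needs its own. Replacing the TrustManager rather than installing the CA as a user certificate is also what makes this work on Android 7 and later, where apps do not trust user-added CAs by default.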