SSL Pinning: Introduction & Bypass for Android | NII Consulting (2024)


SSL Pinning: Introduction & Bypass for Android

What is SSL Pinning?

SSL pinning makes the application trust only a pre-defined certificate or public key for its server, instead of any certificate that chains to a CA in the device trust store. Application developers use it as an additional security layer for application traffic. Normally an application accepts any certificate issued by a CA the device trusts, which is exactly what lets a proxy tool intercept the traffic once its CA is installed on the device. With pinning in place, a certificate that does not match the pinned value is rejected even if the device trusts the CA that issued it, so proxy tools can no longer intercept the traffic.

Why do we need to implement SSL Pinning?

SSL pinning is an additional security layer against man-in-the-middle (MITM) attacks and traffic sniffing. To intercept requests we mostly use a proxy tool: its CA certificate is installed on the device, the application trusts that CA as valid, and the proxy can then present forged server certificates and read the application traffic. (Since Android 7, apps trust user-installed CAs only if their Network Security Config opts in, so on newer devices the proxy CA usually has to be placed in the system store of a rooted device; pinning is the layer that still holds even when the CA itself is trusted.)

Ways to Implement SSL Pinning :-

  1. Certificate Pinning
  2. Public Key Pinning
  • Certificate Pinning :- In certificate pinning, the developer hardcodes the server certificate (in practice its SHA-256 hash) into the application code. When the application communicates with the server, it compares the certificate presented in the TLS handshake against the pinned value. If it matches, the application sends the request; if it does not, the application throws an SSL certificate error. This prevents an attacker from substituting his/her own self-signed or proxy-issued certificate. The drawback is that the pin breaks whenever the server certificate is renewed, so the app has to ship an update.
  • Public Key Pinning :- In public key pinning the application pins the server's public key (the SHA-256 hash of its SubjectPublicKeyInfo) rather than the whole certificate. The check is the same, but the pin keeps working across certificate renewals as long as the same key pair is reused, which is why this is the form Android's Network Security Config and OkHttp's CertificatePinner use. (The idea of a server "injecting" its key into a visiting browser refers to HTTP Public Key Pinning, a browser-side mechanism that major browsers have since removed; it does not apply to Android apps.) This technique also prevents an attacker from using his/her self-signed certificate.
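To make the difference between the two pin types concrete, here is an added example (not part of the original post) that computes both pins with the openssl CLI for a constructed key pair and two certificates issued for it, and then applies the check a pinning client performs. The hostname, keys and certificates are generated on the fly for the demo; the `sha256/...` value it prints is the form expected by OkHttp's CertificatePinner and the Android Network Security Config `<pin digest="SHA-256">` element.

```shell
#!/bin/sh
# Added example (not from the original post): compute the two kinds of pin for a
# server certificate and show why a public-key (SPKI) pin survives certificate
# renewal while a whole-certificate pin does not. Needs only the openssl CLI.
# The key pair, certificates and hostname below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Certificate pin: SHA-256 over the DER-encoded certificate, base64 encoded.
cert_pin() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -binary | openssl base64
}

# Public-key pin: SHA-256 over the DER-encoded SubjectPublicKeyInfo, base64
# encoded. Prefixed with "sha256/", this is the value OkHttp's CertificatePinner
# and the Android Network Security Config expect.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# What a pinning client does: accept the connection only if the presented
# certificate's SPKI hash is in the pin set.
# Usage: pin_check CERT_FILE PIN...   (exit 0 = trusted, 1 = pin mismatch)
pin_check() {
    cert=$1; shift
    presented="sha256/$(spki_pin "$cert")"
    for pin in "$@"; do
        [ "$pin" = "$presented" ] && return 0
    done
    return 1
}

# Constructed demo material: one key pair and two certificates for it (the
# second stands in for a renewed certificate issued for the same key), plus a
# certificate for a different key, as an intercepting proxy would forge.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=api.example.test" -days 30 -out "$WORK/cert1.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=api.example.test" -days 60 -out "$WORK/cert2.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/proxy.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/proxy.pem" -subj "/CN=api.example.test" -days 30 -out "$WORK/proxy-cert.pem" 2>/dev/null

# The app ships this pin set (here: one pin, derived from the original cert).
PIN_SET="sha256/$(spki_pin "$WORK/cert1.pem")"
echo "pinned value:                    $PIN_SET"
echo "cert pin, original certificate:  $(cert_pin "$WORK/cert1.pem")"
echo "cert pin, renewed certificate:   $(cert_pin "$WORK/cert2.pem")"   # differs
echo "spki pin, renewed certificate:   $(spki_pin "$WORK/cert2.pem")"   # unchanged
if pin_check "$WORK/cert2.pem" "$PIN_SET"; then echo "renewed cert: trusted"; fi
if ! pin_check "$WORK/proxy-cert.pem" "$PIN_SET"; then echo "proxy cert:   rejected"; fi
```

Run it as a plain sh script. Renewing the certificate changes the certificate pin but not the public-key pin, which is why key pinning is the usual choice; a production pin set should also carry a backup key so that a key rotation does not lock every installed client out.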

SSL Pinning Bypass :-

SSL pinning can be bypassed in several ways, especially if it is not properly implemented or protected against tampering.

Some of the SSL pinning bypass techniques are :-

  1. Using automated tools
  2. By Reverse engineering ( Modifying Smali code)
  3. Hooking

  • Using automated tools :- There are multiple open source tools available to bypass SSL pinning, for example the Xposed modules SSLUnpinning and Inspeckage, which hook the common pinning APIs at runtime.

But in many cases the application code is obfuscated, and developers hide the pinning logic (or implement it in a custom TrustManager) in such a way that these tools cannot find it. The biggest disadvantage of automated tools is that most of them require a rooted device. So, if the application refuses to run on a rooted device and its root detection is not defeated first, SSL pinning cannot be bypassed with automated tools.

  • By Reverse engineering (Modifying Smali Code) :- The most common way to bypass SSL pinning is by reverse engineering. Reverse engineering an Android application to see how it is built is straightforward: a tool such as apktool decompiles the APK into smali (Dalvik assembly), resources and native libraries. The decompiled tree contains directories such as smali, assets and lib, which hold the SSL pinning code, the application logic and so on. To bypass pinning, the attacker must find the pinning code and tamper with its validation or trust check. After the modification the attacker recompiles the application with apktool and signs it with his/her own private key using jarsigner (the key is generated with keytool).

Steps to Reproduce :-

  1. Download the application whose SSL pinning is to be bypassed.
  2. Download apktool (a command line tool for decompiling and recompiling APKs).
  3. Now use apktool to decompile the application:
  4. apktool d application.apk
  • The above command decompiles the application and gives access to all of its code and resources, in directories such as smali (plus smali_classes2 and so on for multidex apps), lib, original, unknown, assets, build and res.
  • The decompiled code is smali, the assembly-like form of the Dalvik bytecode compiled from the app's Java or Kotlin source, so modifying it requires an understanding of that code.
  • Now find the SSL pinning code. It usually lives in an implementation of javax.net.ssl.X509TrustManager, i.e. in methods named checkServerTrusted and checkClientTrusted, or in OkHttp's okhttp3.CertificatePinner. These functions compare the certificate or public key hash of the presented chain against the pinned value; understanding them and changing what they return is what makes the bypass work.
  • These trust-check methods return void (return-void in smali), so inserting return-void as the first instruction of the method makes it exit before any of the certificate verification code runs.

For details, see the smali of the pinning code before and after modification.

Before modification of checkServerTrusted and checkClientTrusted: the method verifies the SSL certificate and throws an exception for a wrong certificate; on success it simply returns void.

[Figure: smali of checkServerTrusted and checkClientTrusted before modification]

After modification: since both functions return void (return-void), a return-void was inserted at the start of each function, so the verification code below it is never reached.

[Figure: smali of checkServerTrusted and checkClientTrusted after modification]

After modification, recompile the application using apktool:

  • apktool b application (where application is the decompiled directory)

Apktool creates a dist directory inside the decompiled directory and writes the new, modified APK there (application/dist/application.apk).

Use keytool to generate a key pair for signing the application; Android will not install an unsigned APK.

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

Now sign the modified APK with the generated key using jarsigner:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name

Note that jarsigner produces only a v1 (JAR) signature; apps targeting Android 11 (API 30) or later must carry a v2 or newer signature, so on current devices sign with zipalign and apksigner from the SDK build-tools instead. Then, on the Android device, uninstall the original application (an APK signed with a different key cannot be installed over it), install the modified one, and intercept the traffic with the proxy tool.
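The procedure above as a script, added here and not part of the original post: patch_smali makes the smali edit (return-void as the first instruction of checkServerTrusted and checkClientTrusted) with awk, first_insn inspects the result, and rebuild_and_sign runs the apktool, zipalign and apksigner steps. The TrustManager class in the sample smali is constructed for the demo and not taken from any real application; the SDK build-tools on PATH, the keystore path and the key alias are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Only patch_smali and first_insn
# run here on a constructed sample; rebuild_and_sign assumes apktool, zipalign
# and apksigner on PATH and a keystore created with the keytool command above.
set -eu

# Insert "return-void" as the first instruction of every checkServerTrusted /
# checkClientTrusted method so the real verification below it never runs.
# It goes right after the .locals/.registers directive, which smali requires
# before any code; the rest of the method becomes dead code that the dex
# verifier does not examine.
patch_smali() {
    awk '
        /^\.method/ {
            patch = ($0 ~ /check(Server|Client)Trusted\(/ && $0 ~ /\)V[[:space:]]*$/)
        }
        { print }
        patch && /^[[:space:]]*\.(locals|registers) / {
            print "    return-void"
            patch = 0
        }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the first instruction after the .locals/.registers directive of the
# named method: first_insn FILE METHOD_NAME
first_insn() {
    awk -v m="$2" '
        /^\.method/ { inm = (index($0, m "(") > 0); seen = 0 }
        inm && seen && NF { sub(/^[[:space:]]+/, ""); print; exit }
        inm && /^[[:space:]]*\.(locals|registers) / { seen = 1 }
    ' "$1"
}

# Rebuild and sign: rebuild_and_sign DECOMPILED_DIR KEYSTORE ALIAS
# apksigner emits v1+v2+v3 signatures; jarsigner alone gives v1, which
# Android 11+ rejects for apps targeting API 30 or later.
rebuild_and_sign() {
    apktool b "$1"                                   # writes $1/dist/*.apk
    zipalign -p -f 4 "$1"/dist/*.apk patched-aligned.apk
    apksigner sign --ks "$2" --ks-key-alias "$3" --out patched-signed.apk patched-aligned.apk
    apksigner verify --print-certs patched-signed.apk
}

# Constructed sample (not from any real app): the kind of TrustManager the
# post's screenshots show, before patching. pinMatches is elided.
SMALI=$(mktemp)
trap 'rm -f "$SMALI"' EXIT
cat > "$SMALI" <<'EOF'
.class public Lcom/example/app/net/PinningTrustManager;
.super Ljava/lang/Object;
.implements Ljavax/net/ssl/X509TrustManager;

.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 2
    invoke-direct {p0, p1}, Lcom/example/app/net/PinningTrustManager;->pinMatches([Ljava/security/cert/X509Certificate;)Z
    move-result v0
    if-nez v0, :cond_0
    new-instance v1, Ljava/security/cert/CertificateException;
    const-string v0, "certificate pin mismatch"
    invoke-direct {v1, v0}, Ljava/security/cert/CertificateException;-><init>(Ljava/lang/String;)V
    throw v1
    :cond_0
    return-void
.end method

.method public getAcceptedIssuers()[Ljava/security/cert/X509Certificate;
    .locals 1
    const/4 v0, 0x0
    return-object v0
.end method
EOF

echo "before: $(first_insn "$SMALI" checkServerTrusted)"
patch_smali "$SMALI"
echo "after:  $(first_insn "$SMALI" checkServerTrusted)"   # return-void
# Real run, once the edit is in place:
#   rebuild_and_sign application my-release-key.keystore alias_name
#   adb uninstall com.example.app && adb install patched-signed.apk
```

The awk patch is deliberately narrow: it only touches methods whose name and void return type match, so getAcceptedIssuers and the app's other code are left alone. Run it against every smali and smali_classesN directory, since multidex apps spread classes across them.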

Hooking

Hooking is the technique of modifying or tampering with the application's behaviour at runtime. It can be done with Frida, a framework for dynamic instrumentation: Frida injects a JavaScript agent into the running process, and that agent replaces the implementation of selected Java methods (for example making checkServerTrusted return at once), so the pinning check is defeated without modifying the APK on disk.

In some cases the Android application is obfuscated (obfuscation replaces class, method and field names with short random identifiers, which makes the code much harder for an attacker to understand).

But obfuscation cannot prevent an SSL pinning bypass; it only makes the code harder to read. With obfuscated classes we can still search for function names, strings or keywords that reveal the pinning code: renamed classes still call the unchanged platform APIs (X509TrustManager, checkServerTrusted, okhttp3/CertificatePinner, CertificateException), and hardcoded pin values and error strings survive obfuscation. A string search tool such as Agent Ransack can locate these keywords across the decompiled tree, and the code can then be modified accordingly.
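The hooking approach in runnable form, added here and not from the original post: a shell wrapper that writes a Frida script and spawns the target app with it. The script first targets a hypothetical app class (com.example.app.net.PinningTrustManager, standing in for whatever the smali search above turned up, and assumed to have a single checkServerTrusted overload), then OkHttp 3's CertificatePinner, and finally replaces the TrustManager in every SSLContext.init() call so that pinning done through any custom TrustManager is neutralised as well. It assumes frida-server is running on a rooted device or emulator and the Frida CLI is installed on the host.

```shell
#!/bin/sh
# Added example (not from the original post): Frida does at runtime what the
# smali edit does on disk. Assumes a rooted device/emulator with frida-server,
# the frida CLI on the host, and the target package name as $1. The class
# com.example.app.net.PinningTrustManager is a hypothetical stand-in.
set -eu

# Write the hook script to the path given as $1.
write_unpin_script() {
    cat > "$1" <<'EOF'
Java.perform(function () {
    // 1. App-specific pinning class (name taken from the decompiled smali;
    //    hypothetical here). Make checkServerTrusted return immediately,
    //    exactly like the return-void patch.
    try {
        var Pinner = Java.use('com.example.app.net.PinningTrustManager');
        Pinner.checkServerTrusted.implementation = function (chain, authType) {
            console.log('[unpin] checkServerTrusted bypassed for ' + authType);
        };
    } catch (e) {
        console.log('[unpin] app TrustManager not found: ' + e);
    }

    // 2. OkHttp 3 CertificatePinner.check(String, List<Certificate>):
    //    a pin mismatch throws SSLPeerUnverifiedException, so just return.
    try {
        var CertificatePinner = Java.use('okhttp3.CertificatePinner');
        CertificatePinner.check.overload('java.lang.String', 'java.util.List')
            .implementation = function (hostname, peerCertificates) {
                console.log('[unpin] CertificatePinner.check skipped for ' + hostname);
            };
    } catch (e) {
        console.log('[unpin] okhttp3.CertificatePinner not present: ' + e);
    }

    // 3. Generic fallback: every SSLContext.init() gets a TrustManager that
    //    accepts any chain, so a custom TrustManager the hooks above did not
    //    name is neutralised too.
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    var SSLContext = Java.use('javax.net.ssl.SSLContext');
    var TrustAll = Java.registerClass({
        name: 'com.example.unpin.TrustAll',
        implements: [X509TrustManager],
        methods: {
            checkClientTrusted: function (chain, authType) {},
            checkServerTrusted: function (chain, authType) {},
            getAcceptedIssuers: function () { return []; }
        }
    });
    SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;',
                             '[Ljavax.net.ssl.TrustManager;',
                             'java.security.SecureRandom')
        .implementation = function (km, tm, sr) {
            console.log('[unpin] SSLContext.init: replacing TrustManager');
            this.init(km, [TrustAll.$new()], sr);
        };
});
EOF
}

# Spawn the app with the script injected before any network code runs.
run_unpin() {            # run_unpin PACKAGE_NAME
    write_unpin_script unpin.js
    frida -U -f "$1" -l unpin.js     # Frida releases before 16 also need --no-pause
}

if [ $# -eq 1 ]; then
    run_unpin "$1"
fi
```

Spawning with -f rather than attaching to a running process matters: pinning objects are usually created during app start, and a hook installed afterwards would miss them. Hooks 1 and 2 are wrapped in try/catch because the classes they name exist only in some apps.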

Prevention of SSL Pinning Bypass :-

One proposed countermeasure to SSL pinning bypass is two-way SSL authentication, also known as mutual authentication between client and server: after the server has authenticated itself to the client, the application (acting as the SSL client) presents its own certificate for the server to validate. This only helps if the client private key cannot be extracted from the application; a key bundled in the APK can be pulled out by the same reverse engineering and reused by the attacker's proxy.

Two-way SSL is usually complex to implement, so the practical defence is to make modification or reverse engineering of the application costly: integrity checks on the APK signature, root and instrumentation detection, and obfuscation raise the bar for the reverse engineering and hooking methods described above, though none of them makes a bypass impossible on a device the attacker controls.

Tools which can be used for Bypassing SSL Pinning :-

  • apktool (command line tool for decompiling and recompiling Android applications)
  • keytool (command line tool for generating the signing key pair and keystore)
  • jarsigner (command line tool for signing the application)
  • Agent Ransack (GUI tool for finding a string or function name in the decompiled code)
  • Easy Apktool (GUI front end for decompiling, recompiling and signing the application)
  • String finder (GUI tool for finding a string or function name)



Aman Bhardwaj
