Certificate Pinning is an extra layer of security to achieve protection against man-in-the-middle. It ensures only certified Certificate Authorities (CA) can sign certificates for your domain, and not any CA in your browser store.
Application developers implement Certificate pinning to avoid reverse engineering, it allows developers to specify which certificate the application allowed to trust. Instead of relying on the certificate store.
Analyzing Source Code for SSL Pinning
By searching for strings like “checkClientTrusted” or “checkServerTrusted“, it would show you a piece of code with pinning.
If the code isn’t obfuscated, then we will modify the code to get rid of the pinning, recompile and sign with the APKTOOL.
Also, you can do a static analysis with a Security framework like MOBSF, if you find “Certificate/Key Files Hard-coded inside the App” or “Hardcoded Keystore Found” then it has SSL pinning.
Bypass SSL Pinning
In order to disable the promise, we want to decompile the application file and find the method bound for pinning control and remove the check. The end goal is to have the client accept your own SSL certificate as valid.
We are taking an android application in our scenario, if you have the device rooted then you can use Xposed Framework modules available to disable SSL Pinning. It is a very simple and straightforward method.
But the best way is to conduct a manual review by disassembling the apk you will need to locate where within the small source code the certificate pinning checks are done.
$ apktool -d test.apk
Searching the small code for keywords such as “X509TrustManager”, “cert”, “pinning”, to find where the certificate pinning login is keywords such as “X509TrustManager”, “cert”, “pinning”, etc, to find where the certificate pinning login is performed.
Once you have finished modifying the code need to compile and resign the app with a developer certificate. The code signing certificate here provides the integrity and ensures the application does not tamper.
$ apktool b test/ -o example.modified.apk
After this, the app needs to just be reinstalled on the device and tested against. Once installed the app still, works, as supposed, however, is currently prone to a man in the middle attack as a result of the pinned certificate being bypassed.
Bypassing certificate pinning either of those ways permits you to effectively conduct a man in the middle attack on the apps that shielded with HTTPS and SSL having the ability to intercept session tokens and even seeing usernames and passwords in plain text in a tool like a burp suite or fiddler.
Mitigation – Bypass SSL
The certificate is tended to expire as per CAB forum CA certificates will not be issued with the maximum period of 3 years. So you should plan an app update with an updated certificate.
We should implement obfuscation methods to avoid our source code to be decompiled. You can submit an app for pentesting companies for source code analysis.