Bypassing and Disabling SSL Pinning on Android to Perform Man-in-the-Middle Attack

Certificate Pinning is an extra layer of security to achieve protection against man-in-the-middle. It ensures only certified Certificate Authorities (CA) can sign certificates for your domain, and not any CA in your browser store.

Application developers implement Certificate pinning to avoid reverse engineering, it allows developers to specify which certificate the application is allowed to trust. Instead of relying on the certificate store.

Analyzing Source Code for SSL Pinning

By searching for strings like “checkClientTrusted” or “checkServerTrusted“, it would show you a piece of code with pinning.

If the code isn’t obfuscated, then we will modify the code to get rid of the pinning, recompile, and sign with the APKTOOL.

Also, you can do a static analysis with a Security framework like MOBSF, if you find “Certificate/Key Files Hard-coded inside the App” or “Hardcoded Keystore Found” then it has SSL pinning.

Also Read Complete Android penetration Testing Checklist

Bypass SSL Pinning

In order to disable the promise, we want to decompile the application file and find the method bound for pinning control and remove the check. The end goal is to have the client accept your own SSL certificate as valid.

We are taking an Android application in our scenario, if you have the device rooted then you can use Xposed Framework modules available to disable SSL Pinning. It is a very simple and straightforward method.

But the best way is to conduct a manual review by disassembling the apk you will need to locate where within the small source code the certificate pinning checks are done.

$ apktool -d test.apk

Searching the small code for keywords such as “X509TrustManager”, “cert”, “pinning”, to find where the certificate pinning login is keywords such as “X509TrustManager”, “cert”, “pinning”, etc, to find where the certificate pinning login is performed.

Once you have finished modifying the code need to compile and resign the app with a developer certificate. The code signing certificate here provides integrity and ensures the application does not tamper.

$ apktool b test/ -o example.modified.apk

After this, the app needs to just be reinstalled on the device and tested. Once installed the app still, works, as supposed, however, is currently prone to a man-in-the-middle attack as a result of the pinned certificate being bypassed.

Bypassing certificate pinning either of those ways permits you to effectively conduct a man-in-the-middle attack on the apps that are shielded with HTTPS and SSL having the ability to intercept session tokens and even seeing usernames and passwords in plain text in a tool like a burp suite or fiddler.

Mitigation – Bypass SSL

The certificate is tended to expire as per the CAB forum CA certificates will not be issued for a maximum period of 3 years. So you should plan an app update with an updated certificate.

We should implement obfuscation methods to avoid our source code to be decompiled. You can submit an app for pentesting companies for source code analysis.