Certificate Pinning is an extra layer of security to achieve protection against man-in-the-middle. It ensures only certified Certificate Authorities (CA) can sign certificates for your domain, and not any CA in your browser store.
Application developers implement Certificate pinning to avoid reverse engineering, it allows developers to specify which certificate the application is allowed to trust. Instead of relying on the certificate store.
By searching for strings like “checkClientTrusted” or “checkServerTrusted“, it would show you a piece of code with pinning.
If the code isn’t obfuscated, then we will modify the code to get rid of the pinning, recompile, and sign with the APKTOOL.
Also, you can do a static analysis with a Security framework like MOBSF, if you find “Certificate/Key Files Hard-coded inside the App” or “Hardcoded Keystore Found” then it has SSL pinning.
Also Read Complete Android penetration Testing Checklist
In order to disable the promise, we want to decompile the application file and find the method bound for pinning control and remove the check. The end goal is to have the client accept your own SSL certificate as valid.
We are taking an Android application in our scenario, if you have the device rooted then you can use Xposed Framework modules available to disable SSL Pinning. It is a very simple and straightforward method.
But the best way is to conduct a manual review by disassembling the apk you will need to locate where within the small source code the certificate pinning checks are done.
$ apktool -d test.apk
Searching the small code for keywords such as “X509TrustManager”, “cert”, “pinning”, to find where the certificate pinning login is keywords such as “X509TrustManager”, “cert”, “pinning”, etc, to find where the certificate pinning login is performed.
Once you have finished modifying the code need to compile and resign the app with a developer certificate. The code signing certificate here provides integrity and ensures the application does not tamper.
$ apktool b test/ -o example.modified.apk
After this, the app needs to just be reinstalled on the device and tested. Once installed the app still, works, as supposed, however, is currently prone to a man-in-the-middle attack as a result of the pinned certificate being bypassed.
Bypassing certificate pinning either of those ways permits you to effectively conduct a man-in-the-middle attack on the apps that are shielded with HTTPS and SSL having the ability to intercept session tokens and even seeing usernames and passwords in plain text in a tool like a burp suite or fiddler.
The certificate is tended to expire as per the CAB forum CA certificates will not be issued for a maximum period of 3 years. So you should plan an app update with an updated certificate.
We should implement obfuscation methods to avoid our source code to be decompiled. You can submit an app for pentesting companies for source code analysis.
Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make it a highly effective and low-cost…
A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…
ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…
Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…
The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…