
Previously I have been able to bypass SSL Pinning by using the program JustTrustMe with the Xposed framework for nearly every app.

https://github.com/Fuzion24/JustTrustMe

However, it has started to fail on more and more apps recently. The more I read, the more it seems like I have to disassemble every app and patch them one by one.

Is there some application that I have missed that can disable SSL Pinning by hooking onto system commands?

Programs that I have tried:

https://github.com/Fuzion24/JustTrustMe

https://github.com/iSECPartners/Android-SSL-TrustKiller

https://github.com/ac-pm/SSLUnpinning_Xposed

If there is no such program, what is the best way to go?

What I have identified so far:

  1. Try to disassemble the APK, search for keywords such as "X509TrustManager", "cert", "pinning" etc., and modify it accordingly, as in this article: http://blog.dewhurstsecurity.com/2015/11/10/mobile-security-certificate-pining.html

  2. However, it seems that at least one of the apps that I have trouble proxying (Facebook Messenger) is using SSL Pinning in the native layer as well as the Java layer. This is probably the case in many other applications as well, since they worked before with JustTrustMe but have now stopped working. https://serializethoughts.com/2016/08/18/bypassing-ssl-pinning-in-android-applications/

Ogglas
    You'll also notice that the author of SSLUnpinning_Xposed is moving his project pieces to -- https://github.com/ac-pm/Inspeckage – atdre Feb 11 '17 at 22:50
  • The Facebook Messenger app uses SSL pinning AND a reverse proxy; it starts a local proxy and makes all requests and responses go through it – Hichem Apr 01 '20 at 20:32

1 Answer


Did you go through these procedures to get JustTrustMe to bypass the cert pinning? -- http://www.welivesecurity.com/2016/09/08/avoid-certificate-pinning-latest-versions-android/

If you are just looking to intercept WebViews, then appmon, the Frida extension (which allows for API interception), will work well using these techniques -- https://youtu.be/QjLRaIB-97E

If you do end up having to rewrite some code, try to keep it really simple. I found this technique which doesn't mess with the existing cert-pinning code and instead just adds the HTTP traffic to the logging system -- https://blog.securityevaluators.com/how-to-view-tls-traffic-in-androids-logs-6a42ca7a6e55

For a series on repackaging Android apps, be sure to check out:

atdre
  • For Android 7 and higher, check out -- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/bypassing-androids-network-security-configuration/ – atdre Nov 03 '17 at 22:32
  • https://warroom.securestate.com/android-7-intercepting-app-traffic/ – atdre Jan 08 '18 at 20:31
  • https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/ – atdre Jan 17 '18 at 16:09
  • https://blog.netspi.com/four-ways-to-bypass-ios-ssl-verification-and-certificate-pinning/ – atdre Sep 25 '18 at 18:48
  • https://vavkamil.cz/2019/09/15/how-to-bypass-android-certificate-pinning-and-intercept-ssl-traffic/ – atdre Sep 27 '19 at 01:48
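The answer points to Frida (via appmon) as the hooking route, and the question's item 1 describes patching the Java-layer pinning code app by app. The script below is an added example, not code from the question, the answer, or any of the linked projects (JustTrustMe, SSLUnpinning_Xposed, appmon): a Frida script that hooks the three Java-layer pinning paths that most commonly survive an Xposed-based bypass: `okhttp3.CertificatePinner.check`, the Android 7+ Conscrypt `TrustManagerImpl.verifyChain`, and custom `X509TrustManager`s handed to `SSLContext.init`. The Android and OkHttp class and method names are the real ones; the `com.example.unpin.TrustAll` class name, the `com.example.target` package in the usage line, and the injectable `log` callback (there so the hooks can be exercised against a stub `Java` bridge) are assumptions. It does nothing for pinning done in native code, the case the question raises for Facebook Messenger in item 2.

```javascript
'use strict';

// Added example (not from the original question or answer, nor from JustTrustMe,
// SSLUnpinning_Xposed or appmon). Frida script hooking the Java-layer pinning
// paths on Android. Usage (assumed package name and file name):
//
//   frida -U -f com.example.target -l unpin.js --no-pause
//
// Native-code pinning (the Facebook Messenger case) is not touched by these hooks.

// Install `impl` on className.methodName. argTypes selects one overload; null means
// the method has a single overload. Returns false instead of throwing when the class
// is not loaded in this process, so an app without OkHttp still gets the other hooks.
function hookMethod(Java, className, methodName, argTypes, impl, log) {
  let clazz;
  try {
    clazz = Java.use(className);
  } catch (e) {
    log('[-] ' + className + ' not found, skipping');
    return false;
  }
  const method = clazz[methodName];
  if (!method || typeof method.overload !== 'function') {
    log('[-] ' + className + '.' + methodName + ' not found, skipping');
    return false;
  }
  const target = argTypes ? method.overload.apply(method, argTypes) : method;
  target.implementation = impl;
  log('[+] hooked ' + className + '.' + methodName);
  return true;
}

// Replace whatever TrustManager the app passes to SSLContext.init() with one that
// accepts any chain. This covers hand-rolled X509TrustManager pinning.
function hookSslContextInit(Java, log) {
  let X509TrustManager, SSLContext;
  try {
    X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    SSLContext = Java.use('javax.net.ssl.SSLContext');
  } catch (e) {
    log('[-] javax.net.ssl classes not found, skipping');
    return false;
  }
  const TrustAll = Java.registerClass({
    name: 'com.example.unpin.TrustAll', // assumed name; any unused package works
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function (chain, authType) {},
      checkServerTrusted: function (chain, authType) {},
      getAcceptedIssuers: function () { return []; }
    }
  });
  const init = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
  init.implementation = function (keyManagers, trustManagers, secureRandom) {
    log('[*] SSLContext.init: replacing app TrustManager(s)');
    return init.call(this, keyManagers, [TrustAll.$new()], secureRandom);
  };
  log('[+] hooked javax.net.ssl.SSLContext.init');
  return true;
}

// Install every hook and report which ones applied.
function installUnpinningHooks(Java, log) {
  log = log || console.log;
  return {
    // OkHttp3: CertificatePinner.check(hostname, peerCertificates) throws
    // SSLPeerUnverifiedException on a pin mismatch; as a no-op it lets the
    // proxy's certificate through.
    okhttp3: hookMethod(Java, 'okhttp3.CertificatePinner', 'check',
      ['java.lang.String', 'java.util.List'],
      function (hostname, peerCertificates) {
        log('[*] okhttp3 CertificatePinner.check bypassed for ' + hostname);
      }, log),

    // Android 7+ (Conscrypt): TrustManagerImpl.verifyChain() performs the real path
    // validation and returns the validated chain. Its parameter list has changed
    // across releases, so the hook is attached to the single overload present and
    // simply returns the first argument, the untrusted chain, unchanged.
    conscrypt: hookMethod(Java, 'com.android.org.conscrypt.TrustManagerImpl', 'verifyChain', null,
      function (untrustedChain, trustAnchorChain, host) {
        log('[*] TrustManagerImpl.verifyChain bypassed for ' + host);
        return untrustedChain;
      }, log),

    sslcontext: hookSslContextInit(Java, log)
  };
}

// Under Frida the Java bridge is a global; outside Frida (plain node) nothing runs.
if (typeof Java !== 'undefined') {
  Java.perform(function () { installUnpinningHooks(Java); });
}
```

Returning from `verifyChain` before validation also sidesteps the Android 7+ default of not trusting user-installed CAs, so the proxy CA does not need to be in the system store for these hooks to work. Each hook logs once per bypassed check, which is the quickest way to tell which layer an app actually pins in: if traffic still fails to proxy with all three hooks reporting hits, the remaining pinning is in native code or, as the Messenger comment above notes, the app is routing through its own local proxy.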