Can you do anything other than patching apps' compiled-code/cert-files (which is app-specific, requires manual analysis and patching + super-user/root) to intercept TLS traffic of apps that use certificate pinning?

The answer seems to be No, from mitmproxy's docs:

Certificate Pinning

Some applications employ Certificate Pinning to prevent man-in-the-middle attacks. This means that mitmproxy and mitmdump’s certificates will not be accepted by these applications without modifying them. It is recommended to use the passthrough feature in order to prevent mitmproxy and mitmdump from intercepting traffic to these specific domains. If you want to intercept the pinned connections, you need to patch the application manually. For Android and (jailbroken) iOS devices, various tools exist to accomplish this.

I understand that certificate pinning is part of the trust model of these apps, but at the same time, as a user, I would like to sniff/intercept their traffic for analysis, locally on my device, in order to derive statistics/insights on my habits and behavior from events such as emails sent (using ProtonMail), messages sent (using Signal/WhatsApp) or any event that can be deduced from the analysis of traffic (using something similar to, or as powerful as, mitmproxy's Python scripting API or Scapy's filters).

Wis

2 Answers

No, there is no way to bypass certificate pinning without application patching or using a debugger (tracer). The reason is that, in simple words, certificate pinning is when a CA certificate is hardcoded into the application. This application sets the certificate as the only root of trust to establish a network connection. On Android it's carried out via a TrustManager implementation.

You have the following options:

  1. Reverse engineer, modify and re-pack the application.
  2. Attach Frida to unpin certificate (e.g. there is a code snippet for Android).
  3. Attach Frida to read traffic right before encryption.

You don't need root (superuser, jailbreak) if you use a Frida Gadget, which should be injected into the application before installation. E.g. see how to use Frida without root on Android.

Note that in some cases applications don't have real certificate pinning. For instance, there is a known issue that Android applications by default trust ONLY the system certificate store, so a user's custom MITM certificate just doesn't work there by default.

Alexander Fadeev
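The root-of-trust model the answer describes, as an added example that is not from the answer or from any project named on this page: a Go client-side pin check that anchors trust in hardcoded SPKI hashes rather than the device CA store, with two constructed self-signed certificates standing in for the real server's key and a proxy CA (the names `spkiPin`, `checkPins` and `selfSigned` are this example's own).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the certificate's SubjectPublicKeyInfo; this base64 SHA-256 is
// the value HPKP and Android's network_security_config <pin> element carry.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPins is what a tls.Config.VerifyPeerCertificate callback would run on the
// parsed chain: the hardcoded pins are the only root of trust, so a proxy CA the
// user installed into the device store is still rejected.
func checkPins(pins map[string]bool, chain []*x509.Certificate) error {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return nil
		}
	}
	return fmt.Errorf("pinning: no certificate in chain matches a pinned key")
}

// selfSigned builds a throwaway self-signed certificate (constructed test data).
func selfSigned() *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	server, proxy := selfSigned(), selfSigned()    // the real server key vs. a proxy CA
	pins := map[string]bool{spkiPin(server): true} // what the app ships hardcoded
	fmt.Println("server:", checkPins(pins, []*x509.Certificate{server})) // <nil>
	fmt.Println("proxy: ", checkPins(pins, []*x509.Certificate{proxy}))  // error
}
```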
If you are asking if there is a way to decrypt TLS data without rooting your device or patching the executable, the answer will probably be no.

But if you are asking if there are some other ways you can decrypt TLS data without having to bypass TLS certificate pinning.

For example, this is a little tool I've made for decrypting TLS data on iOS devices which utilizes the Frida framework to inject itself and hook the function that handles TLS encryption, so that you can print out the plain buffers before they are encrypted.

https://github.com/gkpln3/ios_ssl_sniffer

gkpln3
  • There **is** a *general* way to sniff/decrypt TLS traffic without root or patching programs (programs that are not certificate pinning or ignoring the device's manually installed root certificates): the way mitmproxy does it + Anti-Virus software such as Avast and Kaspersky do it (or used to) on PC; now, with iOS's limitations, something like mitmproxy running locally on device would need to be implemented with NetworkExtension like any other VPN or Proxy app on the App Store. With tools such as Frida you can do anything, but it requires root and being hooked to a second system. – Wis May 13 '20 at 19:16
  • @Wis, You are right, I meant for applications that do use certificate pinning. – gkpln3 May 16 '20 at 21:09