
I am working on analyzing Android applications from my phone using mitmproxy. My Android phone version is 4.4.2, the SDK is 19 and it's rooted. I have performed all the WiFi configuration required for MITM, using a manual proxy with the proxy hostname and gateway set to the IP address of the host machine and the port set to 8080. When I run the proxy, I can see traffic and clientconnect message logs, which show that the proxy is working just fine. The problem occurs when I analyze applications like WhatsApp, Facebook etc. or open the Google browser on my phone. The messages I send through WhatsApp don't get delivered to the recipient during the session. The account details entered in the Facebook form don't get forwarded, and it displays a "Check your internet connection settings" message. The only service that works over the internet is email. Any attachments sent over email get delivered successfully to the receivers. All other applications fail to work due to connectivity issues.

When I reviewed the proxy communication logs created for the mitm-captured traffic, I could see the following message:

Client Handshake failed. The client may not trust the proxy's certificate for media-sin6-2.cdn.whatsapp.net.

A similar message was noticed in the logs for the Skype application. This indicates an issue with certificate pinning, where the application might not be trusting the certificate provided by the proxy. Interestingly, I have the CA certificate for mitm installed on my phone as a trusted credential, along with the JustTrustMe application installed in the Xposed Framework to kill SSL certificate pinning.

After going through a number of blogs, articles and tutorials on bypassing certificate pinning, I installed the SSL-unpinning 2.0 module for the Xposed framework. I tried unpinning both WhatsApp and Skype one by one, but it didn't work either. I don't need to patch code or decompile the APK source. Please guide me on how I can make my analysis work by bypassing the SSL certificate pinning without making use of BurpSuite/Frida tools.

The sources I reviewed before posting are the following:

https://kov4l3nko.github.io/blog/2018-01-21-justtrustme-android-ssl-pinning/

https://blog.dewhurstsecurity.com/2015/11/10/mobile-security-certificate-pining.html

https://stackoverflow.com/questions/61710190/mitmproxy-not-showing-traffic-for-android-app?rq=1

https://stackoverflow.com/questions/57993712/no-internet-connection-in-android-after-using-mitmproxy

https://www.welivesecurity.com/2016/09/08/avoid-certificate-pinning-latest-versions-android/

Android SSL trust killer mitigation?

Is there no way to bypass certificate pinning without patching apps?

Disable or bypass SSL Pinning/Certificate Pinning on Android 6.0.1

user399
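The handshake-failure line quoted in the question is the most useful diagnostic the proxy gives: if every HTTPS host fails to negotiate (browser included), the device does not trust the proxy's CA at all; if only certain apps' hosts fail while browser traffic flows, the remaining failures are per-app behaviour such as pinning. The script below is an added example, not code from the question or from mitmproxy; it groups the failure messages by host and contrasts them with hosts that completed HTTPS flows. The failure message format is the one quoted above, the request-line format is an assumption about mitmdump output, and the log lines are constructed.

```python
"""Triage mitmproxy log lines: which hosts fail the client TLS handshake
versus which hosts complete HTTPS flows through the proxy."""
import re
from collections import Counter
from urllib.parse import urlparse

# The failure message as quoted in the question; the host name at the end is captured
# without the sentence's trailing period.
FAILED_RE = re.compile(
    r"Client Handshake failed\. The client may not trust the proxy's certificate for "
    r"([\w-]+(?:\.[\w-]+)*)"
)
# Request lines as mitmdump prints them ("GET https://host/path ..."): assumed format.
REQUEST_RE = re.compile(r"\b(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH)\s+(https?://\S+)")


def triage(lines):
    """Return (handshake failures per host, set of hosts with successful HTTPS flows)."""
    failed = Counter()
    ok = set()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(1)] += 1
            continue
        m = REQUEST_RE.search(line)
        if m:
            url = urlparse(m.group(1))
            # A request line for an https:// URL means the client handshake succeeded.
            if url.scheme == "https" and url.hostname:
                ok.add(url.hostname)
    return failed, ok


def diagnose(failed, ok):
    """Coarse verdict: nothing negotiates (check the CA on the device and which
    confdir/CA the proxy is using) versus only specific hosts refusing the cert."""
    if failed and not ok:
        return "no-https-succeeds"
    if failed and ok:
        return "selective-failure"
    return "no-handshake-failures"


# Constructed sample log: the failure lines mirror the message from the question.
SAMPLE_LOG = [
    "192.168.0.12:41022: clientconnect",
    "192.168.0.12:41022: Client Handshake failed. The client may not trust the proxy's certificate for media-sin6-2.cdn.whatsapp.net.",
    "192.168.0.12:41030: clientconnect",
    "192.168.0.12:41030: GET https://www.google.com/ HTTP/1.1",
    "192.168.0.12:41030:  << 200 OK 12.3k",
    "192.168.0.12:41044: Client Handshake failed. The client may not trust the proxy's certificate for media-sin6-2.cdn.whatsapp.net.",
]

if __name__ == "__main__":
    failures, succeeded = triage(SAMPLE_LOG)
    print(diagnose(failures, succeeded), dict(failures), sorted(succeeded))
```

Run it against the real log by replacing SAMPLE_LOG with the lines of the proxy's log file; a verdict of "no-https-succeeds" from a Python-driven session while the CLI session works points at the two sessions not using the same CA.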
  • SSLUnpinning 2.0 is [unpinning WhatsApp](https://imgur.com/OSSXPZk) fine in LineageOS 14.1 (Android 7.1.2). After phone number registration, WhatsApp switches to XMPP protected by Noise pipes (not TLS). XMPP won't pass through an HTTP proxy. You need a raw TCP proxy to MITM WhatsApp. – defalt Jan 06 '21 at 15:47
  • @defalt: I am using Python code to analyze apps, in which I tried analyzing Skype, Instagram and Viber other than WhatsApp, but that doesn't work either. The SSL Unpinning app marks "unpinned" against the app I select, but even the browser doesn't load anything. Just the email functionality works in the environment. I get "Client handshake failed. The client may not trust certificate...". For this I have tried reinstalling the CA certificate. Even after that the situation hasn't changed. – user399 Jan 07 '21 at 07:55
  • @defalt: When I try running mitmproxy separately without the Python code on the CLI, it enables the browser, Skype and YouTube to work, but WhatsApp and Viber don't work in that session either. I am able to see traffic for some applications in the log. But I get a handshake failed notification for my Python code analysis. Some of the flows get captured, but they don't contain the activities performed in the applications tested during the session. Keep in mind, I have the Xposed framework with JustTrustMe+SSLUnpinning installed on an Android 4.4.2 rooted phone. – user399 Jan 07 '21 at 07:58
  • WhatsApp worked fine with my own custom certificate. Maybe it's the Android version. Try on Android 7+. – defalt Jan 07 '21 at 10:21
  • @defalt How did you create a custom certificate? Can you please specify? – user399 Jan 07 '21 at 16:47
  • I use Burpsuite's certificate. – defalt Jan 07 '21 at 18:36
  • @defalt Is it possible without using Burpsuite? – user399 Jan 08 '21 at 14:31
  • You can use any way you want to generate a certificate. I export one from Burpsuite. You can use Fiddler. – defalt Jan 08 '21 at 15:18
  • @defalt Did you use Burpsuite for intercepting traffic too? Or just use its certificate? – user399 Jan 08 '21 at 16:49
  • Only its certificate. Burpsuite is an HTTP proxy which cannot intercept the XMPP traffic of WhatsApp. WhatsApp doesn't use HTTP & TLS. If you want to discuss further, notify me in [chat](https://chat.stackexchange.com/rooms/117414/android-verified-boot). – defalt Jan 08 '21 at 17:25

0 Answers