Bypass SSL Certificate Pinning in Android

Nowadays many android developers started implementing the SSL Pinning to avoid tampering and in turn making our life difficult.

How to find SSL Pinning is implemented in source code?

By searching for strings like "checkClientTrusted" or "checkServerTrusted", it would show you piece of code with pinning.




If code is not obfuscated, then we can modify the code to remove the pinning, recompile and sign using APKTOOL. This would remove the pinning from application.

But in some scenarios, the source code is obfuscated and you need to pentest the application. In such case we need to bypass the SSL Pinning. Rooted device required in order to perform the below task.

1) Configure the device and auditor laptop on same network. Edit the wifi setting of device to point to auditor-laptop and start the Burp accordingly.





2) Then browser the URL http://burp in device and download the CA Certificate and install the same on device.



Same can be verified as shown below.




3) Then install the Cydia Substrate and Android SSL TrustKiller in the rooted device.




4) Open the Substrate app.




Click on Link Substrate Files, grant root privileges and then click on Restart System (Soft). This would restart the device.




5) Now browse the target application, it would start appearing in the burp.

Note : We have used the Appie, Genymotion and Burpsuite for demo.

Comments

  1. Nice article! Good for android app testing.

    ReplyDelete
  2. I am not able to install cydia substrate in geny motion. When I try to open and click on link substrate I am getting error permission denied.

    have faced this issue..?

    ReplyDelete
    Replies
    1. You might want to update your Super SU Library :)

      Delete

Post a comment

Popular Posts