Certificate Pinning Bypass (Android)

Bypassing certificate pinning using three different methods: Frida, Xposed Framework with JustTrustMe, and Modifying APK.


Last updated 5 months ago


Method 1: Using Frida

Frida is a powerful tool for dynamic instrumentation, allowing you to hook into an app's runtime and modify its behavior.

Steps to Implement Certificate Pinning Bypass with Frida:

  1. Set Up Your Environment:

  • Install Frida on your testing device and your computer.

    • On your computer:

      pip install frida-tools

    • On your Android device:

      adb push frida-server /data/local/tmp/
      adb shell "chmod 755 /data/local/tmp/frida-server"
      adb shell "/data/local/tmp/frida-server &"

  2. Create a Bypass Script:

  • Write a Frida script to bypass SSL pinning. Save the script as bypass_script.js.

    // Frida script to bypass SSL pinning
    Java.perform(function () {
        var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
        var SSLContext = Java.use('javax.net.ssl.SSLContext');

        // Custom TrustManager that does not validate certificates
        var TrustManager = Java.registerClass({
            name: 'com.example.TrustManager',
            implements: [X509TrustManager],
            methods: {
                checkClientTrusted: function (chain, authType) {},
                checkServerTrusted: function (chain, authType) {},
                getAcceptedIssuers: function () { return []; }
            }
        });

        // Hook SSLContext.init(KeyManager[], TrustManager[], SecureRandom)
        // so every SSLContext is initialised with our custom TrustManager
        var SSLContextInit = SSLContext.init.overload(
            '[Ljavax.net.ssl.KeyManager;',
            '[Ljavax.net.ssl.TrustManager;',
            'java.security.SecureRandom'
        );
        SSLContextInit.implementation = function (keyManager, trustManager, secureRandom) {
            var customTrustManager = [TrustManager.$new()];
            // Invoke the original method; calling this.init() here would
            // re-enter this hook and recurse until the stack overflows
            SSLContextInit.call(this, keyManager, customTrustManager, secureRandom);
        };
    });
  3. Run the Script:

  • Use Frida to run the script on your Android device. Ensure your device is connected and the Frida server is running:

    frida -U -f com.yourapp.package -l bypass_script.js --no-pause

  4. Test the App:

  • Interact with the app and monitor network traffic using tools like Burp Suite to ensure the certificate pinning is bypassed.

Method 2: Using Xposed Framework and JustTrustMe

Prerequisites

  • Rooted Android Device: Ensure your device is rooted to install the Xposed Framework.

  • Xposed Framework Installed: The Xposed Framework should be installed on your rooted device.

Steps:

  1. Root Your Android Device:

  2. Install Xposed Framework:

    • Install the Xposed Installer APK on your device.

    • Open the Xposed Installer and install the framework by selecting "Framework" and then "Install/Update."

    • Reboot your device to apply the changes.

  3. Install JustTrustMe Module:

    • Open the Xposed Installer app.

    • Go to the "Downloads" section and search for the "JustTrustMe" module.

    • Download and install the JustTrustMe module.

    • After installation, go to the "Modules" section in the Xposed Installer and check the box next to JustTrustMe to activate it.

  4. Reboot Your Device:

    • Reboot your device to apply the changes and ensure the module is active.

  5. Test the App:

    • Open your app and perform actions that require network communication.

    • With JustTrustMe active, the app's certificate pinning is bypassed, allowing Burp Suite to intercept and analyze the traffic.

  6. Monitor Network Traffic:

    • Use Burp Suite to monitor and analyze the intercepted traffic. You should now be able to see and manipulate the decrypted HTTPS requests and responses that the app sends and receives.

Method 3: Modifying APK

Prerequisites

  • APKTool installed on your computer.

  • Java Development Kit (JDK) installed.

  • Android Debug Bridge (ADB) installed and set up.

  • Rooted Android Device (optional for some steps).

Steps:

  1. Set Up Your Environment:

    • Ensure you have APKTool, JDK, and ADB installed.

    • Set up the environment variables for JDK and ADB for easy access.

  2. Decompile the APK:

    • Use APKTool to decompile the APK. This will convert the APK into a set of readable files and folders.

      apktool d yourapp.apk -o yourapp
    • The yourapp directory will contain the decompiled files.

  3. Locate Certificate Pinning Logic:

    • Navigate through the decompiled files to find the network-related code. This is usually located in classes related to SSL/TLS connections.

    • Use a text editor or IDE to search for keywords like TrustManager, HostnameVerifier, checkServerTrusted, or SSLContext.

  4. Modify the Code:

    • Modify the pinning logic to bypass the certificate checks: either remove the pinning logic or change it to accept all certificates. Example (shown as Java source for readability; APKTool decompiles to smali, so the equivalent edit is made in the corresponding .smali file):

      // Original pinning logic
      public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
          // Validate the server certificate
      }
      
      // Modified pinning logic
      public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
          // Accept all certificates
      }
    • Ensure all necessary changes are made to bypass the pinning.

  5. Recompile the APK:

    • Use APKTool to recompile the modified APK.

      apktool b yourapp -o yourapp-modified.apk
    • The recompiled APK (yourapp-modified.apk) will be generated in the specified output directory.

  6. Sign the APK:

    • The recompiled APK needs to be signed before it can be installed on your device. Use the JDK's jarsigner tool to sign the APK with a debug certificate.

      jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ~/.android/debug.keystore yourapp-modified.apk androiddebugkey
    • When prompted, use the default keystore password (android).

  7. Install the Modified APK:

    • Use ADB to install the modified APK on your Android device.

      adb install yourapp-modified.apk

    • If the app is already installed, you may need to uninstall the existing version first:

      adb uninstall com.yourapp.package
      adb install yourapp-modified.apk

  8. Test the App:

    • Open the modified app on your Android device and perform actions that require network communication.

    • Use tools like Burp Suite to intercept and analyze the traffic. The certificate pinning should be bypassed, allowing you to intercept the SSL/TLS traffic.
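All three methods succeed because they leave checkServerTrusted with nothing to check: the Frida TrustManager in Method 1 and the edited method in Method 3 accept every chain. As an added example, not code from the original page, the following stand-alone Python shows what a correct pinning check actually computes: the SHA-256 of the server certificate's SubjectPublicKeyInfo, in the sha256/... form used by OkHttp's CertificatePinner, compared against a configured pin set. The DER helpers and fake_cert are assumptions of this example: a hand-built, unsigned certificate skeleton stands in for a real server certificate so the code runs offline.

```python
import base64
import hashlib

def der(tag, content):
    """Encode one DER TLV (lengths below 65536 are enough here)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def der_read(buf, pos):
    """Decode the TLV starting at pos -> (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    _, cert, _ = der_read(cert_der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert, 0)                   # tbsCertificate
    tag, _, pos = der_read(tbs, 0)                  # version [0] EXPLICIT is optional
    if tag != 0xA0:
        pos = 0                                     # v1 cert: serialNumber comes first
    for _ in range(5):                              # serial, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, _, end = der_read(tbs, pos)                  # subjectPublicKeyInfo
    return tbs[pos:end]

def spki_pin(cert_der):
    """OkHttp/HPKP style pin: 'sha256/' + base64(SHA-256(SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def check_server_trusted(chain, pins):
    """Pinning step of checkServerTrusted (run after normal chain validation, not instead of
    it): accept only if some certificate in the chain matches a configured pin."""
    return any(spki_pin(c) in pins for c in chain)

def fake_cert(pubkey_bits):
    """Constructed, unsigned X.509 skeleton used as sample input (not a real certificate)."""
    rsa = der(0x06, bytes.fromhex("2A864886F70D010101"))        # OID rsaEncryption
    alg = der(0x30, rsa + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey_bits))
    name = der(0x30, b"")                                        # empty Name
    validity = der(0x30, der(0x17, b"240101000000Z") * 2)
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + spki
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 9))
```

Against a live endpoint, passing ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))) to spki_pin yields the value an app's pin configuration should hold.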

Notes

  • Rooting: ensure your Android device is rooted. You can find specific guides for rooting your device based on its model and Android version. Popular tools for rooting include Magisk and Azerokit. Follow the Root a Android Device page for details.

  • Xposed Installer: download the Xposed Installer APK from the official Xposed website.

  • Frida: refer to the Frida installation guide for details.

  • Proxy: see Set Up Proxy Tool - Burp Suite for configuring interception.