CA and SSL pinning protections
Tutorials

CA and Bypass SSL pinning protection on Android

Adding CA to an Android system and bypass SSL pinning protections are two very important steps in testing the security of different applications.

After my latest article – How To Install And Root Your Android Emulator – I received a couple of questions about what to do next.

In the article that I mention above I explain how to implement a fully functional rooted Android emulator. This is the first requirement if you want to learn, how to do penetration test on Android applications.
I hope you managed to implement the emulator on your own system.

What’s the next challenge?

One of the most important techniques used in penetration tests is to intercept the requests that the application is sending to the server, and also, to see the responses that the applications is receiving from the server. This is true for every kind of application that I am testing, either WEB application, or mobile, even desktop applications.

Most of the times, when I want to intercept requests and responses from a mobile application, I face the problem of being unable to see any requests. This is happening because, most of mobile applications have SSL pinning implementation.

SSL Pinning is a technique that clients use to avoid man-in-the-middle attack by validating the server certificates again even after SSL handshaking.

In today’s article, I will implement a step-by-step method in order to bypass SSL pinning protection on mobile applications.

So, let’s jump to the technical part. We test the setup using Ubuntu 19.04 – as the host and Android 7.1.1 – as the guest.

What tools do I need?

Firstly, I need a tool which is able to intercept the requests/responses, and I will use Burp Suite, which can be downloaded from here: https://portswigger.net/burp
In case you don’t want to use Burp, other very good alternatives are :

Next, I need Android environment, on which I install the application that I want to test. In the first part of the article I describe this step.

Other tools that we need are:

  • Installed on Ubuntu: Openssl , Frida and Objection
  • Installed on emulator: Frida server

What steps should I follow in order to bypass SSL pinning?

1. Redirect all of the emulator network traffic, through a proxy server, which, in this case will be Burp tool.

You can do this by opening the configuration tab of your emulator, click on Settings and select Proxy menu. Check the “Manual proxy configuration” and enter the address IP and port number on which Burp proxy server is listening, and hist Apply button, as you see in figure 1. Make sure that the address IP and port number that you enter are the same to those that you use for proxy listener.

Figure 1: Android emulator proxy settings

2. Install the Burp CA as a system-level certificate on the Android emulator

Trusted CAs for Android are stored in a special format in /system/etc/security/ characters. If the Android emulator is rooted, it’s possible to copy the certificate to this location.

Using Burp Suite, export the CA Certificate in DER format. I saved it as cacert.der

Figure 2: Export CA from Burp in DER format

In order to have the CA recognized by Android, we have to convert it into PEM format, and we can do that by typing the following commands in Ubuntu terminal:

openssl x509 -inform DER -in cacert.der -out cacert.pem
This command will generate the PEM format certificate , based on the file exported from Burp.

openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1  
This command will generate a hash value, which will be used in the next command.

mv cacert.pem <hash-from-previous-command>.0
Rename the PEM file in a proper way so the Android emulator can recognise it.

Figure 3: Convert to PEM format

The file is now ready and you can copy it into Android certificate files. For this use the adb tool – which was described in the first part of the article.
After you turn the emulator on, the following commands should be introduced in Ubuntu terminal:

  • adb root – Will restart the adb as root
  • adb remount – Remount the system as writable
  • adb push 9a5ba575.0 /sdcard –Transfer the certificate to the Android device.
  • adb shell – This command opens a shell to the Android device, so the next commands will be given to the Android system
  • mv /sdcard/9a5ba575.0  /system/etc/security/cacerts/ – Move the file to the location where is the storage of all the system certificates
  • mv /sdcard/9a5ba575.0  /system/etc/security/cacerts/ – Move the file to the location where is the storage of all the system certificates
  • chmod 644 /system/etc/security/cacerts/9a5ba575.0 – Give the permission needed to the file
  • reboot – Will reboot the device

I can check to see if all the steps went well, by accessing the Settings -> Security -> Trusted Credentials on Android device, and I should be able to see the new “Portswigger CA” as a system trusted CA, like you can see in figure 3.

Figure 4: Portswigger as a system trusted CA

3. Set up Frida and Objection

You should give the following commands in Ubuntu terminal, in order to install Frida and Objection to your Ubuntu host.

pip3 install frida
pip3 install objection

Next, we have to install Frida-server on Android emulator. You can download Frida-server from here: https://github.com/frida/frida/releases/

If you followed the steps from the first part of the article, the android-x86 version of Frida server should work for your emulator, so you can proceed to download the archive and extract it. After you extract the file you have to copy it to the Android system, and you can do that by typing the following command into your Ubuntu terminal.
adb push frida-server-12.4.8-android-x86 /data/local/tmp/

Now, we have to give the permission needed to the file that we just transferred, by typing the following command into adb shell:

chmod 777 frida-server-12.4.8-android-x86

In order to check if Frida installation went well, the following commands can be given :

In adb shell: ./data/local/tmp/frida-server-12.4.8-android-x86 &. This command will run the frida server on your Android emulator.
In Ubuntu terminal, type :

frida-ps -U

If everything went well with installation, you should see something similar as in figure 5.

Figure 5: Run and check if Frida-server is running properly

Now, it’s time to test if this solution is working properly. In order to do this, Frida-server needs to be running on the emulator.
Open the application that you want to test for SSL pinning, in Android and enter the following command in your Ubuntu terminal: objection -g <name-of-your-application> explore

In the Objection interface that have been opened after the previous command type the following: android sslpinning disable –quiet ,and now, Burp suite should be able to intercept all the requests that the application is sending.

In figure 6, you can see a screenshot with Objection running.

Figure 6:Objection interface

You can find out the full name of the application that you want to test, by searching for it in the /data/data/ folder in your Android device, within adb shell, as you can see in figure 7.

Figure 7: Search for the full name of the application

If you got here, well done!

You have just implemented one of many solutions available to bypass the SSL pinning protection on Android applications.

The solution presented above is the one that worked best for me during my penetration tests on Android application, but you can find online multiple methods of bypassing SSL pinning, some of them are easier to implement, and are resuming to just install an application, for example SSL Kill Switch, available here:
https://github.com/nabla-c0d3/ssl-kill-switch2 , which will do all the magic for you. Some of them require a bit more technical skills, like reverse engineering the Android application.

Write to me, in the comment section below if you use different methods in order to bypass the SSL pinning.

Leave a Reply

Your email address will not be published. Required fields are marked *