SSL Pinning: Introduction & Bypass for Android
What is SSL Pinning ?
SSL pinning allows the application to only trust the valid or pre-defined certificate or Public Key. The application developer uses SSL pinning technique as an additional security layer for application traffic. As normally, application trusts custom certificate and allows application to intercept the traffic. But in the SSL Pinning implementation, application does not trust custom certificates and does not allow proxy tools to intercept the traffic.
Why do we need to implement SSL Pinning ?
SSL Pinning is an additional security layer to prevent MITM attack( Man in the Middle Attack) or sniffing data. To intercept the request, we mostly use a proxy tool. The proxy tool installs its own certificate on the device and application trust that certificate as a valid certificate and allow proxy tool to intercept application traffic.
Ways to Implement SSL Pinning :-
- Certificate Pinning
- Public Key Pinning
- Certificate Pinning :- In certificate pinning , the developer hardcodes some bytecode of SSL certificate into application code. When the application communicates with the server, it checks whether the same bytecode is present in a certificate or not. If it is present, the application sends a request to the server. If the bytecode does not match it will throw an SSL certificate error. This technique prevents an attacker to use his/her own self-signed certificate.
- Public Key Pinning :- In public key pinning when a customer visits a website, the server pins (by way of injecting it) its public key in client (customer’s) browser. When the client revisits the same website, the server identifies its public key to check the integrity of the connection. This technique also prevents an attacker from using his/her self-signed certificate.
SSL Pinning Bypass :-
SSL Pinning can be bypassed using several ways, if it is not properly implemented or configured.
Some of SSL Pinning bypass techniques are :-
- Using automated tools
- By Reverse engineering ( Modifying Smali code)
- Hooking
èUsing Automated tools :- There are multiple open source tools available to bypass SSL Pinning. Some of them are SSL Unpinned and Inspeckage.
But in many cases, the application source code is obfuscated, and developers hide the code of SSL pinning in such a way that it becomes very difficult for the tools or framework to find SSL pinning code. One of the biggest disadvantages of using automated tools is that most tools require a rooted device. So, if application does not work on a rooted device, SSL pinning cannot be bypassed using automated tools.
èBy Reverse engineering (Modifying Smali Code) :- For bypassing SSL Pinning ,the most used attack vector is by performing reverse engineering. It is an easy task to perform reverse engineering of android application and see how the application is built. We can use tools like apktool to decompile the application and understand the application code. when you decompile the apk there are many directories such as smali, assets, lib etc which contains critical files such including the SSL pinning code , application logics etc. To bypass SSL pinning, the attacker must find the pinning code and tamper its validation or trust check. After the modification, attacker recompiles the code using apktool and signs the application with his/her own private key using Jarsigner(private key is generated using Keytool).
Steps to Reproduce :-
- Download the application for bypassing SSL Pinning.
- Download apktool ( Apktool is command line tool basically used for decompiling and recompiling of apk)
- Now use apktool to decompile the application.
- apktool d application.apk
- Using above command, application gets decompiled and we get access to all the apk code and directories such as smali, lib, original, unknown, assets, build, res and smali_classes.
- Decompiled code contains smali code (it contains java or Kotlin code). So, modification of code requires understanding of the code.
- Now find the ssl pinning code, mostly ssl pinning code contains functions such as checkservertrust, checkclienttrust(Contains , x509, okhttp3,certificate pinner etc. These codes or functions are basically used to check that issuer certificate or public key byte codes. By understanding the code and modifying the function output accordingly can help in SSL pinning bypass.
- Sometimes, pinning code returns null (return-void), so if we provide the return null value in the start of the function, function will not be able to execute certificate verification code.
For details, please go through the below images of SSL Pinning code modification.
Before modification of checkservertrust and checkclienttrust code. ( In this code, the application is checking SSL certificate and throwing an exception in case of the wrong certificate. But the code function is returning null value)
After modification of checkservertrust and checkclienttrust code.( In this code, as functions are returning null value( return-void), so we modified the code and insert the return-void in the initiation of the function.
After modification, recompile the application using apktool.
- Apktool b application(Application directory)
Apktool creates directory in the decompile code directory(dist) and in the dist directory new and modified apk is created.
We can use the keytool to generate the private key which can be used to sign the application. As in android application will not be installed if not signed.
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
Now sign the modified new apk with the generated private key using Jarsigner.
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name
In the android device, now delete the old application and install the new modified application and then intercept the traffic using proxy tool.
Hooking
Hooking is the technique used for modification or tampering of the application behaviour at runtime. It can be achieved using Frida tool. Frida is the framework which can be used for dynamic or runtime code modification. In Frida, the code is injected in the application and then modify instruction code using the injected code.
In some cases, android application is obfuscated ( In obfuscation, classes of the android application are replaced with some random alphabets which makes very difficult for the attacker to understand the code.)
But it cannot prevent the SSL pinning, as obfuscation only makes code harder to understand. In case of obfuscated application classes, we can try to find the function name or keywords to understand the code and bypass SSL pinning. As the code is obfuscated, we can use string finding tools such as Agent ransack to find the keywords and modify the code accordingly.
Prevention of SSL Pinning Bypass :-
SSL Pinning Bypass can be prevented using two-way SSL authentication. Two-way SSL Authentication also known as mutual authentication between client and server. The application acts as SSL client and send its certificate to the SSL server to validate after SSL server validates itself to the SSL client.
Mostly implementation of Two-way SSL is complex, so if we can prevent the modification or reverse engineering of android application that would basically avoid the SSL Pinning bypass using reverse engineering or Hooking method.
Tools which can be used for Bypassing SSL Pinning :-
- Apktool ( Command line tool which can be used for compiling and decompiling of the android application)
- Keytool ( Command line tool used for private key generation)
- Jarsigner (Command line tool used for signing the application)
- Agent ransack (GUI tool which can be used for finding the string or function)
- Easy Apktool (GUI tool which can be used for compiling, decompiling as well signing of the application)
- String finder (GUI tool which can be used for finding the string or function)
For more blogs click here