SSL Pinning Bypass

https://redhuntlabs.com/wp-content/uploads/2023/07/Ultimate-Guide-to-SSL-Pinning-Bypass-RedHunt-Labs.pdf

Bypassing SSL pinning using Xposed [ JustTrustMe Module ]

to analyze the network traffic of an Android application is very much important from a penetration tester point of view to find vulnerable endpoints and functionality.

Xposed framework “JustTrustMe” module: To bypass the spinning Xposed framework “JustTrustMe” module is used.it helps in disabling the SSL certificate checking.

Step 1: Download JustTrustMe apk here

Step 2: Goto downloaded the folder of apk and open CLI.

Run “adb install JustTrustMe.apk” and accept the allow option in Mobile at the same time.

Step 3: Open Xposed, go to modules and checkmark “JustTrustMe”

JustTrustMe Module enabled

Step 4: Reboot your device. Now you will be able to capture the application traffic using the proxy.

Frida

Frida is a dynamic instrumentation framework that allows you to hook and change the mobile app's logic at runtime. Frida is so powerful that it "requires its own ultimate" guide to list all its features.

xz -d frida-server-17.2.15-android-arm64.xz
mv frida-server-17.2.15-android-arm64 frida-server
adb push frida-server /data/local/tmp/
adb shell
cd /data/local/tmp
chmod 755 frida-server
./frida-server &
frida-ps -Uia | grep -i pinning
frida --codeshare akabe1/frida-multiple-unpinning -U -f <appname>
frida -U -N org.secuso.privacyfriendlydicer
## hook the pplication before running 
frida -U -f org.secuso.privacyfriendlydicer -l hook.js
frida -U -f org.secuso.privacyfriendlydicer -l hook.js --no-pause

Objection

pip3 install objection
objection patchapk -s package.apk
objection explore --startup-command 'android sslpinning disable'

Frida Gadget

You can automate this by using the above Objection command: 

 objection patchapk s package.apk

Else, you can follow the manual way of patching the apk described in this guide.

Once the APK is patched, install Frida tools on the attacker machine using pip3 install frida-tools. After installing, you will see programs like frida, frida-ps, frida-Is-devices on your system.

Install the patched APK on an Android device and open it. The app waits till Frida connects to the Frida gadget. The output of

APKLAB

LogoGetting StartedAPKLab

Android SSL Trustkiller

LogoGitHub - iSECPartners/Android-SSL-TrustKiller: Bypass SSL certificate pinning for most applicationsGitHub

Inspeckage

LogoGitHub - ac-pm/Inspeckage: Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)GitHub

SSL Unpinning

LogoGitHub - ac-pm/SSLUnpinning_Xposed: Android Xposed Module to bypass SSL certificate validation (Certificate Pinning).GitHub
PreviousAndroid App Pentesting ChecklistNextHow To Get APK file for application

Last updated

Was this helpful?