MITM/SSL pinning protection bypass for android applications

This post lists a few of the MITM/SSL pinning protection bypass techniques I have found useful during Android application security assessments.

Xposed framework modules

There are multiple Xposed modules available to get this done. These modules rely on techniques such as hiding the root process and APK, function hooking, etc. to bypass such protections. Below are links to a few of the modules that have helped me in the past.

Frida

Frida is a dynamic instrumentation framework that can be used to inject JavaScript snippets or a library into native apps. There are multiple Frida scripts available for bypassing SSL pinning; I am listing a few of them below. They work for me most of the time.

Objection

Objection is a Frida-powered framework for runtime mobile exploration. It can also be used to automate the SSL pinning bypass procedure.

Overwrite certificates

Sometimes certificates are stored inside the application folder and can be replaced with custom certificates. This requires decompiling the application and locating any certificates inside the application folders. Replace the certificate, or put Burp's certificate inside the folder, and recompile the application. For signing the application you can use sign.jar; then install the application and inspect its traffic using Burp.

Network security config.xml

The network security config file /res/xml/network_security_config.xml can be modified to intercept the application traffic.

Read more about network security config

Replace the XML file with the code below (the src="user" anchor is what makes a user-installed proxy CA trusted) and recompile the application to intercept traffic.

network_security_config.xml
<network-security-config>
   <base-config>
       <trust-anchors>
           <!-- Trust preinstalled CAs -->
           <certificates src="system" />
           <!-- Additionally trust user added CAs -->
           <certificates src="user" />
       </trust-anchors>
   </base-config>
</network-security-config>
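As an added check that is not part of the original post: a small Python audit that flags the permissive settings in a decompiled app's network_security_config.xml (user-CA trust anchors like the one above, cleartext traffic, debug overrides, a missing pin-set). Both sample configs, the host name and the pin values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the permissive config from the post, plus cleartext allowed.
PERMISSIVE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>"""

# Constructed sample of the hardened form: system CAs only, no cleartext,
# and a pin-set for the API host (pin values are placeholders, not real digests).
PINNED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system" /></trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">PLACEHOLDER_SPKI_HASH_PRIMARY=</pin>
            <pin digest="SHA-256">PLACEHOLDER_SPKI_HASH_BACKUP=</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""

def audit_network_security_config(xml_text):
    """Return a list of findings (empty when nothing weak was spotted)."""
    root = ET.fromstring(xml_text)
    findings = []
    for scope in ("base-config", "domain-config", "debug-overrides"):
        for cfg in root.iter(scope):
            if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
                findings.append(f"{scope}: cleartext traffic permitted")
            # src="user" makes a user-installed proxy CA trusted, which is
            # exactly what the replacement config above relies on.
            for cert in cfg.iter("certificates"):
                if cert.get("src") == "user":
                    findings.append(f"{scope}: trusts user-installed CAs")
    # debug-overrides only apply when android:debuggable="true", so a release
    # build should not ship them at all.
    if root.find("debug-overrides") is not None:
        findings.append("debug-overrides present: confirm the release build is not debuggable")
    if root.find(".//pin-set") is None:
        findings.append("no pin-set: any CA the device trusts can intercept traffic")
    return findings
```

Run it over the res/xml/network_security_config.xml of an apktool-decompiled build; an empty result for a release config is the baseline a review should expect.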

Keystore manipulation

It is possible to manipulate the BKS file that contains the CA used for SSL pinning. Most of the time it is stored inside the /res/raw folder. These BKS files are generally accessible without a password, or the password can be found hardcoded inside the application. In such a situation one can edit the BKS file to add a custom certificate and intercept the traffic.

In the example below, I decompiled the application using apktool, went to the /res/raw folder and found a BKS file, the password for which was hardcoded.

I added Burp's CA to the BKS store and could bypass the MITM restriction.

Patching Application code

It is generally possible to reverse the certificate pinning code to bypass the restriction. This requires an understanding of the code, and the process usually differs from one application to the next.

Below are a few examples where people have reversed application code to bypass the MITM restriction.
