Modern mobile applications implement additional security controls that prevent an attacker from intercepting the content of their HTTPS connections. Such controls stop common proxy tools from intercepting and logging the application's traffic.
This is a major obstacle for security researchers and penetration testers, as it defeats attempts to man-in-the-middle the communication between the mobile app and the server endpoint.
In this blog, we will discuss our recent experience in bypassing SSL certificate pinning on a finance sector mobile application. The blog focuses on the bypass technique used on the Android platform.
The Concept of Certificate Pinning
In an HTTPS connection, a handshake is performed between the mobile application and the server, during which the server's certificate is validated against the device's trusted certificate authorities.
With certificate pinning in the picture, the application ships with its own (often self-signed) certificate and performs additional validation of the certificate's issuer while it runs on the Android device. The application is coded to trust only a known set of issuers, so any other certificate fails validation and the application's traffic is never exposed over a connection that presents an unrecognised certificate. This practice of trusting only a known, valid (possibly self-signed) certificate is known as Certificate Pinning.
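The pinning decision described above, as an added example that is not part of the original post: a pin is the SHA-256 digest of the server key's DER-encoded SubjectPublicKeyInfo (SPKI), base64-encoded, which is the form Android's network_security_config and OkHttp's CertificatePinner use. The code below extracts the SPKI from a DER certificate with a minimal ASN.1 walker, computes the pin, and evaluates a pin set against a presented chain. The certificate it parses is a constructed, unsigned DER skeleton with placeholder fields (built by the hypothetical `build_placeholder_cert` helper), not a real certificate; all function names are this example's own.

```python
"""Added example (not part of the original post): how an app-side pinning
check is evaluated. A pin is the SHA-256 digest of the certificate's
DER-encoded SubjectPublicKeyInfo (SPKI), base64-encoded, the form used by
Android's network_security_config and OkHttp's CertificatePinner. The
sample certificate is a constructed DER skeleton with placeholder fields."""
import base64
import hashlib


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(blob: bytes) -> list:
    """Split `blob` into (tag, content, raw_element) tuples, one per element."""
    out, i = [], 0
    while i < len(blob):
        start = i
        tag, first = blob[i], blob[i + 1]
        if first < 0x80:                      # short form: one length byte
            length, i = first, i + 2
        else:                                 # long form: 0x8N + N length bytes
            nbytes = first & 0x7F
            length = int.from_bytes(blob[i + 2:i + 2 + nbytes], "big")
            i += 2 + nbytes
        content = blob[i:i + length]
        i += length
        out.append((tag, content, blob[start:i]))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo element of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    cert_tag, cert_body, _ = der_children(cert_der)[0]
    tbs_tag, tbs, _ = der_children(cert_body)[0]
    if cert_tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate")
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:       # explicit [0] version present (v2/v3)
        fields = fields[1:]
    spki_tag, _, spki_raw = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return spki_raw


def spki_to_pin(spki_der: bytes) -> str:
    """'sha256/<base64>' pin string for a DER SPKI."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def cert_pin(cert_der: bytes) -> str:
    """Pin string for a certificate; this is the value that goes into a pin set."""
    return spki_to_pin(extract_spki(cert_der))


def chain_is_pinned(chain_der: list, pin_set: set) -> bool:
    """The pinning decision: accept only if some certificate in the presented
    chain carries a pinned key. Keep a backup pin in the set so that key
    rotation does not lock every installed app out of the server."""
    return any(cert_pin(c) in pin_set for c in chain_der)


# --- constructed sample data (placeholder values, not a real key) ---
OID_EC_PUBKEY = der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")         # 1.2.840.10045.2.1
OID_P256 = der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x03\x01\x07")          # 1.2.840.10045.3.1.7
OID_ECDSA_SHA256 = der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02")  # 1.2.840.10045.4.3.2
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, OID_EC_PUBKEY + OID_P256)
                      + der_tlv(0x03, b"\x00\x04" + b"\x11" * 64))     # placeholder EC point


def build_placeholder_cert(spki_der: bytes, v3: bool = True) -> bytes:
    """Wrap an SPKI in a structurally valid but unsigned placeholder certificate."""
    tbs = b""
    if v3:
        tbs += der_tlv(0xA0, der_tlv(0x02, b"\x02"))                  # [0] version = v3
    tbs += der_tlv(0x02, b"\x01")                                     # serialNumber
    tbs += der_tlv(0x30, OID_ECDSA_SHA256)                            # signature algorithm
    tbs += der_tlv(0x30, b"")                                         # issuer (placeholder)
    tbs += der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    tbs += der_tlv(0x30, b"")                                         # subject (placeholder)
    tbs += spki_der
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, OID_ECDSA_SHA256)
                   + der_tlv(0x03, b"\x00" + b"\x22" * 70))           # placeholder signature


if __name__ == "__main__":
    leaf = build_placeholder_cert(SAMPLE_SPKI)
    pins = {cert_pin(leaf), "sha256/" + "A" * 43 + "="}   # live pin plus a backup pin
    print(cert_pin(leaf), chain_is_pinned([leaf], pins))
```

Running `cert_pin` over a DER certificate exported from the real server (rather than the placeholder above) yields the exact string to place in a pin set. Pinning the SPKI rather than the whole certificate is what lets the server renew its certificate without breaking the app, as long as the key, or the backup key, is kept.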
What is Frida?
Frida is a dynamic instrumentation framework that performs code injection on multiple platforms. The injection happens at the process level: a running process is hooked so that the return value of any function within an Android application can be overridden.
When SSL pinning is in place, the certificate check returns a flag that indicates whether the presented certificate is accepted, and an invalid certificate makes that check fail. Frida can override the result of the pinning validation by replacing the flag the check returns.
Frida Setup on Windows
In this blog, we have used Python 3.7. Python 3.7 for Windows can be downloaded from python.org.
After the installation, navigate to the folder "Python37\Scripts\" and run the following commands:
pip install frida
pip install objection
pip install frida-tools
Frida Setup on Android Device
Before you begin, ensure that the Android device is rooted and that USB debugging is enabled.
Download adb and fastboot (the Android platform-tools package for Windows).
Connect the device and confirm that adb detects it using the command below.
adb devices
Tap "Allow" on the USB debugging prompt shown on the device. Identify the CPU architecture of the Android device using the following command:
adb shell getprop ro.product.cpu.abi
Download the frida-server build that matches your Android architecture (the release is shipped as an .xz archive; extract it before pushing).
Push the frida-server binary onto the rooted Android device with the following ADB command:
adb push {{Download_folder_name}}\frida-server /data/local/tmp
Grant read, write and execute permissions to the frida-server binary (execute permission is what matters; 755 is sufficient):
adb shell chmod 777 /data/local/tmp/frida-server
Download the proxy tool's CA certificate; in this blog we used Burp Suite's proxy certificate. In Burp Suite navigate to Proxy > Options and, under Proxy Listeners, click "Import / Export CA Certificate" to export it in DER format.
Push the certificate to the same location as frida-server using the command below. We give the file a ".crt" extension in the command so that the certificate file is renamed on the device.
adb push cacert.der /data/local/tmp/cert-der.crt
Set up a proxy on the Android device from the Wi-Fi settings, pointing it at the Burp Suite listener.
Add the logic that bypasses SSL pinning in the form of a ".js" script. This script instructs Frida which functions to hook and how to override the application's SSL pinning result. The application in our engagement used libraries for which a basic script would not let Frida bypass the pinning, so we used a universal SSL pinning bypass script. The script is capable of bypassing various modern SSL pinning methods such as:
Rename the downloaded script to "fridascript.js" and move it to the "\platform-tools\" folder. Then push the Frida script into the same folder on the Android device where frida-server was placed, using the command below:
adb push C:\platform-tools\fridascript.js /data/local/tmp
Bypass SSL Certificate Pinning with Frida
Start frida-server on the Android device as root using the commands below:
adb shell
su
cd /data/local/tmp
./frida-server &
On the Windows machine, navigate to the folder "Python37\Scripts\" where Frida is installed and run the command below to list all processes running on the device:
frida-ps -U
The application's package name can be found in this list of processes; alternatively, it can be read from the application's manifest file.
Load the Frida script into the mobile application by spawning it with the following command (replace the placeholder with the package name):
frida -U -f <<application_name>> -l C:\platform-tools\fridascript.js --no-pause
SSL pinning is now bypassed and the application's traffic is intercepted by the proxy.
Happy Hacking!!!