首页
社区
课程
招聘
[转帖]Bypassing OkHttp Certificate Pinning
发表于: 2020-2-25 11:06 2787

[转帖]Bypassing OkHttp Certificate Pinning

2020-2-25 11:06
2787

Original link: https://captmeelo.com/pentest/2020/02/24/bypass-okhttp-cert-pinning.html

 

Yesterday, I was analyzing an Android application which uses OkHttp for certificate pinning. It took me hours to analyze the app, and have tried different methods to circumvent the app’s certificate pinning implementation. If I had only been monitoring the system log while running the app, I could have done it in just a matter of minutes. I might have wasted a lot of time and effort, but at least I’ve learned.

 

Here’s my write up on how I bypassed OkHttp’s Certificate Pinning implementation.

Attempt #1: Using Xposed Modules

Since I had Xposed running on my test device, I first used the modules SSLUnpinning and TrustMeAlready. I know these modules are outdated, but it might still work. Unfortunately, it didn’t work on the app that I’m testing.

Attempt #2: Using Frida Scripts

My second attempt involved the use of Frida. After setting it up on my test device, I immediately tried the “most popular” Frida script on CodeShare which is the Universal Android SSL Pinning Bypass script. But what I got was just an error.

 

I tried another script but no luck as well. It did not even successfully detect the certificate pinning implementation used by the app.

 

I ended up trying all Frida scripts from CodeShare related to certificate pinning bypass but none of them worked.

Attempt #3: Via Manual Modification

I decided to look at the system log to see what’s happening in the background when the app is running. From the app’s log, I found the following certificate fingerprints (highlighted in green). Log

 

Basically, the app checks for these fingerprints. If the fingerprint from the certificate chain matches one of the pinned fingerprints, then the peer’s identity has been verified and SSL pinning can be bypassed.

 

Before I could inject Burp’s certificate fingerprint, I first decompiled the app and look for the file where these pinned certificates were located. From the output below, the pinned fingerprints were located in /res/values/arrays.xml. Location

 

I then injected Burp’s certificate fingerprint to the list inside /res/values/arrays.xml. Modification

 

Lastly, I recompiled the app and installed it. Rebuild

 

Install

 

That’s it! I was able to bypass the app’s certificate pinning mechanism. Burp

 

Lesson Learned: Always keep an eye on the system log while running the target application.


[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 0
支持
分享
最新回复 (1)
雪    币: 83
活跃值: (1092)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
2
已读
2020-2-25 16:14
0
游客
登录 | 注册 方可回帖
返回
//