Bypass Certificate Pinning on Android
Update: This blog post has gotten a lot more attention than anything else I have written, so I have also written up an advanced guide for more complex SSL pinning bypass techniques:
https://blog.jamie.holdings/2019/01/19/advanced-certificate-bypassing-in-android-with-frida/
A common requirement when performing security research is to intercept encrypted traffic using your own root SSL certificate.
However, sometimes apps do something called Certificate Pinning, where they will have something about the certificate of the web server they're connecting to embedded within the app. When making a connection to the web server, if the certificate information doesn't match the embedded data, it will fail the connection. If we're using our own custom-made root cert, this is a problem, as we'll be generating SSL certs on-the-fly for any domain going through out proxy, which will no longer match the certificate the app is expecting.
But no fear! There are still some tricks we can try. One pretty successful one I will cover here.
Enter Objection
https://github.com/sensepost/objection
Objection is a rather fantastic injection toolkit for iOS and Android. Essentially it will embed itself within an APK package, which you can install and run. Once the app is running, you can connect to it from your computer and generally mess around within the running process live. While the app is running you can be editing it's database, rewriting memory, or list class methods.
Conveniently, Objection has a built-in module for bypassing certificate pinning. This bypasses a lot of well-known methods of certificate pinning, so chances are this will work out of the box.
Install Objection
You'll need to install the following:
- Python 3.7.x
- Pip 3 (should come with Python installer)
- Android SDK (make sure both adb and aapt are in your PATH)
- apktool (make sure the bat file is also in your PATH)
Once the above is installed, run the following to install Objection.
pip3 install objection
And you're good to go!
Preparing the APK
Grab the APK you want to inject, and run the following (replacing the APK filename):
objection patchapk -s base.apk
This will take a little while...
Once done you'll have a new apk with ".objection" added to the filename. Install this to your device.
adb install -r base.objection.apk
That's it!
Running Objection
Now you'll want to start the app on your device.
Once you've started the app, return to your computer and run the command:
objection explore
This will start a live terminal allowing you to explore the app. Everything else you can do here is beyond the scope of this post, but the killer command you'll be after is this one:
android sslpinning disable
You'll hopefully start seeing some log entries appear where objection has intercepted a certificate pin request.
If this doesn't immediately work, you may need to restart the app on your device and run the above command quickly while the app is booting.