
Certificate Pinning

Certificate Pinning is an extra layer of security that is used by applications to ensure that the certificate provided by the remote server is the one which is expected.

By including the remote server's X.509 certificate or public key within the application, it is possible to compare the locally stored certificate or key with the one provided by the remote server. If storing a local certificate causes too much hassle, one can use Certificate Pinners from clients like OkHttp, in which selected attributes of the server certificate (typically a hash of its public key) are used as verifiers.

Screenshot of Facebook app with Certificate Pinning enabled.
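As an added example that is not part of the original page, the following stdlib-only Python extracts the SubjectPublicKeyInfo from a DER certificate and computes the "sha256/..." pin string that OkHttp's CertificatePinner expects. The DER walker is a minimal one written for this example, and the certificate it parses is a constructed stand-in (empty names, dummy signature), not a real certificate.

```python
import base64
import hashlib

SEQ, INT, BITSTR, NULL, OID, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0xA0

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (definite short- or long-form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                 # long form: n & 0x7F length bytes follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV, the bytes an SPKI pin hashes."""
    _, cert, _ = read_tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                # tbsCertificate ::= SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    if tag != CTX0:                              # [0] EXPLICIT version is optional (v1 certs)
        pos = 0
    for _ in range(5):                           # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)               # subjectPublicKeyInfo
    return tbs[pos:end]

def pin_for_spki(spki: bytes) -> str:
    """OkHttp CertificatePinner format: "sha256/" + base64(SHA-256(SPKI DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki).digest()).decode()

def spki_pin(cert_der: bytes) -> str:
    return pin_for_spki(extract_spki(cert_der))

def make_cert(spki: bytes) -> bytes:
    """Constructed X.509-shaped DER (empty names, dummy signature), NOT a real cert."""
    tbs = der(CTX0, der(INT, b"\x02")) + der(INT, b"\x01") + der(SEQ, b"") * 4 + spki
    return der(SEQ, der(SEQ, tbs) + der(SEQ, b"") + der(BITSTR, b"\x00"))

# Constructed sample: rsaEncryption OID plus a dummy 200-byte key blob so that the
# SPKI and certificate lengths use the long form, which a parser must handle.
SAMPLE_SPKI = der(SEQ, der(SEQ, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))
                  + der(BITSTR, b"\x00" + bytes(200)))
SAMPLE_CERT = make_cert(SAMPLE_SPKI)
```

Because the pin covers only the public key, it stays valid across a certificate renewal that reuses the key pair, which is why pinning the SPKI hash is usually preferred over pinning the whole certificate.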

If you have been unable to intercept (Man-in-the-Middle) the application's HTTPS traffic after taking the necessary steps, this is probably due to the application using Certificate Pinning.

Bypassing Certificate Pinning

Certificate Pinning is a client-side security measure that can be bypassed by manipulating the application or its environment.

Applications can be disassembled to remove or manipulate the certificate pinning logic. It may also be possible to switch the certificate embedded within the application with another. Some tools exist for different mobile platforms which can automatically disable certificate pinning. These tools may not necessarily be kept up to date and you may need to try the manual approaches discussed above.

iOS Applications

Both of the following tools need jailbroken devices as they manipulate the application or device during runtime to disable Certificate Pinning.

● iOS SSL Kill Switch patches low-level SSL functions within the Secure Transport API

● iOS TrustMe disables SecTrustEvaluate - https://github.com/intrepidusgroup/trustme

Android Applications

Both of the following tools need rooted devices as they manipulate the application or device during runtime to disable Certificate Pinning.

● Android-SSL-TrustKiller hooks various runtime methods to bypass certificate pinning - https://github.com/iSECPartners/Android-SSL-TrustKiller. Note: This only works through Android 4.3, as Cydia Substrate for Android has not been updated for some

● Xposed modules (http://forum.xda-developers.com/xposed): JustTrustMe https://github.com/Fuzion24/JustTrustMe and SSLUnpinning https://github.com/ac-pm/SSLUnpinning_Xposed

● android-ssl-bypass uses a JDWP debugger using the JDI APIs -

Real World Certificate Pinning Bypass Example

To further demonstrate how Certificate Pinning can be bypassed, we will walk through the necessary steps to bypass Certificate Pinning implemented in the official Facebook Android application.

These exact steps may not work for you if you are following them step-by-step against the official Facebook Android application, as Facebook may have changed the way they implement their certificate pinning since these steps were first written. However, they should still be useful to gain an understanding of how applications can be manipulated to bypass certificate pinning.

The first step is to download the Facebook APK from the Play Store. Once downloaded we will disassemble the application, modify the source code, reassemble the application, sign the application and then, finally, install it onto a device.

Disassembling the APK

The apktool tool was used to disassemble the APK with the following command:

$ apktool d com.facebook.katana.apk -o com.facebook.katana_disassembled

Modify the Certificate Pinning logic

Once the APK has been disassembled we will need to locate where within the smali source code the certificate pinning checks are done. Searching the smali code for keywords such as "X509TrustManager", "cert", "pinning", etc., should point you in the right direction.

In this case a search for "X509TrustManager" returned a result within the 'smali/com/facebook/acra/util/TrustEveryoneTrustManager.smali' file. This file contains methods named "checkClientTrusted", "checkServerTrusted" and "getAcceptedIssuers".

The "return-void" opcode was added to the first line of each of these methods. The "return-void" statement is a Dalvik opcode to return 'void' or null. For more Dalvik opcodes see http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

Screenshot showing the inserted opcode.

Reassembling the APK

Once the changes are made to the methods the APK will need to be reassembled. To do this the following apktool command was run:

$ apktool b com.facebook.katana_disassembled/ -o app_modified.apk

This should create a reassembled APK named 'app_modified.apk' with the changes we made.

Signing the APK

Before the modified APK can be installed onto a device it needs to be cryptographically signed. To sign the app_modified.apk APK file the following steps should be taken:

1. Generate the private key.

$ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

2. Sign the APK using the generated private key.

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore app_modified.apk alias_name

The modified APK should now be signed for 10,000 days and ready to be installed onto the Android device. To do this, ensure the device has USB debugging enabled, then attach the device to the computer's USB port and run:

$ adb install app_modified.apk

After installing the modified APK it is possible to intercept (Man-in-the-Middle) the HTTPS communications.

Screenshot showing an intercepted HTTPS request.

Certificate Pinning Test Environment (incomplete)

TODO: PubKeyPin is currently not functioning correctly. I have contacted the author for assistance.

You may want to practice your Certificate Pinning identification and bypass techniques before having to do it in the real world. What follows is a guide on how to identify certificate pinning and bypass it while using a sample Android application called PubKeyPin.

The PubKeyPin Android application is hosted on owasp.org and demonstrates Certificate Pinning in use.

The PubKeyPin Android application can be downloaded from

Building the APK

Once downloaded you will need to build and sign the APK before it can be installed onto a device. To build the APK you will need to download and install the Android SDK as well as Apache Ant.

1. Create the build.xml file. Run the following command from within the unzipped PubKeyPin directory:

$ /adt-bundle/sdk/tools/android update project -p . -n pubkey -s -t 1

2. Compile the application using Apache Ant. Run the following command from within the unzipped PubKeyPin directory:

$ ant clean && ant release

If everything went well, you should now have a file called 'pubkey-release-unsigned.apk' within the bin folder of the unzipped directory. As the file name suggests, the APK is unsigned and will need to be signed before it can be installed onto an Android device.

Signing the APK

To sign the pubkey-release-unsigned.apk APK the following steps should be taken:

1. Generate the private key.

$ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

2. Sign the APK using the generated private key.

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore /pubkey-pin-android/bin/pubkey-release-unsigned.apk alias_name

If the commands above did not work you may want to consult the official Android documentation for the most up to date information on signing APKs.

Installing the signed APK onto the Device

The pubkey-release-unsigned.apk APK should now be signed for 10,000 days and ready to be installed onto the Android device. To do this, ensure the device has USB debugging enabled, then attach the device to the computer's USB port and run:

$ adb install pubkey-pin-android/bin/pubkey-release-unsigned.apk

Test Case

Test ID: MSTG-31

Test name: Application does not use Certificate Pinning

Steps for test:

● Attempt to intercept (MitM) HTTPS traffic. If unsuccessful after taking the necessary steps, the application may be using Certificate Pinning.

● Disassemble the application. Attempt to identify any certificate pinning logic. Attempt to remove or manipulate the certificate pinning logic. Reassemble the application and attempt to intercept HTTPS traffic again.

POC / Example Screenshot:

Remediation:

Refer to the OWASP Pinning Cheat Sheet: