
Certificate Pinning

Certificate Pinning is an extra layer of security that is used by applications to ensure that the
certificate provided by the remote server is the one which is expected.

By including the remote server's X.509 certificate or public key within the application, it is
possible to compare the locally stored certificate or key with the one provided by the remote
server. If storing a local certificate causes too much hassle, one can use Certificate Pinners
from clients like OkHttp, in which certain attributes of the server certificate are used as
verifiers.
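As an added example (not code from the original page), the following Python shows the comparison described above in its public-key form: a minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate, hashes it into the `sha256/<base64>` pin format that OkHttp-style pinners use, and checks it against the pin set shipped with the app. The certificate and key bytes are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib

def der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a minimal-length encoding."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value

def tlv(buf: bytes, pos: int):
    """Decode the TLV starting at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of an X.509 (RFC 5280) DER certificate."""
    _, pos, _ = tlv(cert_der, 0)           # Certificate SEQUENCE
    _, pos, _ = tlv(cert_der, pos)         # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:              # optional [0] EXPLICIT version
        _, _, pos = tlv(cert_der, pos)
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = tlv(cert_der, pos)
    tag, _, end = tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI SEQUENCE not found")
    return cert_der[pos:end]

def spki_pin(cert_der: bytes) -> str:
    """Pin in the 'sha256/<base64>' form: SHA-256 over the DER-encoded SPKI."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def check_pins(cert_der: bytes, pins: set) -> bool:
    """Accept the connection only if the presented key is in the pin set."""
    return spki_pin(cert_der) in pins

def fake_cert(key_bytes: bytes) -> bytes:
    """Constructed stand-in certificate: real X.509 field order, dummy contents."""
    rsa_oid = der(0x06, bytes.fromhex("2A864886F70D010101"))   # rsaEncryption
    alg = der(0x30, rsa_oid + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

# The pin shipped inside the app (computed here from the constructed key).
PINNED = {spki_pin(fake_cert(b"expected-key"))}
```

Because only the key is hashed, the pin survives certificate renewals that keep the same key pair, and any certificate carrying a different key is rejected whatever CA signed it.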

Screenshot of Facebook app with Certificate Pinning enabled.

If you have been unable to intercept (Man-in-the-Middle) the application's HTTPS traffic,
after taking the necessary steps, this is probably due to the application using Certificate
Pinning.

Bypassing Certificate Pinning

Certificate Pinning is a client-side security measure that can be bypassed by manipulating
the application or its environment.

Applications can be disassembled to remove or manipulate the certificate pinning logic. It
may also be possible to switch the certificate embedded within the application with another.

Some tools exist for different mobile platforms which can automatically disable certificate
pinning. These tools may not necessarily be kept up to date and you may need to try the
manual approaches discussed above.

iOS Applications

Both of the following tools need jailbroken devices as they manipulate the application or
device during runtime to disable Certificate Pinning.

iOS SSL Kill Switch patches low-level SSL functions within the Secure Transport API:
https://github.com/nabla-c0d3/ssl-kill-switch2
https://github.com/iSECPartners/ios-ssl-kill-switch

iOS TrustMe disables SecTrustEvaluate: https://github.com/intrepidusgroup/trustme

Android Applications

Both of the following tools need rooted devices as they manipulate the application or device
during runtime to disable Certificate Pinning.

Android SSL TrustKiller hooks various runtime methods to bypass certificate pinning:
https://github.com/iSECPartners/Android-SSL-TrustKiller. Note: This only works
through Android 4.3, as Cydia Substrate for Android has not been updated for some
time. Try projects based on the Xposed framework:
http://forum.xda-developers.com/xposed
Xposed modules: JustTrustMe https://github.com/Fuzion24/JustTrustMe and
SSLUnpinning https://github.com/ac-pm/SSLUnpinning_Xposed

android-ssl-bypass uses a JDWP debugger built on the JDI APIs:
https://github.com/iSECPartners/android-ssl-bypass

Real World Certificate Pinning Bypass Example

To further demonstrate how Certificate Pinning can be bypassed, we will walk through the
necessary steps to bypass Certificate Pinning implemented in the official Facebook Android
application.

These exact steps may not work for you if you are following them step by step against the
official Facebook Android application, as Facebook may have changed the way they
implement their certificate pinning from the time when these steps were first written.
However, they should still be useful to gain an understanding of how applications can be
manipulated to bypass certificate pinning.

The first step is to download the Facebook APK from the Play Store. Once downloaded we
will disassemble the application, modify the source code, reassemble the application, sign
the application and then finally, install it onto a device.

Disassembling the APK

The apktool tool was used to disassemble the APK with the following command:

$ apktool d com.facebook.katana.apk -o com.facebook.katana_disassembled

Modify the Certificate Pinning logic

Once the APK has been disassembled we will need to locate where within the smali source
code the certificate pinning checks are done. Searching the smali code for keywords such as
X509TrustManager, cert, pinning, etc., should point you in the right direction.

In this case a search for X509TrustManager returned a result within the
smali/com/facebook/acra/util/TrustEveryoneTrustManager.smali file. This file contains
methods named checkClientTrusted, checkServerTrusted and getAcceptedIssuers.

The return-void opcode was added to the first line of each of these methods. The
return-void instruction is the Dalvik opcode that returns from a void method, so each check
now exits before any verification is performed. For more Dalvik opcodes refer to
http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

Screenshot showing the inserted opcode.
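As an added example (not from the original page), this Python audit does the X509TrustManager search described above on disassembled smali and flags trust managers that, like one with return-void at the top of its checks, can never reject a certificate; it is the static check an auditor would run over an app's smali directory. The smali fragment and class names are constructed for the example.

```python
import re

# Constructed smali (not from the page): a manager that checks a pin and throws on mismatch, and one whose checks are no-ops.
SAMPLE_SMALI = """\
.class public Lcom/example/net/PinningTrustManager;
.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 2
    invoke-static {p1}, Lcom/example/net/Pins;->matches([Ljava/security/cert/X509Certificate;)Z
    move-result v0
    if-nez v0, :pin_ok
    new-instance v1, Ljava/security/cert/CertificateException;
    invoke-direct {v1}, Ljava/security/cert/CertificateException;-><init>()V
    throw v1
    :pin_ok
    return-void
.end method
.class public Lcom/example/net/TrustEveryoneTrustManager;
.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 0
    return-void
.end method
.method public checkClientTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 1
    const/4 v0, 0x0
    return-void
.end method
"""

METHOD_RE = re.compile(
    r"^\.method\b[^\n]*\b(check(?:Server|Client)Trusted)\([^\n]*\n(.*?)^\.end method",
    re.S | re.M)

def audit_trust_managers(smali: str) -> list:
    """Classify each checkServerTrusted/checkClientTrusted body. A body that never
    throws and never delegates cannot reject a certificate, so it trusts everything."""
    findings = []
    for match in METHOD_RE.finditer(smali):
        name, body = match.group(1), match.group(2)
        # Keep opcodes only: drop directives (.locals), labels (:x) and comments (#).
        ops = [line.split()[0] for line in map(str.strip, body.splitlines())
               if line and not line.startswith((".", ":", "#"))]
        if ops and ops[0] == "return-void":
            verdict = "no-op: returns before any check"
        elif "throw" not in ops and not any(op.startswith("invoke-") for op in ops):
            verdict = "no-op: never throws or delegates"
        else:
            verdict = "validates"
        findings.append((name, verdict))
    return findings
```

Run over every .smali file under the apktool output directory, a "no-op" verdict on a release build means the app either never pinned or has had its pinning disabled.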

Reassembling the APK

Once the changes are made to the methods the APK will need to be reassembled. To do this
the following apktool command was run:

$ apktool b com.facebook.katana_disassembled/ -o app_modified.apk

This should create a reassembled APK named app_modified.apk with the changes we
made.

Signing the APK

Before the modified APK can be installed onto a device it needs to be cryptographically
signed. To sign the app_modified.apk APK file the following steps should be taken:

1. Generate the private key.

$ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

2. Sign the APK using the generated private key.

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore app_modified.apk alias_name

The modified APK should now be signed for 10,000 days and ready to be installed onto the
Android device. To do this, ensure the device has USB debugging enabled then attach the
device to the computer's USB port and run:

$ adb install app_modified.apk

After installing the modified APK it is possible to intercept (Man-in-the-Middle) the HTTPS
communications.

Screenshot showing an intercepted HTTPS request.

Certificate Pinning Test Environment (incomplete)

TODO: PubKeyPin is currently not functioning correctly. I have
contacted the author for assistance.

You may want to practice your Certificate Pinning identification and bypass techniques
before having to do it in the real world. What follows is a guide on how to identify certificate
pinning and bypass it while using a sample Android application called PubKeyPin.

The PubKeyPin Android application is hosted on owasp.org and demonstrates Certificate
Pinning in use.

The PubKeyPin Android application can be downloaded from
https://www.owasp.org/images/1/1f/Pubkeypinandroid.zip

Building the APK

Once downloaded you will need to build and sign the APK before it can be installed onto a
device. To install the APK you will need to download and install the Android SDK as well as
Apache Ant.

1. Create the build.xml file. Run the following command from within the unzipped
PubKeyPin directory:

$ /adt-bundle/sdk/tools/android update project -p . -n pubkey -s -t 1

2. Compile the application using Apache Ant. Run the following command from within
the unzipped PubKeyPin directory:

$ ant clean && ant release

If everything went well, you should now have a file called pubkey-release-unsigned.apk
within the bin folder within the unzipped directory. As the file name suggests, the APK is
unsigned and will need to be signed before it can be installed onto an Android device.

Signing the APK

To sign the pubkey-release-unsigned.apk APK the following steps should be taken:

1. Generate the private key.

$ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

2. Sign the APK using the generated private key.

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore pubkeypinandroid/bin/pubkey-release-unsigned.apk alias_name

If the commands above did not work you may want to consult the official Android
documentation for the most up-to-date information on signing APKs.

Installing the signed APK onto the Device

The pubkey-release-unsigned.apk APK should now be signed for 10,000 days and ready to
be installed onto the Android device. To do this, ensure the device has USB debugging
enabled then attach the device to the computer's USB port and run:

$ adb install pubkeypinandroid/bin/pubkey-release-unsigned.apk

Test Case

Test ID: MSTG31
Test name: Application does not use Certificate Pinning
OWASP Top Ten Category: M3: Insufficient Transport Layer Protection
Steps for test:

Attempt to intercept (MitM) HTTPS traffic. If unsuccessful after taking the
necessary steps, the application may be using Certificate Pinning.

Disassemble the application. Attempt to identify any certificate pinning logic.
Attempt to remove or manipulate the certificate pinning logic. Reassemble the
application and attempt to intercept HTTPS traffic again.
POC/Example Screenshot:
Remediation:

Refer to the OWASP Pinning Cheat Sheet:
https://www.owasp.org/index.php/Pinning_Cheat_Sheet
