Certificate Pinning is an extra layer of security that is used by applications to ensure that the certificate provided by the remote server is the one which is expected.

By including the remote server's X.509 certificate or public key within the application, it is possible to compare the locally stored certificate or key with the one provided by the remote server. If storing a local certificate causes too much hassle, one can use Certificate Pinners from clients like OkHttp, in which certain attributes of the server certificate are used as verifiers.
Screenshot of Facebook app with Certificate Pinning enabled.

If you have been unable to intercept (Man-in-the-Middle) the application's HTTPS traffic after taking the necessary steps, this is probably due to the application using Certificate Pinning.
Bypassing Certificate Pinning

Certificate Pinning is a client-side security measure that can be bypassed by manipulating the application or its environment.

Applications can be disassembled to remove or manipulate the certificate pinning logic. It may also be possible to switch the certificate embedded within the application with another.

Some tools exist for different mobile platforms which can automatically disable certificate pinning. These tools may not necessarily be kept up to date and you may need to try the manual approaches discussed above.
iOS Applications

Both of the following tools need jailbroken devices as they manipulate the application or device during runtime to disable Certificate Pinning.

iOS SSL Kill Switch patches low-level SSL functions within the Secure Transport API:
https://github.com/nabla-c0d3/ssl-kill-switch2
https://github.com/iSECPartners/ios-ssl-kill-switch

iOS TrustMe disables SecTrustEvaluate: https://github.com/intrepidusgroup/trustme
Android Applications

Both of the following tools need rooted devices as they manipulate the application or device during runtime to disable Certificate Pinning.

Android SSL TrustKiller hooks various runtime methods to bypass certificate pinning: https://github.com/iSECPartners/AndroidSSLTrustKiller. Note: This only works through Android 4.3, as Cydia Substrate for Android has not been updated for some time. Try projects based on the Xposed framework: http://forum.xda-developers.com/xposed

Xposed modules: JustTrustMe https://github.com/Fuzion24/JustTrustMe and SSLUnpinning https://github.com/ac-pm/SSLUnpinning_Xposed

android-ssl-bypass uses a JDWP debugger using the JDI APIs: https://github.com/iSECPartners/android-ssl-bypass
Real World Certificate Pinning Bypass Example

To further demonstrate how Certificate Pinning can be bypassed, we will walk through the necessary steps to bypass Certificate Pinning implemented in the official Facebook Android application.

These exact steps may not work for you if you are following them step by step against the official Facebook Android application, as Facebook may have changed the way they implement their certificate pinning from the time when these steps were first written. However, they should still be useful to gain an understanding of how applications can be manipulated to bypass certificate pinning.

The first step is to download the Facebook APK from the Play Store. Once downloaded we will disassemble the application, modify the source code, reassemble the application, sign the application and then finally, install it onto a device.
Disassembling the APK

The apktool tool was used to disassemble the APK with the following command:

$ apktool d com.facebook.katana.apk -o com.facebook.katana_disassembled
Modify the Certificate Pinning logic

Once the APK has been disassembled we will need to locate where within the smali source code the certificate pinning checks are done. Searching the smali code for keywords such as X509TrustManager, cert, pinning, etc., should point you in the right direction.

In this case a search for X509TrustManager returned a result within the smali/com/facebook/acra/util/TrustEveryoneTrustManager.smali file. This file contains methods named checkClientTrusted, checkServerTrusted and getAcceptedIssuers.

The return-void opcode was added to the first line of each of these methods. return-void is the Dalvik opcode that returns from a method without a value, so each check now exits immediately without doing anything. For more Dalvik opcodes refer to http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

Screenshot showing the inserted opcode.
Reassembling the APK

Once the changes are made to the methods the APK will need to be reassembled. To do this the following apktool command was run:

$ apktool b com.facebook.katana_disassembled/ -o app_modified.apk

This should create a reassembled APK named app_modified.apk with the changes we made.
Signing the APK

Before the modified APK can be installed onto a device it needs to be cryptographically signed. To sign the app_modified.apk APK file the following steps should be taken:

1. Generate the private key.

$ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

2. Sign the APK using the generated private key.

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore app_modified.apk alias_name

The modified APK should now be signed for 10,000 days and ready to be installed onto the Android device. To do this, ensure the device has USB debugging enabled, then attach the device to the computer's USB port and run:

$ adb install app_modified.apk

After installing the modified APK it is possible to intercept (Man-in-the-Middle) the HTTPS communications.

Screenshot showing an intercepted HTTPS request.
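The signing step above is the one point in the walkthrough that a developer can observe from inside the application: a rebuilt APK cannot carry the original developer's signature, so it is always re-signed with a different key (here, a freshly generated keystore). The following is an added example, not code from the original page or from OWASP, of a start-up check that compares the installed APK's signing certificate with the SHA-256 fingerprint the developer expects. The class name SigningCertCheck and the EXPECTED_CERT_SHA256 placeholder are assumptions; the real value would come from the developer's own release certificate (for example from keytool -list -v on the release keystore).

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

/**
 * Illustrative class (not from the original page): detects that the running
 * APK was re-signed. A modified build such as the one produced above is always
 * signed with a key other than the developer's, so the SHA-256 fingerprint of
 * the signing certificate no longer matches the one embedded in the app.
 */
public final class SigningCertCheck {

    // Placeholder: replace with the SHA-256 fingerprint of your own release
    // certificate, in the colon-separated form keytool -list -v prints.
    private static final String EXPECTED_CERT_SHA256 = "<sha256-of-release-cert>";

    private SigningCertCheck() {}

    /** Colon-separated hex SHA-256 of a DER-encoded certificate, matching keytool's output. */
    static String sha256Hex(byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /**
     * Returns true only if every signer of the installed package is the expected
     * certificate. Any error (package lookup failure, missing signatures) is
     * treated as a failed check rather than as success.
     */
    @SuppressWarnings("deprecation") // GET_SIGNATURES is deprecated since API 28 but still returns the signers
    public static boolean isSignedByExpectedKey(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) {
                return false;
            }
            for (Signature sig : info.signatures) {
                if (!EXPECTED_CERT_SHA256.equals(sha256Hex(sig.toByteArray()))) {
                    return false;
                }
            }
            return true;
        } catch (Exception e) {
            return false;
        }
    }
}
```

This check runs in the same binary that the walkthrough modifies, so it can be patched out in the same way as the pinning check; its value is that it forces a second, separate edit and gives the server side a signal (for example, an API parameter derived from the result) that a repackaged client is in use. It raises the bar rather than closing the door, which is the same caveat that applies to pinning itself.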
Certificate Pinning Test Environment (incomplete)

TODO: PubKeyPin is currently not functioning correctly. I have contacted the author for assistance.

You may want to practice your Certificate Pinning identification and bypass techniques before having to do it in the real world. What follows is a guide on how to identify certificate pinning and bypass it while using a sample Android application called PubKeyPin.

The PubKeyPin Android application is hosted on owasp.org and demonstrates Certificate Pinning in use.

The PubKeyPin Android application can be downloaded from https://www.owasp.org/images/1/1f/Pubkeypin-android.zip
Building the APK

Once downloaded you will need to build and sign the APK before it can be installed onto a device. To install the APK you will need to download and install the Android SDK as well as Apache Ant.

1. Create the build.xml file. Run the following command from within the unzipped PubKeyPin directory:

$ /adt-bundle/sdk/tools/android update project -p . -n pubkey -s -t 1

2. Compile the application using Apache Ant. Run the following command from within the unzipped PubKeyPin directory:

$ ant clean && ant release

If everything went well, you should now have a file called pubkey-release-unsigned.apk within the bin folder within the unzipped directory. As the file name suggests, the APK is unsigned and will need to be signed before it can be installed onto an Android device.
Signing the APK

To sign the pubkey-release-unsigned.apk APK the following steps should be taken:

1. Generate the private key.

$ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

2. Sign the APK using the generated private key.

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore /pubkeypin-android/bin/pubkey-release-unsigned.apk alias_name

If the commands above did not work you may want to consult the official Android documentation for the most up-to-date information on signing APKs.
Installing the signed APK onto the Device

The pubkey-release-unsigned.apk APK should now be signed for 10,000 days and ready to be installed onto the Android device. To do this, ensure the device has USB debugging enabled, then attach the device to the computer's USB port and run:

$ adb install pubkeypin-android/bin/pubkey-release-unsigned.apk
Test Case

Test ID: MSTG31
Test name: Application does not use Certificate Pinning
OWASP Top Ten Category: M3: Insufficient Transport Layer Protection

Steps for test:
1. Attempt to intercept (MitM) HTTPS traffic. If unsuccessful after taking the necessary steps, the application may be using Certificate Pinning.
2. Disassemble the application. Attempt to identify any certificate pinning logic.
3. Attempt to remove or manipulate the certificate pinning logic. Reassemble the application and attempt to intercept HTTPS traffic again.

POC / Example Screenshot:

Remediation:
Refer to the OWASP Pinning Cheat Sheet: https://www.owasp.org/index.php/Pinning_Cheat_Sheet