
Certificate pinning is the process of associating a host with their expected X.509 certificate or public key. Once a certificate or public key is known or seen by a host, the certificate or public key is associated or ‘pinned’ to the host.
A host or service’s certificate or public key can be added to an application at development time, or it can be added upon first encountering the certificate or public key. The former – adding at development time – is preferred, since preloading the certificate or public key out of band usually means the attacker cannot taint the pin. If the certificate or public key is added upon the first encounter, this is known as key continuity. Key continuity can fail if the attacker has a privileged position during the first encounter.
Pinning leverages knowledge of the pre-existing relationship between the user and an organization or service to help make better security-related decisions. Because the application already has information on the server or service, it does not need to rely on generalized mechanisms meant to solve the key distribution problem. That is, it does not need to turn to DNS for name/address mappings or trusted CAs for bindings and status. No key distribution problems when there is no key distribution!
Mobile applications should use either certificate or public key pinning in order to ensure that communications are secure. Pinning is usually implemented when the developer of the application needs to validate the remote host’s identity or when operating in a hostile environment. Since one or both of these are almost always true, it is recommended that the majority of applications implement pinning.
OWASP’s page on Certificate and Public Key Pinning[1] reads:
“You should pin anytime you want to be relatively certain of the remote host’s identity or when operating in a hostile environment. Since one or both are almost always true, you should probably pin all the time.”
– https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
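To make the two pinning models above concrete, here is an added example (not code from the original post or from OWASP) that computes a public key pin in the sha256/base64 form used by OkHttp and HPKP, then checks it both against a preloaded pin set and under key continuity (trust on first use). The DER helpers and fake_cert are assumptions of this example: fake_cert builds a constructed, unsigned certificate skeleton in RFC 5280 field order so the code runs offline.

```python
import base64, hashlib

def der(tag, content):
    """Encode one DER TLV, using a long-form length above 127 bytes."""
    n = len(content)
    nb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(nb)]) + nb + content

def _tlv(data, pos):
    """Return (tag, content_start, content_end) for the TLV at data[pos]."""
    tag, n, j = data[pos], data[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        n, j = int.from_bytes(data[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
    return tag, j, j + n

def der_children(seq):
    """Yield (tag, raw_tlv_bytes) for each element of a DER SEQUENCE."""
    _, pos, end = _tlv(seq, 0)
    while pos < end:
        tag, _, stop = _tlv(seq, pos)
        yield tag, seq[pos:stop]
        pos = stop

def spki_from_cert(cert_der):
    """Pull subjectPublicKeyInfo out of tbsCertificate (RFC 5280 field order)."""
    tbs = next(raw for _, raw in der_children(cert_der))
    fields = [raw for tag, raw in der_children(tbs) if tag != 0xA0]  # [0] version is optional
    return fields[5]  # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(cert_der):
    """Public key pin in the 'sha256/<base64>' form used by OkHttp and HPKP."""
    digest = hashlib.sha256(spki_from_cert(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def check_preloaded(cert_der, pins):
    """Preloaded pinning: the pin set is fixed at build time; any match passes."""
    return spki_pin(cert_der) in pins
def check_continuity(seen, host, cert_der):
    """Key continuity (trust on first use): pin the first key seen per host."""
    pin = spki_pin(cert_der)
    return seen.setdefault(host, pin) == pin

def fake_cert(pubkey, with_version=True):
    """Constructed, unsigned DER skeleton with real field order; returns (cert, spki)."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
    name, t = der(0x30, b""), der(0x17, b"240101000000Z")
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))
    tbs = der(0x02, b"\x01") + alg + name + der(0x30, t + t) + name + spki
    if with_version:
        tbs = der(0xA0, der(0x02, b"\x02")) + tbs
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00sig")), spki
```

Because the pin hashes the SubjectPublicKeyInfo rather than the whole certificate, the pin survives certificate renewal as long as the key is kept, which is why public key pinning is usually preferred over certificate pinning.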
As the following steps show, there are practical implications that should be considered when implementing certificate pinning.
1. Set up the device: a Genymotion virtual device, a physical device, or an Android Studio emulator
2. Install Frida and objection tools
python -m pip install frida
python -m pip install frida-tools
python -m pip install objection
or
pip install frida
pip install frida-tools
pip install objection
3. Download the ADB platform tools, or set up ADB from your distro’s package manager
4. Download Frida injection script
https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
or
https://codeshare.frida.re/@sowdust/universal-android-ssl-pinning-bypass-2/
5. Connect the device to ADB
adb connect <ip of device>:<port>
6. Download the frida-server build for the Android device’s architecture
7. To find out the architecture of the device:
adb shell getprop ro.product.cpu.abi
8. Install the target application on the device.
9. Push Frida-server into the device:
adb push <path to extracted frida-server> /data/local/tmp
Note: make sure you extract it on your local pentest box first. Link: https://github.com/frida/frida/releases/tag/12.4.7
Use these files as per your architecture:
frida-server-12.4.7-linux-x86_64.xz
frida-server-12.4.7-macos-x86_64.xz
10. Give permissions to frida-server:
adb shell chmod 777 /data/local/tmp/frida-server
11. Setup burp suite
12. Push the proxy’s CA certificate:
adb push <path to cacert.der> /data/local/tmp/cert-der.crt
13. Push fridascript.js into the device:
adb push <path to fridascript.js> /data/local/tmp
14. Check and run frida server on the device
adb shell /data/local/tmp/frida-server &
15. List all running processes on the device:
frida-ps -U
16. Locate your application’s package name
17. Hook fridascript.js into the target application
frida -U -f <your_application_package_name> -l <path_to_fridascript.js_on_your_computer> --no-pause
18. Intercept traffic in BurpSuite.
1. ADB daemon failed to connect
If you are getting an error like this:
adb devices
adb server is out of date. killing...
cannot bind 'tcp:5037'
ADB server didn't ACK
*failed to start daemon*
error:
i. Open System Properties >> Advanced >> Environment Variables
ii. Edit the Path variable and delete the entry for C:/Android (or wherever the ADB tools are pointed)
iii. Copy all platform tools into the genymotion >> tools folder
iv. Create a new Path entry pointing at the genymotion >> tools folder.
2. ‘frida’ / ‘pip’ is not recognized as an internal or external command
i. Open System Properties >> Advanced >> Environment Variables
ii. Create a new Path entry pointing at the Python >> Scripts folder
3. ARM translation error while installing the application on the device
i. Download the ARM translation file from here:
https://androidfilehost.com/?fid=23252070760974384
ii. Drag and drop the file onto the device emulator, or flash it from recovery if you are using a physical device
iii. Restart the device; you will then be able to drag and drop the target application onto it
4. Failed to spawn: the ‘argv’ option is not supported when spawning Android apps
Check the path to fridascript.js on your computer; it may be incorrect. You have to give the absolute path of the fridascript.js file.
5. frida-server is started but you are unable to list running processes
Disconnect and reconnect Wi-Fi on the device.