ANDROID PENTESTING SERIES PART 8 : SSL Pinning Bypass with Xposed Installer
SSL pinning is the process of associating a host with its certificate or public key. A predefined digital certificate or public key of the host or service is included within the app's bundle at development time, and whenever the app connects to the host server it compares the server certificate with the pinned certificate or public key; only if they match does the app trust the server and establish the connection.
SSL pinning prevents attackers from analyzing the functionality of the app and the way it communicates with the server. The technique adds an additional security layer for application traffic by validating the identity of the remote host. If SSL pinning is not implemented, the application trusts any user-installed custom certificate, which allows proxy tools to intercept the traffic. An attacker can then set up a man-in-the-middle position and capture the data moving to and from the application.
SSL unpinning is a way to bypass the above restriction so that a tester can intercept the traffic between client and server. There are several ways to bypass the SSL pinning applied in an application.
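As an added example (not code from the original post), the pinning check described above written with OkHttp's CertificatePinner; the host name and the two pin values are placeholders to be replaced with your API host and the base64 SHA-256 of its SubjectPublicKeyInfo.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class PinnedClient {
    // Placeholder host and pins (assumed values, not from the post): use the SHA-256 of the
    // leaf key's SubjectPublicKeyInfo plus a backup pin so key rotation does not lock users out.
    static final String API_HOST = "api.example.com";
    static final String[] PINS = {
        "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", // current leaf key (placeholder)
        "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="  // backup key (placeholder)
    };

    // Build a client that only completes a TLS handshake to API_HOST when one of the
    // presented chain's public keys matches a pin; a proxy certificate such as Burp's,
    // even one installed as a trusted user certificate, does not match and is rejected.
    static OkHttpClient buildClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PINS)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    // Returns the response body on success. OkHttp signals a pin mismatch with
    // SSLPeerUnverifiedException before any request data is sent; fail closed here
    // rather than retrying with an unpinned client.
    static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.body().string();
        } catch (SSLPeerUnverifiedException e) {
            throw new IOException("certificate pin mismatch for " + API_HOST, e);
        }
    }
}
```

This protects the transport against an interposed certificate, but the Xposed modules in the walkthrough below hook the pin check itself at runtime, so pinning alone does not defend an app running on an instrumented device.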
Bypassing SSL Pinning using Xposed Installer
1. Make sure your Genymotion simulator is configured in Bridge mode. Also install Open GApps by clicking the Open GApps button on the side of the simulator, then install Google Chrome (if not installed previously) and set up an email account for the app store.
2. Start Burp Suite and start a listener on a local port.
3. Install the Burp certificate: open http://burp and download the Burp Suite certificate, rename it to "burp.cer", and install it as a custom certificate via "Settings > Install Certificate" (search for "certificate" in Settings), choosing the renamed burp.cer file. Before that, set a lock PIN code for the simulator in Settings.
4. Set up the proxy on the simulator via "Settings > Wifi Setting > WiredSSID": long-press "WiredSSID" for a few seconds, then select "Modify network".
5. Change Proxy to Manual, enter your Burp proxy configuration and save.
Now open Google Chrome and browse the internet; at this point the Burp proxy will intercept Chrome's traffic.
6. Download and install Xposed Installer from apkmirror.com. You can install it on the simulator using adb: adb install xposedinstaller.apk. Then run Xposed Installer, give it root permission, enable it and reboot the simulator.
7. Go to "menu > Download", type SSL in the search box and install "SSLUnpinning – Certificate Pinning Bypass", "TrustMeAlready" and "RootCloak". To install a module, click on it, go to Versions, click Download, and after that click Install.
If it shows "need permission to install unknown apps", go to Settings, type "unknown", click on "Unknown sources" and enable it.
8. Now go to "Xposed Installer > Modules", enable all three modules, then reboot the simulator.
9. Open the "SSLUnpinning – Certificate Pinning Bypass" app, select the app you want to unpin, then launch that app. The procedure is now complete.