Yesterday, I was analyzing an Android application that uses OkHttp for certificate pinning. It took me hours to analyze the app, and I tried several methods to circumvent its certificate pinning implementation. If I had only been monitoring the system log while running the app, I could have done it in a matter of minutes. I may have wasted a lot of time and effort, but at least I learned something.
Here's my write-up on how I bypassed OkHttp's certificate pinning implementation.
Attempt #1: Using Xposed Modules
Since I had Xposed running on my test device, I first tried the modules SSLUnpinning and TrustMeAlready. I know these modules are outdated, but they might still have worked. Unfortunately, they didn't work on the app I was testing.
Attempt #2: Using Frida Scripts
My second attempt involved Frida. After setting it up on my test device, I immediately tried the "most popular" Frida script on CodeShare, the Universal Android SSL Pinning Bypass script. All I got was an error.
I tried another script, but no luck either. It did not even detect the certificate pinning implementation used by the app.
I ended up trying every Frida script on CodeShare related to certificate pinning bypass, but none of them worked.
Attempt #3: Via Manual Modification
I decided to look at the system log to see what was happening in the background while the app was running. In the app's log output, I found the following certificate fingerprints (highlighted in green).
Basically, the app checks the certificate chain against these pinned fingerprints. If a fingerprint from the chain matches one of the pinned fingerprints, the peer's identity is treated as verified; so whatever fingerprint sits in that list is accepted, which is what makes the pinning bypassable.
Before I could inject Burp's certificate fingerprint, I first decompiled the app and looked for the file where these pinned fingerprints were stored. From the output below, the pinned fingerprints were located in /res/values/arrays.xml.
I then added Burp's certificate fingerprint to the list inside /res/values/arrays.xml.
Lastly, I recompiled the app and installed it.
That’s it! I was able to bypass the app’s certificate pinning mechanism.
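As an added example (not part of the original write-up), here is a small Python audit that reproduces what the pinning decision reduces to, a membership check against a list of fingerprints in a resource file, and flags entries that a release build should not contain. The array name, the pin values and the assumption that the array holds OkHttp-format `sha256/` pins are mine, not taken from the app.

```python
"""Audit OkHttp-style certificate pins in an APK's res/values/arrays.xml.

Assumptions (not from the original post): array name and pin values are
constructed; pins use OkHttp CertificatePinner format, "sha256/" followed by
base64(SHA-256 over the certificate's SubjectPublicKeyInfo DER)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

PIN_PREFIXES = ("sha256/", "sha1/")


def compute_pin(spki_der: bytes) -> str:
    """Return the OkHttp pin string for a SubjectPublicKeyInfo DER blob."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def extract_pins(arrays_xml: str) -> dict:
    """Map each <string-array> name to the pin strings listed under it."""
    pins = {}
    for arr in ET.fromstring(arrays_xml).iter("string-array"):
        items = [i.text.strip() for i in arr.findall("item") if i.text]
        pins[arr.get("name")] = [i for i in items if i.startswith(PIN_PREFIXES)]
    return pins


def audit_pins(found: dict, expected: set) -> list:
    """Return (array name, pin) pairs that are not in the known-good release set.

    The pinner accepts any chain whose fingerprint is in the list, so an extra
    entry here is the footprint of a repackaged APK, not a legitimate update."""
    return [(n, p) for n, ps in found.items() for p in ps if p not in expected]


# Constructed sample pins (valid base64 length, not real certificate hashes).
PIN_A, PIN_B, PIN_C = ("sha256/" + c * 43 + "=" for c in "ABC")
# Constructed resource: two release pins plus one foreign entry.
SAMPLE_ARRAYS_XML = f"""<resources>
    <string-array name="pinned_fingerprints">
        <item>{PIN_A}</item>
        <item>{PIN_B}</item>
        <item>{PIN_C}</item>
    </string-array>
</resources>"""
EXPECTED_PINS = {PIN_A, PIN_B}  # what the release build is known to ship

if __name__ == "__main__":
    for name, pin in audit_pins(extract_pins(SAMPLE_ARRAYS_XML), EXPECTED_PINS):
        print(f"unexpected pin in {name}: {pin}")
```

Running the same audit against a decompiled build is a quick way to confirm that the shipped pin list matches the one your release pipeline generated.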
Lesson learned: Always keep an eye on the system log while running the target application.