In this post, SSL Pinning refers to the behaviour that, for Android apps with targetSdkVersion > 23, the app by default trusts only the system root certificates (or the certificates specified in the app's own configuration) rather than the third-party certificates added by the user. As a result, Charles fails to capture HTTPS packets when doing reverse analysis of the app (as shown in the picture):

There are two common ways to bypass SSL Pinning:

  1. Repackage the APK and modify the configuration in AndroidManifest. The advantage is that the repackaged APK stays valid: there is no need to rebuild the environment when capturing packets on other phones/computers, and the phone does not need root permission. The disadvantage is that the APK signature changes after repackaging, which is easy for the app to detect and may require a further bypass of signature verification.
  2. Injection + hook, to bypass certificate verification on the client. The common injection frameworks Xposed and Frida, and Objection (built on Frida), all have ready-made tools for this. The advantages and disadvantages are the opposite of repackaging.

Repackaging

Repackaging is a common and practical way to bypass SSL Pinning. Since an APK with targetSdkVersion <= 23 trusts user-added third-party certificates by default, our goal is to change targetSdkVersion in AndroidManifest to 23 (the APK currently sets it to 29).

1. Use apktool to repackage

  • Step 1: Unpack. Since we only need to modify the configuration in AndroidManifest, we don't need to decode the sources, only the resources, so the command is: apktool d -s origin.apk
  • Step 2: Modify targetSdkVersion in AndroidManifest
  • Step 3: Repack. The command is: apktool b <decode output directory>

When I tried this on one app, the following error occurred in step 3: apktool failed while compiling the resource files, and I could not find a solution.

2. Only decode AndroidManifest

Since recompiling the resources fails, can we decode only AndroidManifest instead of decoding the resource files? Unfortunately apktool does not currently support this either. The official answer (github.com/iBotPeaches…) is that AndroidManifest also relies on other resources (strings, drawables, etc.), so decoding AndroidManifest alone would take a huge effort.

Modify the binary of AndroidManifest directly

Since we only need to make a minor change to AndroidManifest, and since we can't decode the resource files, we can change the binary of AndroidManifest directly. The unpacking command becomes apktool d -r -s origin.apk (-r skips decoding resources, -s skips decoding sources). Then, following this blog post (juejin.cn/post/684490…), the binary AndroidManifest can be modified easily with the 010 Editor AndroidManifest template. After the modification, run apktool b to repack, and then re-sign the APK with apksigner: apksigner sign --ks spykey.keystore --out sign.apk --ks-pass pass:spykey --ks-key-alias spykey --key-pass pass:spykey --v2-signing-enabled true people.apk. The spykey.keystore can be generated in Android Studio or with other tools.
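To check what a compiled APK actually targets, and therefore whether Android's default trust anchors will include user-added CAs, here is an added Python example; it is not code from the original post, from apktool or from the 010 Editor template. It reads the binary AndroidManifest.xml (the same ResXMLTree format the template edits) by walking its chunks and using the resource-map chunk to identify the android:minSdkVersion and android:targetSdkVersion attributes. The in-memory manifest it builds is a constructed sample, not the app from the post; the chunk-type and attribute resource-id constants are the public Android ResourceTypes values.

```python
"""Audit targetSdkVersion in a compiled (binary AXML) AndroidManifest.xml.

Added example, not code from the original post. Walks the binary manifest's
chunks, maps attribute names to resource ids via the resource-map chunk, and
reports whether the platform will trust user-added CAs by default. A
constructed minimal manifest is built in memory so the script runs offline.
"""
import struct
import sys
import zipfile

RES_STRING_POOL_TYPE = 0x0001
RES_XML_TYPE = 0x0003
RES_XML_START_ELEMENT_TYPE = 0x0102
RES_XML_END_ELEMENT_TYPE = 0x0103
RES_XML_RESOURCE_MAP_TYPE = 0x0180
ATTR_MIN_SDK_VERSION = 0x0101020C     # resource id of android:minSdkVersion
ATTR_TARGET_SDK_VERSION = 0x01010270  # resource id of android:targetSdkVersion
TYPE_INT_DEC = 0x10                   # Res_value dataType for decimal integers
NO_ENTRY = 0xFFFFFFFF
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def iter_chunks(data, start, end):
    """Yield (type, header_size, chunk_size, offset) for each chunk in data[start:end]."""
    off = start
    while off + 8 <= end:
        ctype, hsize, csize = struct.unpack_from("<HHI", data, off)
        if csize < 8 or off + csize > end:
            raise ValueError("corrupt chunk at offset %d" % off)
        yield ctype, hsize, csize, off
        off += csize


def read_sdk_versions(axml):
    """Return {'minSdkVersion': int|None, 'targetSdkVersion': int|None} from AXML bytes."""
    if len(axml) < 8 or struct.unpack_from("<H", axml, 0)[0] != RES_XML_TYPE:
        raise ValueError("not a binary AndroidManifest.xml")
    _, hsize, total = struct.unpack_from("<HHI", axml, 0)
    resource_ids = []  # string-pool index -> attribute resource id
    found = {"minSdkVersion": None, "targetSdkVersion": None}
    for ctype, chsize, csize, off in iter_chunks(axml, hsize, min(total, len(axml))):
        if ctype == RES_XML_RESOURCE_MAP_TYPE:
            count = (csize - chsize) // 4
            resource_ids = list(struct.unpack_from("<%dI" % count, axml, off + chsize))
        elif ctype == RES_XML_START_ELEMENT_TYPE:
            # attrExt after the 16-byte node header: ns, name, attributeStart, attributeSize, attributeCount
            _, _, attr_start, attr_size, attr_count = struct.unpack_from("<IIHHH", axml, off + chsize)
            base = off + chsize + attr_start
            for i in range(attr_count):
                # ResXMLTree_attribute: ns, name, rawValue, then Res_value (size, res0, dataType, data)
                _, name_idx, _, _, _, dtype, value = struct.unpack_from("<IIIHBBI", axml, base + i * attr_size)
                if name_idx >= len(resource_ids) or dtype != TYPE_INT_DEC:
                    continue
                if resource_ids[name_idx] == ATTR_MIN_SDK_VERSION:
                    found["minSdkVersion"] = value
                elif resource_ids[name_idx] == ATTR_TARGET_SDK_VERSION:
                    found["targetSdkVersion"] = value
    return found


def trusts_user_cas_by_default(versions):
    """Android 7.0+ ignores user-added CAs for apps targeting API 24 or higher.

    When uses-sdk omits targetSdkVersion, the platform falls back to minSdkVersion
    (default 1). A network_security_config can still override this either way.
    """
    target = versions["targetSdkVersion"]
    if target is None:
        target = versions["minSdkVersion"] or 1
    return target <= 23


def _string_pool(strings):
    """UTF-16 string pool chunk: header, offsets, then length-prefixed strings."""
    body, offsets = b"", []
    for s in strings:
        offsets.append(len(body))
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (-len(body) % 4)
    strings_start = 28 + 4 * len(strings)
    header = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, 28, strings_start + len(body),
                         len(strings), 0, 0, strings_start, 0)
    return header + struct.pack("<%dI" % len(offsets), *offsets) + body


def _start_element(name_idx, attr_ns_idx, attrs):
    """Start-element chunk; attrs are (name_idx, int_value) pairs in the given namespace."""
    attr_bytes = b"".join(
        struct.pack("<IIIHBBI", attr_ns_idx, n, NO_ENTRY, 8, 0, TYPE_INT_DEC, v) for n, v in attrs)
    ext = struct.pack("<IIHHHHHH", NO_ENTRY, name_idx, 20, 20, len(attrs), 0, 0, 0)
    node = struct.pack("<HHIII", RES_XML_START_ELEMENT_TYPE, 16, 16 + len(ext) + len(attr_bytes), 0, NO_ENTRY)
    return node + ext + attr_bytes


def build_constructed_manifest(min_sdk, target_sdk):
    """Constructed sample: <manifest><uses-sdk minSdkVersion [targetSdkVersion]/></manifest>."""
    strings = ["minSdkVersion", "targetSdkVersion", "android", ANDROID_NS, "manifest", "uses-sdk"]
    res_map = struct.pack("<HHIII", RES_XML_RESOURCE_MAP_TYPE, 8, 16, ATTR_MIN_SDK_VERSION, ATTR_TARGET_SDK_VERSION)

    def end(n):
        return struct.pack("<HHIIIII", RES_XML_END_ELEMENT_TYPE, 16, 24, 0, NO_ENTRY, NO_ENTRY, n)

    attrs = [(0, min_sdk)] + ([(1, target_sdk)] if target_sdk is not None else [])
    body = _string_pool(strings) + res_map + _start_element(4, NO_ENTRY, []) + \
        _start_element(5, 3, attrs) + end(5) + end(4)
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(body)) + body


def main(argv):
    if len(argv) > 1:  # an APK, or an AndroidManifest.xml extracted with apktool d -r
        if argv[1].lower().endswith(".apk"):
            axml = zipfile.ZipFile(argv[1]).read("AndroidManifest.xml")
        else:
            with open(argv[1], "rb") as f:
                axml = f.read()
    else:  # constructed sample mirroring the post's APK (targetSdkVersion 29)
        axml = build_constructed_manifest(21, 29)
    versions = read_sdk_versions(axml)
    print(versions, "trusts user-added CAs by default:", trusts_user_cas_by_default(versions))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to an APK or to an AndroidManifest.xml left by apktool d -r; with no argument it audits the constructed sample. The function only reports the uses-sdk values: an app can ship a network_security_config that overrides the platform default in either direction, so treat the result as the baseline, not the whole trust picture.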

After installing the repackaged APK, the app opened normally, but it crashed as soon as I tapped to accept the terms of use. logcat showed no obvious cause of the error, but we can reasonably guess that the app verifies its own APK signature. Since logcat gave no clues, bypassing signature verification could take considerable effort, so I decided to give up on the repackaging method.

Injection + Hook

The app runs fine on an Android 11 x86 emulator, which provides a convenient root environment for injection and hooking. Objection has a ready-made SSL Pinning bypass: github.com/sensepost/o… . For the principle and detailed operation steps, see this blog post: www.hackingarticles.in/android-hoo…

Here are the steps:

  • Step 1: Install Objection on the Mac: pip3 install objection
  • Step 2: Download frida-server for Android (frida-server-14.2.13-android-x86.xz from github.com/frida/frida…), decompress it, push it to /data/local/tmp on the phone, and run it as root. The frida-server version must match the frida client that Objection installed (check with frida --version). On the Mac: adb push frida-server-14.2.13-android-x86 /data/local/tmp. Then run adb shell, become root with su, and execute: chmod 0755 /data/local/tmp/frida-server-14.2.13-android-x86 && /data/local/tmp/frida-server-14.2.13-android-x86
  • Step 3: Launch the app
  • Step 4: Inject into the app process; on the Mac run: objection -g <app package name> explore
  • Step 5: In the Objection shell opened in step 4, run android sslpinning disable to disable SSL Pinning in the app.

After these steps, Charles captures the app's HTTPS packets successfully: