
Android application traffic analysis: certificate pinning bypass without reverse engineering

Sometimes you need to look into how a mobile app talks to its backend. That is easy if the developers did not bother and all requests go over plain HTTP. But what if the application uses HTTPS and refuses to accept the certificate of your own root CA, which you carefully installed in the OS trust store? Of course, you can dig the requests out of a decompiled application or disable the encryption altogether by reverse engineering, but I would like a simpler way.


What is certificate pinning?


Even when HTTPS is used, the user is not protected from a man-in-the-middle attack if an attacker can replace the server's certificate with their own when the connection is established; the traffic is then available to the attacker.

Certificate pinning helps to cope with such an attack. The measure consists of the developer embedding the trusted certificate into the application. When a secure connection is established, the application checks that the certificate sent by the server matches (or is signed by) the certificate from the application's store.

Bypass certificate pinning


For the test we will take the Uber application. We will use Burp Suite to analyze HTTP traffic. We also need the JDK and the Android SDK (I use all the latest versions). From the Android SDK we only need the zipalign utility, so if you wish, you do not have to download the entire SDK but can find it on the Internet.
Make your life easier in advance by adding the paths to the necessary utilities to the PATH environment variable:

C:\path\to\jdk\bin %USERPROFILE%\AppData\Local\Android\sdk\build-tools\23.0.2 

Open Burp, go to Proxy - Options - Add and add a proxy listener on the interface that is reachable from the test Android device (or emulator). On the device, in turn, configure the Wi-Fi network in use to go through the newly enabled proxy.

Download the apk file from apkpure.com, install the application on the device and try to log in to your account: the application hangs at the authentication step.


In the Burp Suite log (Alerts tab) we see multiple reports of failed SSL handshakes. Note the first line: in my case authentication goes through the server cn-geo1.uber.com, which is why I cannot get into the application.


The point is that when Burp Suite intercepts HTTPS connections (and remember that all of the device's connections are proxied through it), it replaces the web server's certificate with its own, which, of course, is not in the trusted list. To make the device trust the certificate, do the following. In Burp, go to Proxy - Options and click Import / export CA certificate. In the dialog, select Export Certificate. Copy the certificate to the device, go to Settings - Security - Install certificates and install our certificate as a certificate for VPN and apps.


Try logging in to your account again. Now the Uber application only reports a failed authentication attempt, so there is progress; all that remains is to bypass certificate pinning.

Open the application in your favorite archiver as a zip archive. In the res/raw folder you will see a file with the telling name ssl_pinning_certs_bk146.bks.


Opening it shows that Uber uses a keystore in the BouncyCastle (BKS) format. Because of this, you cannot simply replace the certificate in the application; first you have to generate a BKS store. To do this, download the jar for working with BKS.

Now we generate the BKS storage, which will contain our certificate:

 keytool -import -v -trustcacerts -alias mybks -file c:/path/to/burp.crt -keystore ssl_pinning_certs_bk146.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath c:/path/to/bcprov-jdk15on-154.jar -storepass spassword 

To the question about trusting the certificate we answer "yes". Open the apk in the archiver again and replace the original store with ours, keeping the original file name.

But that is not the end of it. Every apk must be signed with a developer certificate. Fortunately, this is done not to ensure security but to identify applications, so for our research purposes we can perfectly well use an untrusted certificate.

Delete the META-INF folder with the old application signature from the apk and proceed to generating a new one.
Create a keystore and generate a key in it for signing the apk:

keytool -genkey -keystore mykeys.keystore -storepass spassword -alias mykey1 -keypass kpassword1 -dname "CN=ololo, O=HackAndroid, C=RU" -validity 10000 -sigalg MD5withRSA -keyalg RSA -keysize 1024

We sign our APK with the key just generated:

 jarsigner -sigalg MD5withRSA -digestalg SHA1 -keystore mykeys.keystore -storepass spassword -keypass kpassword1 Uber.apk mykey1 

Now it remains to align the data in the archive on a four-byte boundary:

 zipalign -f 4 Uber.apk Uber.apk_zipal.apk 

Done. Delete the old application from the device, install the new one and try to log in to your account. Where earlier the application's attempt to contact cn-geo1.uber.com was cut off by the handshake, you can now view and, if desired, modify the traffic.
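The reason the swap above works is that the pin store is an ordinary resource inside the apk and the jar signature is not tied to a specific developer key. An added example (not from the post, and not Uber's or Burp's code) that an app reviewer can use to find where an apk keeps its pinning material, fingerprint it for comparison against the official build, and check whether the META-INF signature files are present; it uses only the standard library, and the sample apk it builds is constructed to mirror the layout described in this post.

```python
import hashlib
import io
import zipfile

# Extensions under which Android apps commonly ship pinned certificates or trust stores.
PIN_STORE_SUFFIXES = (".bks", ".jks", ".p12", ".pfx", ".crt", ".cer", ".pem", ".der")


def audit_apk(apk_bytes):
    """Report where an apk keeps its pinning material and whether it carries a jar signature.

    Returns a dict with the pin-store candidates (path -> SHA-256 of the entry, so the
    store can be compared with the one in the official release), the signature files
    found under META-INF/, and whether any were present. An apk is a plain zip, so this
    is nothing more than a zipfile walk.
    """
    stores = {}
    sig_files = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC", ".SF")):
                sig_files.append(name)
            elif name.lower().endswith(PIN_STORE_SUFFIXES):
                stores[name] = hashlib.sha256(apk.read(name)).hexdigest()
    return {
        "pin_stores": stores,
        "signature_files": sorted(sig_files),
        "jar_signed": bool(sig_files),
    }


def build_sample_apk(store_bytes, signed=True):
    """Constructed stand-in for an apk: a zip with the layout this post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", b"dex\n035")
        apk.writestr("res/raw/ssl_pinning_certs_bk146.bks", store_bytes)
        if signed:  # the v1 (jar) signature lives entirely under META-INF/
            apk.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            apk.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            apk.writestr("META-INF/CERT.RSA", b"\x30\x82")  # placeholder, not a real PKCS#7 blob
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_apk(build_sample_apk(b"constructed-bks-contents"))
    for path, digest in report["pin_stores"].items():
        print(f"pin store {path} sha256={digest}")
    print("jar signed:", report["jar_signed"], report["signature_files"])
```

Run it against a real apk with `audit_apk(open("app.apk", "rb").read())`; a pin-store digest that differs from the vendor's build, or a missing signature, is the trace a repackaging like the one in this post leaves behind.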


Thanks for your attention!

Source: https://habr.com/ru/post/307774/
