I have an android application which using SSL in Api calls. I found some solutions to reveal transactions such as SSL Unpinning:
https://github.com/ac-pm/SSLUnpinning_Xposed
and
https://www.roe.ch/SSLsplit
and
https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS
I need a secure method to keep my application safe.
I think this is a critical problem for our applications not users!
Related
There are so many articles about circumventing SSL Pinning in Android by using CertificatePinner class in OkHttp3.
https://medium.com/#hojat.sajadinia/bypass-okhttp-certificatepinner-on-android-9a45ad80a58b
https://blog.nviso.eu/2019/04/02/circumventing-ssl-pinning-in-obfuscated-apps-with-okhttp/?fbclid=IwAR3QRvecJl6rlmpN_fpbBGgY2Bvrax3eo-Y7qOf7StYW7_aGsuaIdrr_pQs
https://joncooperworks.medium.com/disabling-okhttps-ssl-pinning-on-android-bd116aa74e05
So my question is, what i should do in preventing bypass SSLPinning by using OkHttp.CertificatePinner ?
What i tried is to obfuscate OkHttp in my project. The OkHttp3 class not found when we reverse the APK file by using ApkTools, but when i use jadx to reverse the APK file, the OkHttp3 doesn't get obfuscated in dex file.
You can probably investigate device attestation to confirm the right app binary is running on a non rooted mobile. https://developer.android.com/training/safetynet/attestation
The SafetyNet Attestation API is an anti-abuse API that allows app developers to assess the Android device their app is running on. The API should be used as a part of your abuse detection system to help determine whether your servers are interacting with your genuine app running on a genuine Android device.
But I'm not qualified to provide expert advice on this topic.
Finally i had to override mapping.txt manually since proguard rules doesn't works on OkHttp3. Hopefully after i overrode the class name, method name and object name of OkHttp3 would able to prevent man-in-the-middle attackers to bypass certificate pinning by using Okhttp3.CertificatePinner.java
I know this question is very similar to this one: Using Charles proxy to decrypt googleapis.com,
but it is very old and I think google changed some stuff about their APIs.
I'm using Charles to inspect HTTP requests from an android app (which is not mine).
This app uses SSL pinning, so I bypassed it with this tutorial:
https://lucy-janewalsh.com/blog/2019/10/29/unpinning-an-app
This works perfectly for every domain, except firestore.googleapis.com.
Charles gives me this error:
No request was made. Possibly the SSL certificate was rejected.
Do you know if this is possible to inspect requests made to this address?
Thanks
That tutorial only disables SSLPinning by the conscrypt library and only if the app that uses this library has not been obfuscated. If the app is obfuscated the class can not be found and the pinning will remain active. Also keep in mind that conscrypt is based on my experience not very often used by Android apps. Other libraries that provide SSLPinning like OKHttp are way more often used (e.g. covered by this Frida snippet.
In your case everything depends on the app you try to intercept the traffic of. Decompile it e.g. using Jadx or your favorite app decompiler and try to identify the used library/method for SSL pinning. If the app is obfuscated (class names changed) then most likly you have to write your own frida code to disable pinning (or at least adapt the class names form an existing frida code snippet that performs unpinning for the SSL-library used in your app).
I am creating a small demo app to implement ssl certificate pinning in android webview. I have generated the certificates of the host.
Can anyone suggest me how to pin the certificates in the application code.
I have searched many links but I am still stuck.
WebViews are tricky, not least because there is no perfect way to implement pinning in them except with Android N using Network Security Configuration.
The best you can do is override shouldInterceptRequest and implement the network calls yourself using one of the methods described in Android Security: SSL Pinning, however this only intercepts GET requests so if your WebViews use POST requests then you are out of luck. Android-SSL-Pinning-WebViews shows an example of doing this.
I will start with a very very short introduction on OS certificate pinning for Android. Starting with version 4.2 of Android system/OS level SSL/TLS certificate pinning was introduced (see also this URL for more info.). The list of pinned certificates using this mechanism is located at: "/data/misc/keychain/pins" and contains by default around 40 entries for Google services like mail.google.com, youtube.com, etc. I would very much like to have my own certificate pinned by having it added to this list. However, modifying this list requires an Android permission (android.permission.WRITE_SECURE_SETTINGS) that's only available to system apps.
Doe anyone know if there might by some kind procedure in place at Google to submit a request to be added to this list (i.e. /data/misc/keychain/pins)?
WebViews are tricky, not least because there is no perfect way to implement pinning in them except with Android N using Network Security Configuration.
The best you can do is override shouldInterceptRequest and implement the network calls yourself using one of the methods described in Android Security: SSL Pinning, however this only intercepts GET requests so if your WebViews use POST requests then you are out of luck. Android-SSL-Pinning-WebViews shows an example of doing this.
The challenge I have is to convert an android app that uses HTTP connection to HTTPS connection without rewriting the code?
What are the options available to achieve the above challenge on a device without a root access?
Any solution that relies on server-side redirections (from HTTP to HTTPS) will be vulnerable to MITM attacks (see this answer).
If the addresses in this app are configurable, just change them to use your HTTPS URLs.
Otherwise, you can of course use a server-side redirection to mitigate the risk slightly, but that won't prevent downgrade MITM attacks (which can happen, perhaps more so when using a mobile device).
If it's always connecting to a known endpoint that's under your control, you could implement something at the target server end of things to redirect, perhaps something like mod_rewrite if it's an Apache server.
There's no much to be rewritten. You basically change your http:// links to https:// and that's shall be it. Some problems may appear when endpoint's certificate is self signed or signed by some less popular CA, but you can easily replace your HttpClient with this one, add issuer's CA to your app and be done with one screen of code basically.
If app is not yours and you got no code, then you could try to tunnel it, by making it accessing the net via your access point which would transparently re-route the packets via ssh tunnel or VPN or whatever else.
If app is not yours but you can have code - that's IMHO best way to go.