disable certificate pinning in Android apps

Have you been in the situation where you start an app and want to intercept its network traffic because you are curious what messages are exchanged between the client and the API? So you spin up mitmproxy, Charles Proxy, Burp Suite or whatever and you see... nothing? That might be because certificate pinning is implemented in the client. Luckily there are some methods to bypass that. One method that sometimes works for Android apps is to patch the app.

get it

My preferred way to get an APK from an Android device (for reverse engineering purposes etc.) is this helpful bash script. No root required; you only need adb installed and the phone in developer mode with USB debugging enabled.

appname=targetapp
# "pm list packages" prints "package:<id>"; keep the id, strip any trailing CR that adb shell may add,
# and take the first package whose id matches the app name
i=$(adb shell pm list packages | awk -F':' '{print $2}' | tr -d '\r' | grep "$appname" | head -n 1)
# "pm path" prints "package:<path to base.apk>"; pull that file to the current directory
adb pull "$(adb shell pm path "$i" | awk -F':' '{print $2}' | tr -d '\r')"
# rename the pulled APK after its package id; silence the error if the file had another name
mv base.apk "$i.apk" 2> /dev/null

decompile it

This step generates smali code. Smali is an assembler for Dalvik Virtual Machine bytecode; the assembled dex (Dalvik executable) bytecode can be disassembled back into smali code. That’s what we are doing now.

apktool d targetapp.apk

There is an interesting thread on smali on the xda-developers forum.

EDIT 1: For those who are interested, check out the Dalvik bytecode reference: https://source.android.com/devices/tech/dalvik/dalvik-bytecode

patch it

Ok, now that we have the smali code, we can start browsing for the place where the app checks the X.509 certificate. “checkClientTrusted” and “checkServerTrusted” (the methods of javax.net.ssl.X509TrustManager) are really good candidates. We patch those two methods so that they return before the actual check executes, by inserting a “return-void” instruction at their start (lines 453 and 467).
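The same pattern that makes the patch work is what a reviewer looks for when checking whether a build’s pinning logic is intact: a trust-manager check method whose first real instruction is return-void validates nothing, whether it was patched or written as a trust-all manager. The following scanner is an added example and not part of the original post; it runs over a constructed smali excerpt, and the class name com.example.PinningTrustManager is made up.

```python
# Constructed sample: checkClientTrusted still delegates to a real check,
# checkServerTrusted has an early return-void in front of its body.
SAMPLE_SMALI = """\
.class public Lcom/example/PinningTrustManager;
.implements Ljavax/net/ssl/X509TrustManager;

.method public checkClientTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 1
    .param p1, "chain"
    .line 40
    iget-object v0, p0, Lcom/example/PinningTrustManager;->delegate:Ljavax/net/ssl/X509TrustManager;
    invoke-interface {v0, p1, p2}, Ljavax/net/ssl/X509TrustManager;->checkClientTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    return-void
.end method

.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 1
    .param p1, "chain"
    .line 53
    return-void
    iget-object v0, p0, Lcom/example/PinningTrustManager;->delegate:Ljavax/net/ssl/X509TrustManager;
    invoke-interface {v0, p1, p2}, Ljavax/net/ssl/X509TrustManager;->checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    return-void
.end method
"""

TRUST_METHODS = ("checkClientTrusted", "checkServerTrusted")

def first_instruction(body_lines):
    """First Dalvik instruction of a method body, skipping smali directives
    (.locals, .param, .line, .annotation ...), labels (:goto_0), comments and blanks."""
    for line in body_lines:
        s = line.strip()
        if not s or s[0] in ".:#":
            continue
        return s
    return None

def find_patched_trust_checks(smali_text):
    """Map each X509TrustManager check method found in the smali text to True
    when its body starts with return-void (no validation happens), else False."""
    results, current, body = {}, None, []
    for line in smali_text.splitlines():
        s = line.strip()
        if s.startswith(".method "):
            name = s.split("(")[0].split()[-1]      # ".method public NAME(" -> NAME
            current, body = (name if name in TRUST_METHODS else None), []
        elif s == ".end method":
            if current:
                results[current] = first_instruction(body) == "return-void"
            current = None
        elif current is not None:
            body.append(line)
    return results
```

Run it over every .smali file under the apktool output directory; any True entry deserves a look before the build is trusted.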


compile it

apktool b targetapp -o modified_targetapp.apk

sign it

First, we generate a key, and then we use jarsigner to sign the APK.

keytool -genkey -v -keystore my-release-key.keystore -alias somealias -keyalg RSA -keysize 2048 -validity 10000

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore modified_targetapp.apk somealias

install it

adb install modified_targetapp.apk


If the app doesn’t crash ;-), you should be able to analyze the network traffic now. There are other methods available too. Take a look at Frida.
