Hack Certificate Pinning of Android apps in 3 steps
When you need to enforce your mobile application's security, one of the most common techniques is certificate pinning.
If you don’t know what it is, it’s a way to prevent man-in-the-middle attacks by performing additional checks on the certificates involved in client-server communication.
It’s based on the idea that if the client already knows the fingerprint of the server’s certificate, no one can intercept the request and pose as the server.
A common Android HTTP library, OkHttp, lets you configure certificate pinning in a few lines of code:
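The configuration described here, as an added Kotlin example (not the post’s own snippet): an OkHttp CertificatePinner for github.com. The two pin values are placeholders that must be replaced with the real SHA-256 SubjectPublicKeyInfo hashes, the api.github.com entry is an assumption, and the helper that derives pins from a served certificate chain uses OkHttp’s own CertificatePinner.pin().

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import java.security.cert.Certificate
import javax.net.ssl.SSLPeerUnverifiedException

// PLACEHOLDER pins (32 zero bytes, base64): replace with the real
// "sha256/<base64 SPKI hash>" values of github.com's leaf or intermediate.
// Pin at least two keys (current + backup) so a certificate rotation on the
// server does not lock every installed client out of the API.
private const val GITHUB_PIN_PRIMARY = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
private const val GITHUB_PIN_BACKUP = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

// The pinner ties a host pattern to the set of accepted public-key hashes.
// Any TLS chain for these hosts that contains none of the pinned keys fails.
val pinner: CertificatePinner = CertificatePinner.Builder()
    .add("github.com", GITHUB_PIN_PRIMARY, GITHUB_PIN_BACKUP)
    .add("api.github.com", GITHUB_PIN_PRIMARY, GITHUB_PIN_BACKUP) // assumed host
    .build()

val client: OkHttpClient = OkHttpClient.Builder()
    .certificatePinner(pinner)
    .build()

// Returns the response body, or null when the pin check rejects the chain
// (which is what happens when an interception proxy's certificate is presented).
fun fetchGithubApi(url: String = "https://api.github.com/"): String? {
    val request = Request.Builder().url(url).build()
    return try {
        client.newCall(request).execute().use { response -> response.body?.string() }
    } catch (e: SSLPeerUnverifiedException) {
        // OkHttp's message lists the pins it actually saw; log it to detect
        // interception attempts or a server-side key rotation you missed.
        android.util.Log.w("Pinning", "Pin mismatch for $url: ${e.message}")
        null
    }
}

// Derives the "sha256/..." pin strings for a chain obtained out of band
// (e.g. from the server's handshake), so real values can replace the placeholders.
fun pinsFor(chain: List<Certificate>): List<String> =
    chain.map { CertificatePinner.pin(it) }
```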
With this in place, any call to the github.com API fails if the fingerprint doesn’t match.
This is not the only library that lets you do it, but what matters is the pairing of a domain with its certificate hash.
Is it a good practice? 💡
There are differing opinions about it. While many cybersecurity companies still suggest implementing it in your application, even producing security reports that flag the lack of certificate pinning, many entities and CAs discourage this practice. If you are curious about it, I suggest this article: https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning
Hack Certificate Pinning in 3+1 steps
If you want to hack your own application, you’ll need only a few tools:
- Android build-tools (if you’re an Android developer you already have them, 100% sure)
- Patience (if your app is not so small)
1. Decompile your apk
The first step is to decompile your APK using apktool:
$ apktool d app-release.apk
You’ll obtain a directory containing the decompiled sources and resources. The sources won’t be in Java/Kotlin but in smali. Now comes the boring part: finding the code that sets up certificate pinning. You can help yourself by searching for strings like “sha1/*” or “sha256/*”.
2. Remove pinning for the desired domain
Here you have many options, but remember where we started: we linked a specific fingerprint to a specific domain.
This means you can simply change the domain to another one (say *.fakedomain) or replace the fingerprint with the one of your proxy’s certificate.
I don’t suggest removing the pinning code itself, because I’m not comfortable working in smali, but you’re free to do it.
3. Build and sign your modified sources
Just execute the build command from apktool, then align and sign the result:
$ apktool b -o app-release-apktool.apk app-release
$ zipalign -v -p 4 app-release-apktool.apk app-release-zipalign.apk
$ apksigner sign --ks keystore.jks --out app-release-apksigner.apk app-release-zipalign.apk
$ apksigner verify app-release-apksigner.apk  # optional
+1. Configure your proxy tool
This is probably the most difficult part, because it changes depending on the tool you use and the Android version the sources were compiled for. I won’t go into details, but both Charles and Frida-tools have their own configurations and guides for it.
As you can see, almost anyone can remove your certificate pinning in less than 10 minutes. Are we still sure it is a good practice? Tell me in the comments 🙌