Hack Certificate Pinning of Android apps in 3 steps

https://en.wikipedia.org/wiki/Man-in-the-middle_attack

When you need to harden your mobile application's security, one of the most common techniques is certificate pinning.

If you don't know what it is, it's a way to prevent Man-In-The-Middle attacks by performing additional checks on the certificates involved in client-server communication.
It's based on the idea that if you know the fingerprint of the server's certificate (or public key), no one can intercept your requests and impersonate the server.

A common Android HTTP library, OkHttp, lets you configure certificate pinning in a few lines of code by binding a domain to one or more certificate hashes.

With such a configuration, any call to the github.com API will fail if the fingerprint doesn't match.
This is not the only library that allows you to do it, but what matters is the pair: the domain and the related certificate hash.
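As an added example (not the author's original snippet, which is not reproduced in this copy of the post), this is what the binding between a domain and its certificate hashes looks like with OkHttp's CertificatePinner. The pin values are placeholders: the real ones are the base64-encoded SHA-256 hashes of the SubjectPublicKeyInfo of the keys in the chain you actually serve for that host, and the host names are just the ones used in the post.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import javax.net.ssl.SSLPeerUnverifiedException

// Added example, not code from the original post. The pin values are
// PLACEHOLDERS: replace them with the real "sha256/<base64>" hashes of the
// public keys in the chain served for api.github.com. Pinning at least two
// keys (current + backup) keeps a key rotation from locking out every
// installed client.
private const val PIN_PRIMARY = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" // placeholder
private const val PIN_BACKUP = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=" // placeholder

// The pinner maps a host pattern to the set of accepted public-key hashes.
// This domain + hash pairing is exactly what survives as string constants
// in the compiled APK, which is why the decompiled smali can be searched
// for "sha256/" to locate it.
val pinner: CertificatePinner = CertificatePinner.Builder()
    .add("api.github.com", PIN_PRIMARY, PIN_BACKUP)
    .add("*.github.com", PIN_PRIMARY) // wildcard host patterns are supported too
    .build()

val client: OkHttpClient = OkHttpClient.Builder()
    .certificatePinner(pinner)
    .build()

/** Returns the HTTP status code, or null when the pin check rejected the chain. */
fun fetchStatus(url: String): Int? {
    val request = Request.Builder().url(url).build()
    return try {
        client.newCall(request).execute().use { response -> response.code }
    } catch (e: SSLPeerUnverifiedException) {
        // OkHttp throws this when none of the public keys in the server's
        // chain match a configured pin for that host. The exception message
        // lists the hashes it actually saw, which is the documented way to
        // discover the values to pin while developing.
        println("Pin mismatch for $url: ${e.message}")
        null
    }
}

fun main() {
    println(fetchStatus("https://api.github.com/") ?: "blocked by certificate pinning")
}
```

Note that the check only runs after the normal TLS validation has succeeded; pinning narrows the set of accepted chains, it does not replace system trust. A mismatch surfaces as SSLPeerUnverifiedException, so the call site above treats it as a hard failure rather than falling back to an unpinned client.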

Is it a good practice? 💡

There are conflicting opinions about it. While many cybersecurity companies still suggest implementing it in your application, even producing security reports that mention the lack of certificate pinning, there are many entities and CAs that discourage this practice. If you are curious about it I suggest this article: https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning

Hack Certificate Pinning in 3+1 steps

If you want to hack your application, you’ll need only a few tools:

  • Android build-tools (if you're an Android developer you already have them, 100% sure)
  • ApkTool
  • Patience (if your app is not so small)

Procedure

1. Decompile your apk

The first step is to decompile your APK using apktool:

$ apktool d app-release.apk

You'll obtain a directory containing your decompiled src and res. Sources won't be in Java/Kotlin but in smali. Now comes the boring part: finding the source code that contains the certificate pinning configuration. You can help yourself by searching for strings like “sha1/*” or “sha256/*”, since the pins are stored as plain string constants.

2. Remove pinning for the desired domain

Here you have many options, but remember where we started: we bound a specific fingerprint to a specific domain.

This means you can just change the domain to another one (let's say *.fakedomain) or replace the fingerprint with the one of your proxy certificate.

I don't suggest removing the pinning code altogether, because I'm not comfortable working in smali, but you're free to do it.

3. Build and sign your modified sources

Just execute the build command from apktool, then align and sign the result:

$ apktool b -o app-release-apktool.apk app-release
$ zipalign -v -p 4 app-release-apktool.apk app-release-zipalign.apk
$ apksigner sign --ks keystore.jks --out app-release-apksigner.apk app-release-zipalign.apk
# optional
$ apksigner verify app-release-apksigner.apk

3+1. Intercept

There are plenty of proxies and tools for MITM. I can suggest:
https://www.charlesproxy.com/
https://frida.re/

This is probably the most difficult part, because it changes depending on the tool you use and the Android version the sources were compiled for. I won't go into details, but both Charles and Frida have their own configurations and guides for it.

Considerations

As you can see, almost anyone can remove your certificate pinning in less than 10 minutes. Are we still sure it is a good practice? Tell me in the comments 🙌

Giuseppe Giacoppo
Software Engineer, Android enthusiast. https://www.linkedin.com/in/giuseppegiacoppo/