[null] SSL Pinning implemented or not ?


Hemang Sandhu

Nov 26, 2016, 1:35:00 AM
to null
Hi,

Is there any document or steps to confirm whether an Android mobile application has SSL pinning or not?

Things I know:
  • CASE 1: If you are able to intercept only the first request and not the others, then you can say there is SSL pinning in the .apk.
  • CASE 2: If the code is not obfuscated, then check for "X509TrustManager" OR "checkClientTrusted" OR "checkServerTrusted" ==> In this case I have many times observed that I am able to find the above keywords in the code even though there is no SSL pinning.
[Not sure whether I am correct in the above two cases or not]

So how do I verify or confirm whether an application has SSL pinning or not, and are my above two cases correct?

Regards,
Hemang



Chetan Gulhane

Nov 28, 2016, 2:40:43 PM
to null-...@googlegroups.com
Hi Hemang,

Certificate Pinning is a client-side security measure that can be
bypassed by manipulating the application or its environment.

Applications can be disassembled to remove or manipulate the
certificate pinning logic. It may also be possible to switch the
certificate embedded within the application with another.

Some tools exist for different mobile platforms which can
automatically disable certificate pinning.

For iOS Applications

Both of the following tools need jailbroken / rooted devices as they
manipulate the application or device during runtime to disable
Certificate Pinning.

iOS SSL Kill Switch patches low-level SSL functions within the Secure
Transport API - https://github.com/iSECPartners/ios-ssl-kill-switch

iOS TrustMe disables SecTrustEvaluate -
https://github.com/intrepidusgroup/trustme

For Android Applications

Android-SSL-TrustKiller hooks various runtime methods to bypass
certificate pinning -
https://github.com/iSECPartners/Android-SSL-TrustKiller

android-ssl-bypass uses a JDWP debugger using the JDI APIs -
https://github.com/iSECPartners/android-ssl-bypass

Regards,
Chetan G.




Hemang Sandhu

Nov 28, 2016, 7:31:43 PM
to null
Dear Sir,

Thank you for the revert and helpful information. This will surely help me a lot.

But I have a concern regarding how I shall confirm whether there is SSL pinning in the application or not (when not able to intercept the traffic).

Regards,
Hemang.

Chetan Gulhane

Nov 29, 2016, 2:13:59 AM
to null-...@googlegroups.com
Hi Hemang,

In an application with SSL pinning implemented, the user is not able to capture the request, and the application will not render the next page. In this way you will come to know that the application uses SSL pinning.

Best Regards

Chetan G.

m: (+91) 996 078 0908

Rajesh sharma

Nov 29, 2016, 11:11:14 AM
to null-...@googlegroups.com, hemang...@gmail.com
Hi Hemang,


There is a simple way to detect SSL pinning if an application is pinned with a certificate. I hope you have heard about the MobSF security framework.
What you need to do is just scan your application with MobSF, and then a static analysis report will appear.

On the left-hand side of the report a menu bar is shown; go to the Security Analysis tab.
Under the 'Security Analysis' tab, click on File Analysis.

If you find the "Certificate/Key Files Hard-coded inside the App" or "Hardcoded Keystore Found" keywords there, it means the application has SSL pinning.

Key files and .bks files are prerequisite components for having SSL pinning implemented in an Android application. If you don't find these files, it means the application doesn't have SSL pinning (https://github.com/ikust/hello-pinnedcerts).

See the screenshots for reference.

[Screenshot 1] The scanned application below has SSL pinning, as .bks and .key files are observed.

[Screenshot 2] The scanned application below doesn't have SSL pinning, as no .bks and .key files are observed.

This is my approach to identifying SSL pinning if Case 1 and Case 2 don't work.

Let me know if you need more assistance on this.



Thanks & Regards
Rajesh Kumar

Taher Barodawala

Nov 30, 2016, 8:46:41 AM
to null
Case 2 is a good way to identify whether cert pinning is implemented or not. Basically, what you should be looking for is a class derived from X509TrustManager that overrides checkServerTrusted(). Your observation might be because there are no actual checks implemented in checkServerTrusted().

A lot of developers who implement SSL pinning nowadays use the technique by Moxie Marlinspike, https://github.com/moxie0/AndroidPinning, which basically pins the SPKI of the server's CA. So grepping for PinningHelper, PinningTrustManager and PinningSSLSocketFactory will also help to focus your search.
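An added example (not from anyone in this thread) that turns Rajesh's MobSF file check and Taher's refinement of Case 2 into a small static heuristic: it lists bundled certificate/keystore files in an APK and, for decompiled source, distinguishes an X509TrustManager whose checkServerTrusted() is empty from one that can actually reject a chain. The Java sources and the APK zip are constructed samples; the pin value and spkiHash() are placeholders.

```python
import io
import re
import zipfile
# Constructed decompiled-source samples: a no-op TrustManager, the kind that makes a bare grep
# for X509TrustManager a false positive, and one whose override can actually reject a chain.
NOOP_SRC = """
public class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
}
"""
PINNED_SRC = """
public class PinningTrustManager implements X509TrustManager {
    private static final String PIN = "sha256/PLACEHOLDER_SPKI_HASH";
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (!PIN.equals(spkiHash(chain[0]))) throw new CertificateException("pin mismatch");
    }
}
"""

def method_body(src, name):
    # Brace-matched body of the first method called `name`, or None if absent.
    m = re.search(r"\b%s\s*\([^)]*\)[^{;]*\{" % re.escape(name), src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += (src[i] == "{") - (src[i] == "}")
        i += 1
    return src[m.end():i - 1]

def classify_trust_manager(src):
    # Case 2 refined: the keyword alone proves nothing; the override body decides.
    if "X509TrustManager" not in src:
        return "no-trust-manager"
    body = method_body(src, "checkServerTrusted")
    if body is None or not body.strip():
        return "no-op"  # accepts any chain: weaker than default validation, not pinning
    return "validates" if re.search(r"\bthrow\b", body) else "unknown"

# File indicators as MobSF's File Analysis lists them; any bundled cert or keystore counts,
# not only .bks/.key (an app pinned against a .cer/.crt shows just those, as later in the thread).
CERT_EXTS = (".bks", ".jks", ".p12", ".key", ".cer", ".crt", ".pem", ".der")
def bundled_cert_files(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sorted(n for n in z.namelist() if n.lower().endswith(CERT_EXTS))

def build_sample_apk():  # constructed minimal APK-like zip with one certificate placeholder
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/raw/server.crt", "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n")
    return buf.getvalue()
```

A "validates" result only says the override can reject a chain; read its body to confirm it compares against a pin rather than merely re-running default validation.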

Hemang Sandhu

Dec 1, 2016, 7:59:29 AM
to Rajesh sharma, null-...@googlegroups.com
Dear Rajesh Sir,

Thank you so much, this is just an amazing and easy way to do it.

I will try and if I have any queries then I will share with you. Again thanks for the screenshot and all in detail steps :-)

Hemang Sandhu

Dec 10, 2016, 12:15:06 PM
to Rajesh sharma, tah...@gmail.com, null-...@googlegroups.com
Dear Rajesh Sir,

I was checking one .apk file provided to me by a client; they told me that it has SSL pinning implemented. I have verified the same, as I was not able to intercept the request.

As guided by you I have started using the MobSF security framework, and I must say it's just amazing for static code analysis :)
While using it I noted that under the 'Security Analysis' tab ==> File Analysis, I cannot find .bks and .key files but can only see .cer and .crt files.
Below is the screenshot for the same.

[Screenshot: MobSF File Analysis showing only .cer and .crt files]

So do we need to check something else as well? The current .apk is a pinned one, but in MobSF it is only showing me .crt and .cer.

Quick help much appreciated.


