Unmasking Communication Between an Android App and its Server(SSL PINNING BYPASS)


Brian Ndung'u Njenga

Have you ever been curious about the data an app sends from your phone to its server? You are in the right place: we are going to detail the steps involved in bypassing the protection developers set up to keep you from reading that data (SSL pinning).

DISCLAIMER: ANY MALICIOUS USE OF THE CONTENTS FROM THIS ARTICLE WILL NOT HOLD THE AUTHOR RESPONSIBLE, THE CONTENTS ARE SOLELY FOR EDUCATIONAL PURPOSES.

First, you need a rooted device or an Android emulator. In this article we are not going to go through the process of creating an emulator or rooting your Android device; that information can be found on the internet.

You’ll also need to know some Linux commands to be able to follow along later in the article.

First, install your app in the emulator (it needs to be running). You can install adb from here, then run the following command (I am using Kali Linux):

adb install -r ***app name goes here (app.apk)***

Open the app and confirm everything is okay (you can even log into your account or create one). Then we are going to set up Burp on your machine. Burp will help us intercept requests and responses between the app and its server. You can download it from here.

Once Burp is running, we need to install its CA certificate on your device. First configure Burp to work with your device; you can follow this walkthrough. Then download the certificate; to do that, follow this walkthrough up to the point where you rename it. Apps on newer versions of Android (7+) do not trust user-supplied certificates by default, so we are going to use Frida. Copy the renamed Burp certificate to the following directory:

/data/local/tmp/

At this point, make sure you have an emulator running and have completed the configuration required to work with Burp.

Next we are going to set up Frida. Frida is a dynamic code instrumentation toolkit: it lets you inject your own code into Android apps. To set up Frida we need to download the frida-server build that matches your device's CPU architecture (the release file names end in the architecture, e.g. android-arm64 or android-x86_64). To find out which architecture your device uses, run the following command:

adb shell getprop ro.product.cpu.abi

Extract frida-server-*.xz (for example with unxz) and rename the resulting binary to frida-server, then open a terminal and run the following commands to push frida-server to your device and start it:

adb root
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"

To test whether this works, run the following command on your machine:

frida-ps -U

You should see the processes running on your device listed, as shown below:

Copy this code and save it to a file named frida-script.js. Then run the following command, where the process name is the app's package name (the same name frida-ps -U shows for the app):

frida -U -f ***process name goes here*** -l frida-script.js --no-pause

You should now be able to intercept the communication between the client and the server in Burp.

From here you will be able to analyze the information the app exchanges with its server and with any third-party services.
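Seen from the other side, the setup above leaves visible traces on the device: a frida-server binary running from /data/local/tmp, a TCP listener on frida-server's default port, and a CA certificate added to the user store. The script below is an added example (not part of the original article) that shows how a defender or an app's own tamper checks would flag those indicators. It takes text captured from a test device (the output of `adb shell ps -A`, `adb shell netstat -tln`, and a listing of the user CA directory) and reports what it finds. The function names are mine, the default port 27042 and the user-CA directory /data/misc/user/0/cacerts-added are the stock Android/Frida values, and all sample output is constructed.

```python
"""Device triage for the instrumentation artefacts described in the article.

Added example, not from the original article. It scans text captured from a
test device and flags: a frida-server process, a listener on frida-server's
default port, and a user-installed CA certificate (e.g. the renamed Burp CA).
All sample output at the bottom is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FRIDA_DEFAULT_PORT = 27042                          # frida-server's default TCP port
USER_CA_DIR = "/data/misc/user/0/cacerts-added"     # Android's user-added CA store


@dataclass(frozen=True)
class Finding:
    indicator: str
    evidence: str


def scan_process_list(ps_output: str) -> list[Finding]:
    """Flag any process whose line mentions frida-server (`adb shell ps -A`)."""
    return [Finding("frida-server process", line.strip())
            for line in ps_output.splitlines() if "frida-server" in line]


def scan_listeners(netstat_output: str) -> list[Finding]:
    """Flag TCP sockets in LISTEN state bound to frida's default port (`netstat -tln`)."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue  # header line, non-TCP rows, established connections
        # Local address is host:port; rsplit also copes with IPv6 forms like :::27042
        port = int(fields[3].rsplit(":", 1)[1])
        if port == FRIDA_DEFAULT_PORT:
            findings.append(Finding("listener on frida default port", line.strip()))
    return findings


def scan_user_certs(ls_output: str) -> list[Finding]:
    """Flag files named like OpenSSL subject-hash certificates (<8 hex digits>.<n>)."""
    return [Finding("user-installed CA certificate", f"{USER_CA_DIR}/{name}")
            for name in ls_output.split()
            if re.fullmatch(r"[0-9a-f]{8}\.\d+", name)]


def triage(ps_output: str, netstat_output: str, ls_output: str) -> list[Finding]:
    """Run all three scans and return the combined findings."""
    return (scan_process_list(ps_output)
            + scan_listeners(netstat_output)
            + scan_user_certs(ls_output))


# Constructed sample output, shaped like the real commands' output.
SAMPLE_PS = """\
USER   PID  PPID  VSZ   RSS WCHAN ADDR S NAME
root     1     0 10000 2000 0      0 S init
root  4321     1 90000 9000 0      0 S /data/local/tmp/frida-server
u0_a12 4567  302 1800000 90000 0   0 S com.example.app
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27042           0.0.0.0:*               LISTEN
"""
SAMPLE_CERTS = "9a5ba575.0\n"   # constructed: a subject-hash-named CA file in the user store


if __name__ == "__main__":
    for f in triage(SAMPLE_PS, SAMPLE_NETSTAT, SAMPLE_CERTS):
        print(f"[!] {f.indicator}: {f.evidence}")
```

Each of these indicators is trivial to change (frida-server accepts a different listening port and can be renamed), so the script is a triage aid rather than a guarantee; the durable defence is pinning the server's key via the app's Network Security Config so that a user-added CA is never trusted in the first place, which is exactly why the article has to fall back on instrumenting the app.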
