Bypass Android SSL Pinning

Check below link for the basic configuration of android device with burpsuite in order to capture the traffic.

Setup android device with Burpsuite

Table of Contents

1. How to verify does android app have SSL pinning
2. Bypass SSL pinning using
   2.1 Magisk Module
   2.2 Objection Tool
   2.3 Frida Script
   2.4 Xposed Framework
   2.5 apk-mitm
   2.6 Modifying the network_security_config.xml file
3. Intercepting Flutter Based Apps
4. Intercepting Proxy Unaware app

1. How to verify does android app have SSL pinning

If the pinning is implemented, then we won’t be able to capture the HTTPS traffic of our target android application.

In order to confirm, setup the proxy and run the application, then perform some activities that makes a communication between the target application and the server. Now, check the Burp’s dashboard, in specific the Log section.

If the Pinning is implemented, then we will be able to see a Certificate error as follows:

2. Bypass SSL pinning using:

2.1 Magisk Module

If the device is rooted, then Move Certificate module from the Magisk application is very useful.

This module will move the user trusted certificates to the system store, making the system(root) trust the Certificate which the user install(Burp CA certificate):

2.2 Objection Tool

Step 1: Run the frida server on android device.
Step 2: Attach the target application with the objection using following command:

Objection -g <package name/PID> explore

Then execute next command — “android sslpinning disable”

That’s it, the script will find the SSL pinning classes and hook them during the runtime in order to bypass the SSL pinning.

2.3 Frida Script

Step 1: Run the frida server on android device.
Step 2: Attach the target application with the frida and run the below bypass script:

frida -U -f <pkg name/PID> -l fridascript.js

2.4 Xposed Framework

If the device is rooted with Xposed framework, then try the following modules to bypass the SSL pinning.

Install the below modules and set the target application in scope so during the runtime, these modules will bypass the ssl pinning:

1. ac-pm/SSLUnpinning_Xposed: Android Xosed Module to bypass SSL certificate validation (Certificate Pinning). (github.com)
2. ViRb3/TrustMeAlready: 🔓 Disable SSL verification and pinning on Android, system-wide (github.com)

2.5 apk-mitm

apk-mitm is a CLI application that automatically prepares Android APK files for HTTPS inspection by modifying the APK files and repacking.

shroudedcode/apk-mitm: 🤖 A CLI application that automatically prepares Android APK files for HTTPS inspection (github.com)

Step 1: Install apk-mitm using npm.
Step 2: Run the application to patch as shown in the below image:

That’s it, apk-mitm has done its part. Now, we can install the patched APK and intercept the application traffic.

2.6 Modifying the network_security_config.xml file

The Network Security Configuration lets apps customize their network security settings through a declarative configuration file. The entire configuration is contained within this XML file, and no code changes are required.

The Network Security Configuration works in Android 7.0 or higher.

Step 1: Decompile the android application with apktool or any other decompilers. Now, locate the network_security_config.xml file under /res/xml

Step 2: The file may look like this if the app has pinned its own CA certificates:

Step 3: Remove that <pin-set>… </pin-set> tag section and add the following:

Step 4: Now, save the file and Re-pack the application using apktool and uber-apk-signer (Sign the modified APK).

That’s it, install our modified APK to capture traffic.

3. Intercepting Flutter Based Apps

The flutter based applications are basically Proxy unaware so the normal interception method will not work with these apps.

In order to capture the traffic we have to use reflutter framework.

This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking.

Step 1: Install the reflutter using pip.

Step 2: Follow the below commands as shown in the screenshot:

reflutter app.apk

Step 3: Sign the application using uber-apk-signer and Finally install the application:

Step 4: Now in Burp proxy, Start listening the port 8083 and also enable ‘Support Invisible Proxying’:

That’s it.. Capture the request and enjoy hacking.

4. Intercepting Proxy Unaware app with HTTP request using Hosts Go application

Sometimes the application is using HTTP only but still unable to Intercept.

Application with this behaviour, are basically called “Proxy Unaware” applications. Such applications route the traffic directly to the internet without cooperating with system wide Proxy settings.

Step 1: Download ‘Hosts Go’ application in device.

Step 2: In ‘Hosts Editor’, add system IP and application domain URL(which can be identified by running the Wireshark).

Step 3: Once the details are added, turn on the ‘Hosts change switch’ and click on ‘START’.

Step 4: Setup the burp proxy and request handling settings.

That’s it. Now the application’s HTTP traffic will be captured in the Burp suite.