SSL Pinning Bypass trick PT2 (Forcing APK Accept CA Certificate)

As discussed in Part 1, the app has implemented another trick to defeat the SSL pinning bypass. Before, it relied on the CA certificates present on the device, which we were able to bypass by putting our Burp Suite certificate in the CA directory. After the update, the old trick no longer worked. To understand the fix, I decompiled the APK again and checked "network_security_config.xml" in the "resources\res\xml" directory. Reviewing the XML file, I saw a new entry like:

<trust-anchors>
            <certificates src="@raw/myAPP"/>
</trust-anchors>

This means they have embedded their own certificate in the "\resources\res\raw" directory under the name "myAPP" and made it the only trust anchor: the application will not accept any certificate from the device's CA stores (system or user), only the myAPP certificate bundled in the APK. I made multiple attempts to bypass it, but every time I modified the APK and tried to install it I got an "APP NOT INSTALLED" error (a rebuilt APK will not install unless it is re-signed, which is what step 6 below takes care of).

After a lot of research I found a solution: modify the APK so that it trusts the system and user certificates as well.

The steps are simple:
1. Decompile the APK using apktool.
2. Open AndroidManifest.xml.
3. In the <application ...> element, set android:networkSecurityConfig="@xml/ssl_bypass". If the attribute is already present (it will be, since the app ships its own network_security_config.xml), change its value rather than adding a second copy; a duplicate attribute is not valid XML. e.g.

  <application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@mipmap/new_af_logo" android:name="com.example.app.MyApplication" android:allowBackup="false" android:supportsRtl="true" android:usesCleartextTraffic="true" android:networkSecurityConfig="@xml/ssl_bypass" android:appComponentFactory="android.support.v4.app.CoreComponentFactory">

4. Then go to the res\xml directory of the apktool output (jadx shows the same tree as resources\res\xml), create a file named ssl_bypass.xml with the content below and save it.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config xmlns:android="http://schemas.android.com/apk/res/android" xmlns:app="http://schemas.android.com/apk/res-auto" xmlns:aapt="http://schemas.android.com/aapt">
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="user"/>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
</network-security-config>

5. Once that is done, close all files and rebuild the APK with: apktool b <folder-name> -o <output-file.apk>

6. Finally, sign the new APK. See the "Sign the new APK" section of the HackTricks page Smali - Decompiling/[Modifying]/Compiling to learn how: https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting/smali-changes#sing-the-new-apk

7. Install the new application. With the user CA store trusted again, the Burp certificate is accepted and the SSL pinning is bypassed. Note that this only defeats pinning enforced through the network security config: pins implemented in code (for example a custom TrustManager or OkHttp's CertificatePinner) are not affected by this file and need to be patched separately.
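The whole manual procedure above, scripted as an added example (not the post's own code). It assumes apktool, apksigner (from the Android build-tools) and adb are on PATH, and that a signing keystore already exists at the hypothetical path $KEYSTORE with alias $KEY_ALIAS (create one with keytool). The manifest and config edits are in their own functions so they can be checked on a manifest fragment without an APK; patch_apk wires them together and names the output <app>-patched.apk.

```shell
#!/bin/sh
# Added example: automates the manual SSL-pinning bypass steps from the post.
# Assumptions (not from the original page): apktool, apksigner and adb on PATH,
# a keystore at $KEYSTORE with key alias $KEY_ALIAS.
set -eu

KEYSTORE="${KEYSTORE:-$HOME/debug.keystore}"   # hypothetical keystore path
KEY_ALIAS="${KEY_ALIAS:-androiddebugkey}"      # hypothetical key alias

# Step 4: write a network security config that trusts both the user-installed
# CA store (where the Burp certificate lives) and the system store.
write_ssl_bypass_config() {
    # $1 = path of the xml file to create
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<network-security-config xmlns:android="http://schemas.android.com/apk/res/android">
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="user"/>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
</network-security-config>
EOF
}

# Step 3: point <application> at @xml/ssl_bypass. If the manifest already has
# android:networkSecurityConfig (it does when the app ships its own config),
# replace the value; otherwise insert the attribute into the <application> tag.
patch_manifest() {
    # $1 = path of AndroidManifest.xml
    if grep -q 'android:networkSecurityConfig=' "$1"; then
        sed -i.bak 's#android:networkSecurityConfig="[^"]*"#android:networkSecurityConfig="@xml/ssl_bypass"#' "$1"
    else
        sed -i.bak 's#<application #<application android:networkSecurityConfig="@xml/ssl_bypass" #' "$1"
    fi
    rm -f "$1.bak"
}

# Check helper: print the config resource the manifest references.
manifest_nsc() {
    # $1 = path of AndroidManifest.xml
    sed -n 's/.*android:networkSecurityConfig="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Steps 1-7 end to end.
patch_apk() {
    # $1 = input apk
    apk="$1"
    work="${apk%.apk}-src"
    out="${apk%.apk}-patched.apk"
    apktool d -f "$apk" -o "$work"              # step 1
    mkdir -p "$work/res/xml"                    # apktool puts resources under res/
    write_ssl_bypass_config "$work/res/xml/ssl_bypass.xml"
    patch_manifest "$work/AndroidManifest.xml"
    [ "$(manifest_nsc "$work/AndroidManifest.xml")" = "@xml/ssl_bypass" ]
    apktool b "$work" -o "$out"                 # step 5
    apksigner sign --ks "$KEYSTORE" --ks-key-alias "$KEY_ALIAS" "$out"   # step 6
    adb install -r "$out"                       # step 7
}

if [ $# -gt 0 ]; then
    patch_apk "$1"
fi
```

Run it as `sh patch_pinning.sh example.apk`. The manifest check before the rebuild catches the case where the sed substitution did not match (for instance an <application> tag split across lines), which would otherwise produce an APK that still uses the app's own trust anchor.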

=========================
That was the manual process. If you don't want to do all of this by hand, the automated tool below performs every step for you. Make sure you have Node.js (14+) and Java (8+) installed, then open cmd and run:

npm install -g apk-mitm

Usage from cmd

Once installed, you can run this command to patch an app:

$ apk-mitm <path-to-apk>

So, if your APK file is called example.apk, you'd run:

$ apk-mitm example.apk

  ✔ Decoding APK file
  ✔ Modifying app manifest
  ✔ Replacing network security config
  ✔ Disabling certificate pinning
  ✔ Encoding patched APK file
  ✔ Signing patched APK file

   Done!  Patched APK: ./example-patched.apk
This gives you a second, patched APK; install it and the app will accept the proxy certificate.
