SSL UNPINNING USING XPOSED MODULE


Why SSL pinning?

SSL pinning is where the app ignores the device's normal CA trust store and instead says "trust this certificate only", or perhaps "trust only certificates which are signed by this CA".
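The following is an added example (not code from the original post) of what the pinning just described looks like inside an Android app, using OkHttp's CertificatePinner. The host name and the two pin values are placeholders I made up; a real pin is the base64-encoded SHA-256 of the server's SubjectPublicKeyInfo. It shows what a runtime hook such as the SSLUnpinning module has to neutralise: the check runs in the app's own process, so a proxy certificate the OS trusts still fails the pin unless the check is patched out.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class PinnedClient {
    // Hypothetical host and pins (placeholders, not real values).
    // Pin two keys: the current leaf/intermediate key and a backup key held
    // offline, so a key rotation does not lock every installed client out.
    static final String HOST = "api.example.com";
    static final String PIN_PRIMARY =
        "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP =
        "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    // Build a client that, in addition to normal chain validation against the
    // trust store, requires one of the pinned public keys in the chain.
    static OkHttpClient buildClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
            .add(HOST, PIN_PRIMARY)
            .add(HOST, PIN_BACKUP)
            .build();
        return new OkHttpClient.Builder()
            .certificatePinner(pinner)
            .build();
    }

    // Perform a request. A chain that the OS trusts but that carries none of
    // the pinned keys (for example an interception proxy's certificate) is
    // rejected with SSLPeerUnverifiedException before any bytes are sent.
    static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // Log and fail closed; do not fall back to an unpinned client.
            System.err.println("Pin mismatch for " + HOST + ": " + e.getMessage());
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(fetch(buildClient(), "https://" + HOST + "/health"));
    }
}
```

The pinner only guards connections that go through this OkHttpClient, and because the comparison happens in app code it can be hooked at runtime, which is what the rest of this post does. Apps whose check is written by hand rather than delegated to a library are the case the list above files under "Reversing Custom Certificate Validation Code".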

Ways to bypass Android SSL certificate pinning

  1. Adding a Custom CA to the User Certificate Store
  2. Overwrite Packaged CA Certificate with Custom CA Certificate
  3. Frida Hook
  4. Reversing Custom Certificate Validation Code

Method used

The Xposed framework is similar to technique 3, the Frida framework: both methods allow tampering with an application's code at runtime. The Xposed framework requires root privileges, whereas Frida provides its full suite of functionality without rooting the device.

The device used here is a Nexus 6P. The hardware information about this device shown below is needed when choosing and installing the Xposed framework build.

(screenshot: hardware info)

Root

The Android version is Oreo 8.0. I used Magisk to root the device; rooting it with the latest SuperSU version leads to a bootloop on this version of this device.

Choose SuperSU or Magisk based on the intended usage. SuperSU modifies system files and adds new files to the system partition of the phone, whereas Magisk is called a "systemless" root because it does not touch any of those system files.

(screenshot: root info)

Xposed Framework Installation

Install the Xposed framework build that matches the device's Android version (SDK 26) and instruction set (arm64).

(screenshot: Xposed SDK selection)
(screenshot: Xposed arm64 build)
(screenshot: Xposed version)

I prefer manual flashing using recovery mode.

Install the Xposed Installer APK (version 3.1) and grant it root privileges through Magisk.

(screenshot: Xposed root grant in Magisk)
(screenshot: Xposed Installer APK)

SSLUnpinning 2.0 module

Now the SSLUnpinning 2.0 module can be installed from within the Xposed framework.

(screenshot: SSLUnpinning module install)

Soft reboot to activate the module. The list of installed apps can then be seen in the SSLUnpinning application; choose the target application and unpin it.

(screenshot: app list in SSLUnpinning)

Configuring BurpSuite

Now, for the MITM, configure Burp Suite's proxy listener to bind to the PC's own IP address and a port number such as 8082. Connect the target Android phone to the same network and set its manual proxy to the Burp PC's IP and that port, as shown below.

(screenshot: Android network proxy settings)

Now open the target app: it establishes its connections through the proxy, and the HTTPS traffic can be captured in Burp.

Reference

https://blog.netspi.com/four-ways-bypass-android-ssl-verification-certificate-pinning/

Author: Mukhilan
Reprint policy: Unless otherwise stated, all articles in this blog are licensed under CC BY 4.0. If reproduced, please credit Mukhilan as the source.