8 Different Ways to Bypass SSL Pinning in iOS Applications

ssl pinning bypass

What is SSL Pinning?

SSL Pinning is a technique that we use on the client side to avoid a man-in-the-middle attack by validating the server certificates. The developers embed (or pin) a list of trustful certificates to the client application during development, and use them to compare against the server certificates during runtime.

If there is a mismatch between the server and the local copy of certificates, the connection will simply be disrupted, and no further user data will be even sent to that server. This enforcement ensures that the user devices are communicating only to the dedicated trustful servers.

SSL Pinning prevents a man-in-the-middle attack, which means an attacker can not intercept the traffic and modify the data. If an attacker can not intercept the traffic then the application automatically prevents many server-side vulnerabilities. Because an attacker can not perform API-level test cases. That’s why implementing SSL is very important. 

Basic Approach For bypassing SSL Pinning Bypass

The basic approach for bypassing SSL pinning bypass is to analyze the binary of the application to determine the language it was written in. Then go for a language-specific way to bypass the SSL pinning of that iOS application. For example, if an application builds using flutter or Xamrian then we will use the Hotspot method.  

Different Ways of SSL Bypass

1) Hotspot method (Flutter & Xamarin Application)

Flutter & Xamarin application does not respect system proxy, which means that if you set a proxy in your iPhone and try to capture the traffic the application will throw an error or will not be able to capture the traffic. This is why the hotspot approach is used to perform API-level penetration testing of these types of applications. 

Before starting, first Identify whether the application is built in Flutter or Xamarin

a) Unzip the IPA file:
unzip test.ipa
b) Go To the “Framework” directory  or use the grep command and search for flutter
cd Payloads/test.app/framework

ios ssl pinning bypass

Requirements:

  • One mobile device(Android/iOS) to share the internet via Bluetooth tethering.
  • Jailbroken/Non-Jailbroken iOS device
  • MacBook

Steps to capture traffic via Hotspot Method 

 

A) Share the internet connection via Bluetooth tethering  

Turn on mobile data = > turn on mobile Bluetooth => connect to the MacBook => turn on Bluetooth tethering from setting in mobile device

(Try to browse some data in MacBook to confirm that Bluetooth tethering is done properly)

B) Share internet connection from MacBook to iPhone

a) In MacBook navigate to System preferences => sharing => internet sharing =>  share your connection from => bluetooth PAN => To computer using => wifi 

Share internet connection from MacBook to iPhone

b) In iPhone navigate to Wifi => connect to the Macbook’s wifi 

ssl certificate for iphone

(Try to browse some data in iPhone  to confirm that this is done properly)

C) Forward the iPhone traffic to the burp suite

Create the Pf.rules file with the following data

rdr pass on bridge100 inet proto tcp from any to any -> 127.0.0.1 port 8080

Run the below two command 

sudo pfctl -f pf.rules 

IOS bypass

sudo sysctl -w net.inet.ip.forwarding=1

sysctl -w net.inet.ip.forwarding=1

D) Turn on the invisible proxy option in the burp suite

Open burp suite => proxy => Options => edit => Request handling => turn on support invisible peroxy 

invisible proxy option

 

Request handling

 

E) Start browsing the application from the iPhone and observe that the traffic will be captured in the burp suite

 

Related Blog: Everything You Need to Know about iOS Jailbreak Detection Bypass

 

2) SSL Pinning Bypass via Replacing Hard-Coded Certificate

Some applications use a hardcoded certificate for implementing SSL pinning in the iOS application. The application will check if the certificate is matched or not and then only sends the traffic to the server.

So, we'll replace the hardcoded certificate in the iOS application with our burp suite certificate and reinstall the app, and we'll be able to bypass the pinning.

Let’s see how to replace the hardcoded certificate.

A) Unzip the IPA file with the following command.

unzip test.IPA

android ssl pinning bypass

B) Go to the binary

cd /Payload/test.appcd /Payload/test.app


C) Search for hardcoded certificate via the following command

find . | grep .cer

hardcoded certificate

Note * certificates can be different types also like .pem, .cert etc. 

D) Replace All the hardcoded certificates with your burp suite certificate

cp ~/Path_of_Your_burp_certificate  ./Full_Path_Of_Hardcoded_Certificateburp suite certificate

E) Recompile the application and install the application via Cydia impactor


  • Compress the Payload folder with a .zip file extension.
  • Rename the above-compressed zip file to .IPA file extension.
  • Now install the application via Cydia impactor (it will resign and install the application in the iPhone)

F) Start browsing the application from the iPhone and observe that the traffic will be captured in the burp suite.

 

3) SSL Pinning Bypass Via Replacing Hard-Coded Sha 256 Hash 

Some applications use a hardcoded hash of certificates for implementing SSL pinning in the iOS application. Most of the applications which are built-in Cordova use this technique for implementing SSL pinning. 
So, we can simply replace the hardcoded certificate hash value in the iOS application with our burp suite certificate hash and reinstall the application.
Let’s see how to replace the hardcoded certificate’s hash value.

A) Unzip the IPA file with the following command.

unzip test.IPA

B) Go to the following location and look for the hardcoded hash, it might be at a different location also, in my case it was there 

cd /Payload/test.app/www/pinning/pinning.jsonburp ios certificate

C) Generate your burp suite certificate hash via the following command 

openssl x509 -inform DER -in cacert.cer -out cacert.crtopenssl x509

openssl x509 -in cacert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64openssl enc -base64

D) Replace our hash value with application hash via any editor.

 

E) Recompile the application and install the application via Cydia impactor

  • Compress the Payload folder with a .zip file extension.
  • Rename the above-compressed zip file to .IPA file extension.
  • Now install the application via Cydia impactor (it will resign and install the application in the iPhone)

F) Start browsing the application from the iPhone and observe that the traffic will be captured in the burp suite.

 

4) SSL Pinning Bypass via SSL Kill Switch2 

 

A) Installing SSL Kill Switch 

  • Download SSLLillSwitch deb file:
    (https://github.com/nabla-c0d3/ssl-kill-switch2/releases

  • Copy the deb file to your iPhone via the following command and enter the default password “alpine”.
    scp /Path_Of_Downloaded_deb_file root@your_iphon_ip:/private (Folder where you want to copy the package)

  • Download Debian Package and Cydia SubstratePreferenceLoader
    Download this from Cydia, hopefully, it has already been installed 

  • Take ssh connection and enter default password “alpine”
    ssh root@iphone_ip

  • Enter the following command to install the SSL kill Debian package or install it from filza
    dpkg -i ssl.deb 

B) Go to settings & look for the SSL kill switch application.

 

SSL kill switch

C) Click on Disable SSL Certificate and SSL pinning of all the applications will be bypassed. 


SSL kill switch 2

 

D) Start browsing the application from the iPhone and observe that the traffic will be captured in the burp suite.

 

5) Bypassing SSL Pinning via MITM 

Some applications traffic can not be captured via burp suite directly in such cases MITM comes into the picture. Instead of capturing the traffic via burp suite, we can use MITM to capture traffic and then send it to the burp suite using MITM. 

 You can also use MITM with the objection, Frida script, etc. It works many times, in one of my projects I tried a lot to bypass SSL pinning but nothing worked. Then at the end with one Frida script and MITM, I was able to capture the traffic. 

i) Install mitmproxy via the following command in MacBook
brew install mitmproxy

ii) Download the MITM certificate in the iPhone
a) Connect the iPhone and Macbook via USB and Enter the below command
mitmproxy

mitmproxy in ssl

 

b) Enter the below command in the iPhone browser 
Mitm.it (Download the iOS certificate)

(Download the iOS certificate)

 

iii) Install the MITM certificate on the iPhone

In iPhone navigate to Setting  => Install Profile => Setting =>  Trust certificates => Certificate Trust Settings => Enable mitmproxy

iv) Enter the below command to start the mitmproxy in the Browser.

mitmweb  (mitm get open in the browser automatically) 

mitmweb

v) Setup MITMProxy for forwarding traffic from the MITM to the burp suite.
a) Enter the below command

mitmweb

b) Go to the option and click on “Edit Options”  and click on “set this configuration”set this configuration

c) Search for mode and add the following line there 

upstream:http://127.0.0.1:8888

 

bypass ssl

d) Search for ssl_insecure and enable it

 

        ssl_insecure

 

e) Set upstream proxy in burp suite.

Set the IP address and port no in the burp suite which you have set for the upstream in mode option.

f) Start browsing the application from the iPhone and observe that the traffic will be                   captured in the burp suite.

 

6) SSL Pinning Bypass via Objection

a) Install Frida Server:

From iPhone open Cydia => Source => Edit => Add => https://build.frida.re => search =>frida =>Install

By default the Frida server is running up on the iPhone, you don’t need to start a Frida server every time. 

b) Install objection in MacBook

sudo pip3 install objection

Note* While using objection make sure the application is opened in the device, otherwise objection wouldn’t work.

c) Enter the below command to connect the application to the objection and explore the application.

objection --gadget package_name explore

bypass ssl pinning jailbreak

 

d) Run the below command to bypass SSL pinning

ios sslpinning disable

 

ios sslpinning disable

 

e) Start browsing the application from the iPhone and observe that the traffic will be captured in the burp suite.

 

7) SSL Pinning bypass via Frida

i) Enter the below command to bypass SSL pinning

frida -U -f package_name -l ssl.js --no-pause

U => To use a connected USB device as a target 

F =>  To indicates the package name

L =>  To load the script

ssl.js =>

(Download the script from codeshare according to your iOS version)

--no-pause => To force the Frida to “not to pause” app execution after injecting the script. 

ii) Start browsing the application from the iPhone and observe that the traffic will be captured in the burp suite.

 

8) SSL Pinning Bypass via Info.Plist modification

Some applications define the pinning rules in the Info.Plist file and set the boolean value. We can modify these boolean values from true to false and bypass the SSL pinning. 

i) Go to the binary of the IPA file and open Info.plist file.

ii) Data is present and key-value pair and now search for the keywords like <key>TSKEnforcePinning</key>,<key>NSRequiresCertificateTransparency</key> etc. 

iii) Change the value of these from true to false and reinstall the application. 

iv) Start browsing the application from the iPhone and observe that the traffic will be captured in the burp suite.

 

Conclusion 

The amount of private and sensitive information that is handled by mobile apps these days makes them a lucrative target of threat actors. In the case of iOS applications, attackers would generally begin with bypassing the SSL/TLS protection layer and gain more information about the functionality and the structure of the apps. That is why in-depth penetration testing becomes a must and knowing the several techniques used by attackers to bypass SSL pinning can be a very proactive start in this direction. 

Based on the gained insights, you can always add additional security measures to your app and stay ahead of the attackers. 

iOS iPhone SSL Jailbreak SSL Pinning

Published on Oct 14, 2021
Vaishali Nagori
Written by Vaishali Nagori
Vaishali is a Penetration Tester, as well as a Dancer and a Learner. She works as security consultant. She has worked with Web Applications, APIs, Android, and iOS Penetration Testing. She has secured over 70 applications from a variety of industries, including e-commerce, banking, management, gaming, trading, government, tax management, and financial services. She enjoys dancing and interacting with new people. You can find her on Linkedin: http://www.linkedin.com/in/vaishali-nagori

Similar Blogs

Everything You Need to Know about iOS Jailbreak Detection Bypass
Sep 3, 2021

Everything You Need to Know about iOS Jailbreak Detection Bypass

iOS has always been considered a safe haven when it comes to mobile application security. Every year this operating ...

View Blog
Mobile Payments and How it Leads to Payment Bypass
Dec 19, 2017

Mobile Payments and How it Leads to Payment Bypass

Do you know, when was the first time mobile was used to make a payment? In 1997, Coca-Cola introduces SMS purchasing, ...

View Blog
Bypassing the android permission model
May 28, 2019

Bypassing The Android Permission Model

Android Permission Mystery Android permissions are based on UNIX permission model, but the catch here is there exists ...

View Blog

Questions?

Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now

Appknox is the worlds most powerful plug and play security platform which helps Developers, Security Researchers and Enterprises to build a safe and secure mobile ecosystem using a system plus human approach to outsmart smartest hackers.

Subscribe to our newsletter
Get Started
Product
Vulnerability Assessment Tools
Penetration Testing Tools
Resources
Compare
We are loved! Our reviews say it all!

Copyright © 2023 Appknox, Xysec Labs