8 Different Ways to Bypass SSL Pinning in iOS application

What is SSL Pinning?

SSL Pinning is a technique used on the client side to prevent man-in-the-middle attacks by validating the server's certificates. Developers embed (or "pin") a list of trusted certificates in the client application during development and, at runtime, compare them against the certificates the server presents.

If the server's certificate does not match the local copy, the connection is simply terminated and no further user data is sent to that server. This enforcement ensures that user devices communicate only with the intended, trusted servers.

SSL Pinning prevents a man-in-the-middle attack: an attacker cannot intercept the traffic and modify the data. Because the attacker cannot intercept the traffic, they also cannot perform API-level test cases, so the application indirectly shields many server-side vulnerabilities from discovery. That is why implementing SSL Pinning is very important.

Basic Approach for Bypassing SSL Pinning

The basic approach for bypassing SSL pinning is to analyze the application binary to determine the framework or language it was written in, and then use the bypass technique specific to that framework. For example, if an application is built with Flutter or Xamarin, we use the Hotspot method.

Different Ways To Bypass SSL Pinning

1) Hotspot method (Flutter & Xamarin Application)

Flutter and Xamarin applications do not respect the system proxy. If you set a proxy on your iPhone and try to capture the traffic, the application will either throw an error or its traffic will simply not be captured. This is why the hotspot approach is used to perform API-level penetration testing of these types of applications.

Before starting, first identify whether the application is built with Flutter or Xamarin:

a) Unzip the IPA file:
unzip test.ipa
b) Go to the "Frameworks" directory (or use grep on the bundle and search for "flutter"):
cd Payload/test.app/Frameworks

Requirements:

  • One mobile device (Android/iOS) to share the internet via Bluetooth tethering.
  • Jailbroken or non-jailbroken iOS device
  • MacBook

Steps to capture traffic via the Hotspot method

A) Share the internet connection via Bluetooth tethering

Turn on mobile data => turn on Bluetooth on the mobile device => pair it with the MacBook => turn on Bluetooth tethering from the mobile device's settings

(Try browsing from the MacBook to confirm that Bluetooth tethering is working properly)

B) Share the internet connection from the MacBook to the iPhone

a) On the MacBook, navigate to System Preferences => Sharing => Internet Sharing => Share your connection from: Bluetooth PAN => To computers using: Wi-Fi

b) On the iPhone, navigate to Wi-Fi => connect to the MacBook's Wi-Fi network

(Try browsing from the iPhone to confirm that this is working properly)

C) Forward the iPhone traffic to Burp Suite

Create a pf.rules file with the following content:

rdr pass on bridge100 inet proto tcp from any to any -> 127.0.0.1 port 8080

Run the following two commands:

sudo pfctl -f pf.rules

sudo sysctl -w net.inet.ip.forwarding=1

D) Turn on the invisible proxy option in Burp Suite

Open Burp Suite => Proxy => Options => select the listener => Edit => Request handling => enable "Support invisible proxying"

E) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite

2) SSL Pinning Bypass via Replacing Hard-Coded Certificate

Some applications implement SSL pinning with a certificate hardcoded into the iOS application bundle. The application checks whether the server certificate matches the bundled one and only then sends traffic to the server.

So we replace the hardcoded certificate in the application bundle with our Burp Suite certificate and reinstall the app; the pinning check then accepts our proxy and the pinning is bypassed.

Let’s see how to replace the hardcoded certificate.

A) Unzip the IPA file with the following command.

unzip test.IPA

B) Go to the application bundle

cd Payload/test.app

C) Search for hardcoded certificates with the following command

find . | grep "\.cer"

Note: certificates can be in other formats as well, such as .pem or .cert.

D) Replace all the hardcoded certificates with your Burp Suite certificate

cp ~/Path_of_Your_burp_certificate ./Full_Path_Of_Hardcoded_Certificate

E) Recompile the application and install it via Cydia Impactor

  • Compress the Payload folder into a file with the .zip extension.
  • Rename the compressed file to the .IPA extension.
  • Install the application via Cydia Impactor (it resigns and installs the application on the iPhone).

F) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.

3) SSL Pinning Bypass via Replacing a Hard-Coded SHA-256 Hash

Some applications implement SSL pinning with a hardcoded hash of the certificate (or its public key) rather than the certificate itself. Most applications built with Cordova use this technique.
So we can simply replace the hardcoded hash value in the iOS application with the hash of our Burp Suite certificate and reinstall the application.
Let's see how to replace the hardcoded certificate hash.

A) Unzip the IPA file with the following command.

unzip test.IPA

B) Go to the following location and look for the hardcoded hash. It might be at a different location in other apps; in my case it was here:

cat Payload/test.app/www/pinning/pinning.json

C) Generate the hash of your Burp Suite certificate with the following commands

openssl x509 -inform DER -in cacert.cer -out cacert.crt

openssl x509 -in cacert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

D) Replace the application's hash value with our hash value using any editor.

E) Recompile the application and install it via Cydia Impactor

  • Compress the Payload folder into a file with the .zip extension.
  • Rename the compressed file to the .IPA extension.
  • Install the application via Cydia Impactor (it resigns and installs the application on the iPhone).

F) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.

4) SSL Pinning Bypass via SSL Kill Switch 2

A) Installing SSL Kill Switch 2

  • Download the SSL Kill Switch 2 .deb file:
    https://github.com/nabla-c0d3/ssl-kill-switch2/releases

  • Copy the .deb file to your iPhone with the following command and enter the default password "alpine" (/private is just the folder the package is copied to):
    scp /Path_Of_Downloaded_deb_file root@your_iphone_ip:/private

  • Make sure the dependencies Debian Packager, Cydia Substrate and PreferenceLoader are installed from Cydia (they have most likely already been installed).

  • Open an SSH connection and enter the default password "alpine":
    ssh root@iphone_ip

  • Enter the following command to install the SSL Kill Switch 2 Debian package, or install it from Filza:
    dpkg -i ssl.deb

B) Go to Settings and look for the SSL Kill Switch 2 entry.

C) Turn on the "Disable Certificate Validation" switch; SSL pinning in all applications is now bypassed.

D) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.

5) Bypassing SSL Pinning via MITM (mitmproxy)

Some applications' traffic cannot be captured with Burp Suite directly; in such cases mitmproxy comes into the picture. Instead of capturing the traffic with Burp Suite, we capture it with mitmproxy and then forward it from mitmproxy to Burp Suite.

You can also combine mitmproxy with objection, a Frida script, etc. This works in many cases: in one of my projects I tried a lot of things to bypass SSL pinning but nothing worked, and in the end, with one Frida script plus mitmproxy, I was able to capture the traffic.

i) Install mitmproxy with the following command on the MacBook
brew install mitmproxy

ii) Download the mitmproxy certificate on the iPhone
a) Connect the iPhone to the MacBook via USB and enter the command below
mitmproxy

b) Enter the address below in the iPhone browser and download the iOS certificate
mitm.it

iii) Install the mitmproxy certificate on the iPhone

On the iPhone navigate to Settings => Install Profile => Settings => Trust Certificates => Certificate Trust Settings => enable mitmproxy

iv) Enter the command below to start mitmproxy with its web interface (it opens in the browser automatically).

mitmweb

v) Set up mitmproxy to forward traffic from mitmproxy to Burp Suite.
a) Enter the command below

mitmweb

b) Go to Options, click "Edit Options", then click "Set this configuration"

c) Search for mode and add the following line there

upstream:http://127.0.0.1:8888

d) Search for ssl_insecure and enable it

e) Match the upstream setting in Burp Suite.

Set the Burp Suite proxy listener to the IP address and port number you configured in the upstream mode option.

f) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.

6) SSL Pinning Bypass via Objection

a) Install Frida server:

On the iPhone open Cydia => Sources => Edit => Add => https://build.frida.re => Search => Frida => Install

Once installed, the Frida server runs on the iPhone by default; you do not need to start it every time.

b) Install objection on the MacBook

sudo pip3 install objection

Note: while using objection, make sure the application is open on the device; otherwise objection will not attach.

c) Enter the command below to attach objection to the application and explore it.

objection --gadget package_name explore

d) Run the command below to bypass SSL pinning

ios sslpinning disable

e) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.

7) SSL Pinning Bypass via Frida

i) Enter the command below to bypass SSL pinning

frida -U -f package_name -l ssl.js --no-pause

  • -U => use a connected USB device as the target
  • -f => spawn the application with the given package name
  • -l => load the script
  • ssl.js => the bypass script (download it from Frida CodeShare according to your iOS version)
  • --no-pause => tell Frida not to pause the app's execution after injecting the script

ii) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.

8) SSL Pinning Bypass via Info.plist Modification

Some applications define their pinning rules in the Info.plist file, with enforcement controlled by boolean values. We can change these boolean values from true to false and bypass the SSL pinning.

i) Go to the app bundle inside the unzipped IPA and open the Info.plist file.

ii) The data is stored as key-value pairs; search for keys such as <key>TSKEnforcePinning</key> and <key>NSRequiresCertificateTransparency</key>.

iii) Change the value of these keys from true to false and reinstall the application.

iv) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
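
As an added check written from the defender's side (example code, not from the original post): a standard-library Python audit of an Info.plist that flags the weakened states this section relies on, that is, a TrustKit domain whose TSKEnforcePinning is not true or whose pin list is missing a backup pin or contains a malformed pin, and an ATS exception domain with NSRequiresCertificateTransparency disabled. The plist content, hostnames and pin values are constructed for the example; the key names are the real TrustKit and ATS keys.

```python
import base64
import plistlib

# Constructed pins in the format the openssl pipeline of section 3 produces: base64 of a 32-byte SHA-256 SPKI digest (not real digests).
PIN_A = base64.b64encode(bytes(32)).decode()
PIN_B = base64.b64encode(bytes(range(32))).decode()

# Constructed Info.plist: api.example.com pins correctly; cdn.example.com has
# TSKEnforcePinning flipped to false (the edit described above) and a malformed
# pin; legacy.example.com switches off certificate transparency under ATS.
SAMPLE_INFO_PLIST = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>TSKConfiguration</key><dict><key>TSKPinnedDomains</key><dict>
  <key>api.example.com</key><dict>
   <key>TSKEnforcePinning</key><true/>
   <key>TSKPublicKeyHashes</key><array><string>{PIN_A}</string><string>{PIN_B}</string></array>
  </dict>
  <key>cdn.example.com</key><dict>
   <key>TSKEnforcePinning</key><false/>
   <key>TSKPublicKeyHashes</key><array><string>not-a-valid-pin</string></array>
  </dict>
 </dict></dict>
 <key>NSAppTransportSecurity</key><dict><key>NSExceptionDomains</key><dict>
  <key>legacy.example.com</key><dict><key>NSRequiresCertificateTransparency</key><false/></dict>
 </dict></dict>
</dict></plist>""".encode()


def valid_pin(pin: str) -> bool:
    # A pin must decode to exactly 32 bytes, i.e. one SHA-256 digest.
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except ValueError:
        return False


def audit_pinning(plist_bytes: bytes) -> list:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    info = plistlib.loads(plist_bytes)
    findings = []
    domains = info.get("TSKConfiguration", {}).get("TSKPinnedDomains", {})
    for host, cfg in domains.items():
        if cfg.get("TSKEnforcePinning") is not True:
            findings.append(f"{host}: TSKEnforcePinning is not true (pin failures are only reported, not blocked)")
        pins = cfg.get("TSKPublicKeyHashes", [])
        if len(pins) < 2:
            findings.append(f"{host}: fewer than two pins (TrustKit expects a backup pin)")
        findings += [f"{host}: malformed pin {p!r}" for p in pins if not valid_pin(p)]
    for host, cfg in info.get("NSAppTransportSecurity", {}).get("NSExceptionDomains", {}).items():
        if cfg.get("NSRequiresCertificateTransparency") is False:
            findings.append(f"{host}: NSRequiresCertificateTransparency disabled")
    return findings
```

Run it against the Info.plist extracted from a build before release; any finding for a production hostname means the pinning configuration does not enforce what the code assumes.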


Conclusion

The amount of private and sensitive information handled by mobile apps these days makes them a lucrative target for threat actors. In the case of iOS applications, attackers generally begin by bypassing the SSL/TLS protection layer in order to learn more about the functionality and structure of the app. That is why in-depth penetration testing is a must, and knowing the techniques attackers use to bypass SSL pinning is a very proactive start in this direction.

Based on the insights gained, you can add further security measures to your app and stay ahead of the attackers.

Published on Oct 14, 2021
Vaishali Nagori
Written by Vaishali Nagori
Vaishali is a Penetration Tester, as well as a Dancer and a Learner. She works as security consultant. She has worked with Web Applications, APIs, Android, and iOS Penetration Testing. She has secured over 70 applications from a variety of industries, including e-commerce, banking, management, gaming, trading, government, tax management, and financial services. She enjoys dancing and interacting with new people. You can find her on Linkedin: http://www.linkedin.com/in/vaishali-nagori
