What is SSL Pinning?
SSL pinning is a technique used on the client side to avoid a man-in-the-middle attack by validating the server certificates. The developers embed (or pin) a list of trusted certificates in the client application during development and compare them against the server certificates at runtime.
If there is a mismatch between the server certificate and the local copy, the connection is simply dropped and no further user data is sent to that server. This enforcement ensures that user devices communicate only with the dedicated trusted servers. SSL pinning prevents a man-in-the-middle attack, which means an attacker cannot intercept the traffic and modify the data. If an attacker cannot intercept the traffic, the application is automatically protected against many server-side attacks, because the attacker cannot perform API-level test cases. That is why implementing SSL pinning is very important.
Basic Approach for Bypassing SSL Pinning
The basic approach for bypassing SSL pinning is to analyze the binary of the application to determine the language it was written in, and then use a language-specific way to bypass the SSL pinning of that iOS application. For example, if an application is built with Flutter or Xamarin, we use the hotspot method.
Different Ways of SSL Bypass
1) Hotspot method (Flutter & Xamarin Application)
Flutter and Xamarin applications do not respect the system proxy, which means that if you set a proxy on your iPhone and try to capture the traffic, the application will throw an error or the traffic will not be captured. This is why the hotspot approach is used to perform API-level penetration testing of these types of applications.
Before starting, first identify whether the application is built with Flutter or Xamarin:
a) Unzip the IPA file:
unzip test.ipa
b) Go to the Frameworks directory (or use grep to search the bundle for flutter):
cd Payload/test.app/Frameworks
Requirements:
- One mobile device (Android/iOS) to share the internet via Bluetooth tethering.
- Jailbroken/Non-Jailbroken iOS device
- MacBook
Steps to capture traffic via Hotspot Method
A) Share the internet connection via Bluetooth tethering
Turn on mobile data => turn on Bluetooth on the mobile device => connect to the MacBook => turn on Bluetooth tethering from Settings on the mobile device
(Browse a site on the MacBook to confirm that Bluetooth tethering works)
B) Share the internet connection from the MacBook to the iPhone
a) On the MacBook navigate to System Preferences => Sharing => Internet Sharing => Share your connection from: Bluetooth PAN => To computers using: Wi-Fi
(Browse a site on the iPhone to confirm that this works)
C) Forward the iPhone traffic to Burp Suite
Create a pf.rules file with the following rule (bridge100 is the interface macOS creates for Internet Sharing; 8080 is the Burp Suite listener port):
rdr pass on bridge100 inet proto tcp from any to any -> 127.0.0.1 port 8080
Run the following two commands:
sudo pfctl -f pf.rules
sudo sysctl -w net.inet.ip.forwarding=1
D) Turn on the invisible proxy option in Burp Suite
Open Burp Suite => Proxy => Options => edit the listener => Request handling => enable “Support invisible proxying”
E) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
2) SSL Pinning Bypass via Replacing Hard-Coded Certificate
Some applications pin a hardcoded certificate bundled inside the iOS application. The application checks whether the server certificate matches the bundled one and only then sends traffic to the server.
So, we replace the hardcoded certificate in the iOS application with our Burp Suite certificate, reinstall the app, and the pinning is bypassed.
Let’s see how to replace the hardcoded certificate.
A) Unzip the IPA file with the following command.
unzip test.IPA
B) Go to the binary
cd Payload/test.app
C) Search for hardcoded certificate via the following command
find . | grep "\.cer"
Note: certificates may also be stored in other formats, such as .pem, .cert, etc.
D) Replace all the hardcoded certificates with your Burp Suite certificate:
cp ~/Path_of_Your_burp_certificate ./Full_Path_Of_Hardcoded_Certificate
E) Recompile the application and install it via Cydia Impactor
- Compress the Payload folder into a .zip file.
- Rename the compressed zip file to the .IPA extension.
- Install the application via Cydia Impactor (it will re-sign and install the application on the iPhone).
F) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
3) SSL Pinning Bypass via Replacing a Hard-Coded SHA-256 Hash
Some applications use a hardcoded hash of the certificate for implementing SSL pinning in the iOS application. Most applications built with Cordova use this technique.
So, we can simply replace the hardcoded certificate hash value in the iOS application with the hash of our Burp Suite certificate and reinstall the application.
Let’s see how to replace the hardcoded certificate’s hash value.
A) Unzip the IPA file with the following command.
unzip test.IPA
B) Go to the following location and look for the hardcoded hash (it might be at a different location in other apps; in my case it was here):
Payload/test.app/www/pinning/pinning.json
C) Generate your Burp Suite certificate’s hash via the following commands (the first converts the exported DER .cer file to PEM; the second extracts the public key, DER-encodes it, hashes it with SHA-256 and base64-encodes the digest):
openssl x509 -inform DER -in cacert.cer -out cacert.crt
openssl x509 -in cacert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
D) Replace the application’s hash value with our hash value using any editor.
E) Recompile the application and install it via Cydia Impactor
- Compress the Payload folder into a .zip file.
- Rename the compressed zip file to the .IPA extension.
- Install the application via Cydia Impactor (it will re-sign and install the application on the iPhone).
F) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
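As an added example (not from the original post), the following Python reimplements what the two openssl commands above compute, base64(SHA-256(DER SubjectPublicKeyInfo)), with only the standard library, so a developer can generate or verify the pin for their own server certificate without openssl. The certificate bytes it parses are a constructed placeholder rather than a real certificate, and the names read_tlv, extract_spki, spki_pin, tlv and sample_cert are chosen here.

```python
import base64
import hashlib

def read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV (header included) of an X.509 cert."""
    tag, pos, _ = read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    tag2, pos, tbs_end = read_tlv(cert_der, pos)   # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER X.509 certificate")
    # tbs fields: [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, SPKI (6th)
    field = 0
    while pos < tbs_end:
        tag, _, stop = read_tlv(cert_der, pos)
        if not (tag == 0xA0 and field == 0):       # skip the optional explicit version
            field += 1
            if field == 6:
                return cert_der[pos:stop]
        pos = stop
    raise ValueError("SubjectPublicKeyInfo not found")

def spki_pin(cert_der: bytes) -> str:
    """base64(SHA-256(SPKI)): the same value the openssl pipeline above prints."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

# Constructed sample (hypothetical, not a real certificate): an rsaEncryption SPKI
# skeleton inside a structurally valid certificate whose other fields are placeholders.
SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101"))
                            + tlv(0x05, b"")) + tlv(0x03, b"\x00" + b"\x42" * 160))

def sample_cert(v3: bool) -> bytes:
    """Wrap SAMPLE_SPKI in a certificate with or without the explicit [0] version."""
    version = tlv(0xA0, tlv(0x02, b"\x02")) if v3 else b""
    tbs = tlv(0x30, version + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + SAMPLE_SPKI)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For a real certificate, read the .cer bytes from disk and pass them to spki_pin; the result must match the value produced by the openssl pipeline.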
4) SSL Pinning Bypass via SSL Kill Switch 2
A) Installing SSL Kill Switch 2
- Download the SSL Kill Switch 2 deb file from https://github.com/nabla-c0d3/ssl-kill-switch2/releases
- Copy the deb file to your iPhone with the following command and enter the default password “alpine” (/private is just the folder where you want to place the package):
scp /Path_Of_Downloaded_deb_file root@your_iphone_ip:/private
- Install the Debian Packager (dpkg), Cydia Substrate and PreferenceLoader packages from Cydia (hopefully they are already installed).
- Open an SSH connection and enter the default password “alpine”:
ssh root@iphone_ip
- Enter the following command to install the SSL Kill Switch Debian package, or install it from Filza:
dpkg -i ssl.deb
B) Go to Settings and look for the SSL Kill Switch entry.
C) Turn on “Disable SSL Certificate” and the SSL pinning of all applications will be bypassed.
D) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
5) Bypassing SSL Pinning via MITM (mitmproxy)
Some applications’ traffic cannot be captured via Burp Suite directly; in such cases mitmproxy comes into the picture. Instead of capturing the traffic with Burp Suite, we capture it with mitmproxy and forward it to Burp Suite as an upstream proxy.
You can also use mitmproxy together with objection, a Frida script, etc. It works many times; in one of my projects I tried a lot to bypass SSL pinning but nothing worked. Then, at the end, with one Frida script and mitmproxy I was able to capture the traffic.
i) Install mitmproxy with the following command on the MacBook:
brew install mitmproxy
ii) Download the mitmproxy certificate on the iPhone
a) Connect the iPhone and the MacBook via USB and enter the following command:
mitmproxy
b) Open the following address in the iPhone browser and download the iOS certificate:
mitm.it
iii) Install the mitmproxy certificate on the iPhone
On the iPhone navigate to Settings => Install Profile, then Settings => Trust Certificates => Certificate Trust Settings => enable mitmproxy
iv) Enter the following command to start mitmproxy with its web interface (it opens in the browser automatically):
mitmweb
v) Set up mitmproxy to forward traffic to Burp Suite
a) Enter the following command:
mitmweb
b) Go to Options, click “Edit Options” and click “set this configuration”
c) Search for mode and add the following value:
upstream:http://127.0.0.1:8888
d) Search for ssl_insecure and enable it (mitmproxy will then accept the certificate that Burp Suite presents upstream)
e) Configure the matching listener in Burp Suite: set the proxy listener’s IP address and port to the ones you used in the upstream mode option.
f) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
6) SSL Pinning Bypass via Objection
a) Install the Frida server:
On the iPhone open Cydia => Sources => Edit => Add => https://build.frida.re => search for frida => Install
Once installed, the Frida server runs on the iPhone by default; you don’t need to start it every time.
b) Install objection on the MacBook:
sudo pip3 install objection
Note: while using objection make sure the application is open on the device, otherwise objection will not work.
c) Enter the following command to attach objection to the application and explore it:
objection --gadget package_name explore
d) Run the following command to bypass SSL pinning:
ios sslpinning disable
e) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
7) SSL Pinning bypass via Frida
i) Enter the following command to bypass SSL pinning:
frida -U -f package_name -l ssl.js --no-pause
-U => use the connected USB device as the target
-f => spawn the application with the given package (bundle) identifier
-l => load the script
ssl.js => the pinning-bypass script (download it from Frida CodeShare according to your iOS version)
--no-pause => do not pause the app’s execution after injecting the script
ii) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
8) SSL Pinning Bypass via Info.plist Modification
Some applications define the pinning rules in the Info.plist file as boolean values. We can change these boolean values from true to false and bypass the SSL pinning.
i) Go to the app bundle inside the IPA file and open the Info.plist file.
ii) The data is stored as key-value pairs; search for keys such as <key>TSKEnforcePinning</key>, <key>NSRequiresCertificateTransparency</key>, etc.
iii) Change the value of these keys from true to false and reinstall the application.
iv) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
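As an added example from the defender’s side (not from the original post), the following Python audits an Info.plist for exactly the weakening described here: it flags TrustKit domains whose TSKEnforcePinning is not explicitly true (so a deleted key is caught as well as a flipped one), domains with fewer than two pins, malformed pin values, and an ATS NSAllowsArbitraryLoads override. The hosts, the placeholder pins and the helper names build_plist and audit_pinning are constructed for this example.

```python
import base64
import plistlib

def build_plist(domains: dict, allow_arbitrary_loads: bool) -> bytes:
    """Serialize a minimal Info.plist (XML) with ATS and TrustKit pinning settings."""
    return plistlib.dumps({
        "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": allow_arbitrary_loads},
        "TSKConfiguration": {"TSKPinnedDomains": domains},
    })

def audit_pinning(plist_bytes: bytes) -> list:
    """Return findings where the shipped plist weakens TLS or pinning enforcement."""
    plist = plistlib.loads(plist_bytes)
    findings = []
    if plist.get("NSAppTransportSecurity", {}).get("NSAllowsArbitraryLoads"):
        findings.append("ATS: NSAllowsArbitraryLoads is true")
    domains = plist.get("TSKConfiguration", {}).get("TSKPinnedDomains", {})
    if not domains:
        findings.append("TrustKit: no TSKPinnedDomains configured")
    for host, cfg in domains.items():
        # Require the key to be present and true: deleting it is as suspicious as flipping it
        if cfg.get("TSKEnforcePinning") is not True:
            findings.append(f"{host}: TSKEnforcePinning is not explicitly true")
        hashes = cfg.get("TSKPublicKeyHashes", [])
        if len(hashes) < 2:
            findings.append(f"{host}: fewer than 2 pins (TrustKit requires a backup pin)")
        for h in hashes:
            try:  # a valid pin is base64 of a 32-byte SHA-256 digest
                valid = len(base64.b64decode(h, validate=True)) == 32
            except ValueError:  # binascii.Error is a ValueError subclass
                valid = False
            if not valid:
                findings.append(f"{host}: pin {h!r} is not a base64 SHA-256 digest")
    return findings

# Constructed sample (hypothetical hosts, placeholder pins): one domain has been
# weakened the way Section 8 describes, one is fine, one carries a malformed pin.
PIN_A = base64.b64encode(b"\x01" * 32).decode()
PIN_B = base64.b64encode(b"\x02" * 32).decode()
SAMPLE_PLIST = build_plist({
    "api.example.com": {"TSKEnforcePinning": False, "TSKPublicKeyHashes": [PIN_A]},
    "cdn.example.com": {"TSKEnforcePinning": True, "TSKPublicKeyHashes": [PIN_A, PIN_B]},
    "dl.example.com": {"TSKEnforcePinning": True, "TSKPublicKeyHashes": [PIN_A, "not-a-pin"]},
}, allow_arbitrary_loads=True)
```

Running audit_pinning over the Info.plist extracted from a release build (or over a plist captured from a device) gives a quick check that the shipped configuration still enforces pinning.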
Conclusion
The amount of private and sensitive information handled by mobile apps these days makes them a lucrative target for threat actors. In the case of iOS applications, attackers would generally begin by bypassing the SSL/TLS protection layer to gain more information about the functionality and structure of the app. That is why in-depth penetration testing becomes a must, and knowing the several techniques used by attackers to bypass SSL pinning is a very proactive start in this direction.
Based on the gained insights, you can always add additional security measures to your app and stay ahead of the attackers.