Four Ways to Bypass Android SSL Verification and Certificate Pinning

Mykhailo Antonishyn

Abstract


Gone are the days when mobile applications stoically ignored all manner of SSL errors and allowed you to intercept and modify their traffic at will. Instead, most modern applications at least check that the presented certificate chains to a valid, trusted certificate authority (CA). Pentesters therefore need to convince the app that their own certificate is valid and trusted so they can man-in-the-middle (MITM) it and modify its traffic.


Keywords


SSL-pinning bypass; android application; android application security assessment



Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.