Four ways to bypass Android SSL verification and certificate pinning

DOI:

https://doi.org/10.32347/tit2020.31.0302

Keywords:

SSL-pinning bypass, android application, android application security assessment

Abstract

Gone are the days when mobile applications stoically ignored all manner of SSL errors and allowed you to intercept and modify their traffic at will. Instead, most modern applications at least check that the presented certificate chains to a valid, trusted certificate authority (CA). As pentesters, we want to convince the app that our certificate is valid and trusted so that we can man-in-the-middle (MITM) it and modify its traffic.

References

Four Ways to Bypass Android SSL Verification and Certificate Pinning, 2020 [Online]. Available: https://blog.netspi.com/four-ways-bypass-android-ssl-verification-certificate-pinning/. Accessed on: May 19, 2020.

All about SSL pinning bypass, 2020 [Online]. Available: https://ninadmathpati.com/all-about-ssl-pinning-bypass/. Accessed on: May 19, 2020.

SSL PINNING: Mobile banking protection on Android with SSL certificate, 2020 [Online]. Available: https://www.emaro-ssl.ru/blog/ssl-pinning-for-android/. Accessed on: May 19, 2020.

Xposed Module: Just Trust Me, 2020 [Online]. Available: https://github.com/Fuzion24/JustTrustMe. Accessed on: May 19, 2020.

Xposed Module: SSLUnpinning, 2020 [Online]. Available: https://github.com/ac-pm/SSLUnpinning_Xposed. Accessed on: May 19, 2020.

Android-ssl-bypass, 2020 [Online]. Available: https://github.com/iSECPartners/android-ssl-bypass. Accessed on: May 19, 2020.

Published

2020-09-03