- Posted on: Oct 14, 2021
- By Vaishali Nagori
- Last updated on: Oct 3, 2024
What is SSL Pinning?
SSL Pinning is a technique used on the client side to prevent man-in-the-middle attacks by validating the server's certificate. Developers embed (or pin) a list of trusted certificates in the client application during development and compare the server's certificate against that list at runtime.
If the server certificate does not match the local copy, the connection is simply dropped and no further user data is sent to that server. This enforcement ensures that user devices communicate only with the dedicated, trusted servers. SSL Pinning prevents a man-in-the-middle attack, which means an attacker cannot intercept the traffic and modify the data. If an attacker cannot intercept the traffic, many server-side vulnerabilities become unreachable, because the attacker cannot perform API-level test cases; this is why implementing SSL pinning is very important.
Basic approach for bypassing SSL Pinning
The basic approach for bypassing SSL pinning is to analyze the application's binary to determine the framework or language it was written in, and then choose a way to bypass SSL pinning that fits that iOS application. For example, if an application is built with Flutter or Xamarin, we use the hotspot method.
Different ways of SSL Bypass
1) Hotspot method (Flutter & Xamarin applications)
Flutter and Xamarin applications do not respect the system proxy, which means that if you set a proxy on your iPhone and try to capture the traffic, the application will throw an error or you will be unable to capture the traffic. This is why the hotspot approach is used for API-level penetration testing of these types of applications.
Before starting, first identify whether the application is built with Flutter or Xamarin.
a) Unzip the IPA file:
unzip test.ipa
b) Go to the "Framework" directory, or use the grep command to search for "flutter"
cd Payloads/test.app/framework
Requirements:
- One mobile device (Android/iOS) to share the internet via Bluetooth tethering.
- Jailbroken or non-jailbroken iOS device
- MacBook
Steps to capture traffic via hotspot method
A) Share the internet connection via Bluetooth tethering
Turn on mobile data => turn on Bluetooth on the mobile device => connect to the MacBook => turn on Bluetooth tethering from Settings on the mobile device
(Browse some data on the MacBook to confirm that Bluetooth tethering is working properly)
B) Share internet connection from MacBook to iPhone
a) On the MacBook navigate to System Preferences => Sharing => Internet Sharing => Share your connection from: Bluetooth PAN => To computers using: Wi-Fi
b) On the iPhone navigate to Wi-Fi => connect to the MacBook's Wi-Fi network (browse some data on the iPhone to confirm that this is working properly)
C) Forward the iPhone traffic to Burp Suite
Create the pf.rules file with the following content:
rdr pass on bridge100 inet proto tcp from any to any -> 127.0.0.1 port 8080
Run the following two commands:
sudo pfctl -f pf.rules
sudo sysctl -w net.inet.ip.forwarding=1
D) Turn on the invisible proxy option in Burp Suite
Open Burp Suite => Proxy => Options => Edit => Request handling => turn on "Support invisible proxying"
E) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
2) SSL Pinning Bypass via replacing hard-coded certificate
Some iOS applications implement SSL pinning with a certificate hardcoded in the application bundle. The application checks whether the server certificate matches it and only then sends traffic to the server.
So, we'll replace the hardcoded certificate in the iOS application with our Burp Suite certificate, reinstall the app, and the pinning will be bypassed.
Let's see how to replace the hardcoded certificate.
A) Unzip the IPA file with the following command.
unzip test.IPA
B) Go to the binary
cd /Payload/test.app
C) Search for hardcoded certificate via the following command
find . | grep .cer
Note: certificates can also come with other extensions, such as .pem or .cert.
D) Replace All the hardcoded certificates with your burp suite certificate
cp ~/Path_of_Your_burp_certificate ./Full_Path_Of_Hardcoded_Certificate
E) Recompile the application and install it via Cydia Impactor
- Compress the Payload folder into a .zip file.
- Rename the compressed zip file to the .IPA file extension.
- Now install the application via Cydia Impactor (it will resign and install the application on the iPhone).
F) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
3) SSL Pinning Bypass via replacing the hard-coded SHA-256 hash
Some applications implement SSL pinning in the iOS application with a hardcoded certificate hash. Most applications built with Cordova use this technique for implementing SSL pinning.
So, we can simply replace the hardcoded certificate hash value in the iOS application with the hash of our Burp Suite certificate and reinstall the application.
Let's see how to replace the hardcoded certificate's hash value.
A) Unzip the IPA file with the following command.
unzip test.IPA
B) Look for the hardcoded hash. It might be at a different location in your application; in my case it was at the following path:
cd /Payload/test.app/www/pinning/pinning.json
C) Generate the hash of your Burp Suite certificate with the following commands
openssl x509 -inform DER -in cacert.cer -out cacert.crt
openssl x509 -in cacert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
D) Replace the application's hash value with your hash using any editor.
E) Recompile the application and install it via Cydia Impactor
- Compress the Payload folder into a .zip file.
- Rename the compressed zip file to the .IPA file extension.
- Now install the application via Cydia Impactor (it will resign and install the application on the iPhone).
F) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
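As an added example (not code from the original post), the following Python computes the same pin as the openssl pipeline in step C, base64(SHA-256(DER SubjectPublicKeyInfo)), with a small DER walker, and then performs the client-side comparison described in the introduction. It uses a constructed, content-free certificate so that it runs offline; the helper names are mine, not from any library.

```python
import base64
import hashlib

# Added example, not from the original post: the SPKI pin the openssl pipeline
# above prints, base64(sha256(DER SubjectPublicKeyInfo)), computed with a minimal
# DER walker, then the client-side comparison. The certificate is CONSTRUCTED.

def der_read(buf, off):  # one DER TLV at buf[off] -> (tag, value, next offset)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(body):  # yield the raw TLV-encoded children of a SEQUENCE body
    off = 0
    while off < len(body):
        start, (_, _, off) = off, der_read(body, off)
        yield body[start:off]

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body, _ = der_read(cert_der, 0)                      # Certificate
    _, tbs_body, _ = der_read(next(der_children(cert_body)), 0)  # tbsCertificate
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:            # optional version [0] EXPLICIT: skip it
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]

def pin_of_spki(spki_der):
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def chain_is_pinned(chain_der, pinned_hashes):
    """Client check: accept only if some chain certificate carries a pinned key."""
    return any(pin_of_spki(extract_spki(c)) in pinned_hashes for c in chain_der)

def der(tag, body):  # encode one TLV (used only to build the constructed sample)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def constructed_cert(key_bytes, with_version=True):  # valid layout, dummy contents
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bytes))
    version = der(0xA0, der(0x02, b"\x02")) if with_version else b""
    tbs = der(0x30, version + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00")), spki

CERT_A, SPKI_A = constructed_cert(bytes(range(256)))  # 256-byte key -> long-form lengths
CERT_B, _ = constructed_cert(bytes(256), with_version=False)
PINNED = {pin_of_spki(SPKI_A)}                        # what a developer embeds in the app
```

Pinning the public key rather than the whole certificate, as this does, lets the server renew its certificate without an app update as long as the key is reused, and a backup pin for a spare key belongs in the same set.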
4) SSL Pinning Bypass via SSL Kill Switch 2
A) Installing SSL Kill Switch
- Download the SSL Kill Switch 2 deb file from https://github.com/nabla-c0d3/ssl-kill-switch2/releases
- Copy the deb file to your iPhone with the following command and enter the default password "alpine" (/private is the folder where you want to copy the package):
scp /Path_Of_Downloaded_deb_file root@your_iphone_ip:/private
- Install the Debian Package, Cydia Substrate and PreferenceLoader dependencies from Cydia (hopefully they are already installed).
- Open an SSH connection and enter the default password "alpine":
ssh root@iphone_ip
- Enter the following command to install the SSL Kill Switch Debian package, or install it from Filza:
dpkg -i ssl.deb
B) Go to Settings and look for the SSL Kill Switch entry.
C) Click on "Disable SSL Certificate", and SSL pinning of all the applications will be bypassed.
D) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
5) Bypassing SSL Pinning via MITM (mitmproxy)
Some applications' traffic cannot be captured directly with Burp Suite; in such cases mitmproxy comes into the picture. Instead of capturing the traffic with Burp Suite, we capture it with mitmproxy and then forward it from mitmproxy to Burp Suite.
You can also use MITM with objection, Frida scripts, etc. It works many times; in one of my projects I tried a lot to bypass SSL pinning but nothing worked. Then, at the end, with one Frida script and MITM, I was able to capture the traffic.
i) Install mitmproxy on the MacBook with the following command:
brew install mitmproxy
ii) Download the mitmproxy certificate on the iPhone
a) Connect the iPhone and the MacBook via USB and enter the command below
mitmproxy
b) Open the address below in the iPhone browser and download the iOS certificate
mitm.it
iii) Install the MITM certificate on the iPhone
On the iPhone navigate to Settings => Install Profile, then Settings => Trust Certificates => Certificate Trust Settings => enable mitmproxy
iv) Enter the command below to start mitmproxy's web interface in the browser.
mitmweb (the mitmproxy interface opens in the browser automatically)
v) Set up mitmproxy to forward traffic to Burp Suite.
a) Enter the command below
mitmweb
b) Go to Options, click on "Edit Options" and then on "set this configuration"
c) Search for mode and add the following line there
upstream: http://127.0.0.1:8888
d) Search for ssl_insecure and enable it
e) Set the upstream proxy in Burp Suite.
In Burp Suite, set the same IP address and port number that you configured for the upstream in the mode option.
f) Start browsing the application from the iPhone and observe that the traffic is captured in Burp Suite.
6) SSL Pinning Bypass via Objection
a) Install Frida Server:
From the iPhone open Cydia => Sources => Edit => Add => https://build.frida.re => search for "frida" => Install
By default the Frida server keeps running on the iPhone, so you don't need to start it every time.
b) Install objection in MacBook
sudo pip3 install objection
Note: while using objection make sure the application is open on the device, otherwise objection will not work.
c) Enter the command below to attach objection to the application and explore it.
objection --gadget package_name explore
d) Run the below command to bypass SSL pinning
ios sslpinning disable
e) Start browsing the application from the iPhone and observe that the traffic will be captured in the burp suite.
7) SSL Pinning bypass via Frida
i) Enter the below command to bypass SSL pinning
frida -U -f package_name -l ssl.js --no-pause
-U => use a connected USB device as the target
-f => specifies the package name of the application
-l => the script to load
ssl.js => the bypass script (download it from Frida CodeShare according to your iOS version)
--no-pause => tell Frida not to pause app execution after injecting the script
ii) Start browsing the application from the iPhone and observe that the traffic will be captured in the burp suite.
8) SSL Pinning Bypass via Info.plist modification
Some applications define their pinning rules in the Info.plist file as boolean values. We can change these boolean values from true to false and bypass the SSL pinning.
i) Go to the binary directory of the IPA file and open the Info.plist file.
ii) The data is stored as key-value pairs; search for keys like <key>TSKEnforcePinning</key>, <key>NSRequiresCertificateTransparency</key>, etc.
iii) Change the value of these keys from true to false and reinstall the application.
iv) Start browsing the application from the iPhone and observe that the traffic will be captured in the burp suite.
Conclusion
The amount of private and sensitive information handled by mobile apps these days makes them a lucrative target for threat actors. In the case of iOS applications, attackers would generally begin by bypassing the SSL/TLS protection layer to gain more information about the app's functionality and structure. That is why in-depth penetration testing becomes a must, and knowing the several techniques attackers use to bypass SSL pinning can be a very proactive start in this direction.
Based on the insights gained, you can always add additional security measures to your app and stay ahead of attackers.
FAQs
1. Are there any risks associated with bypassing SSL pinning in mobile apps?
Yes, bypassing SSL pinning in mobile apps can expose apps to considerable risks. Some of them are:
- Man-in-the-Middle (MITM) attacks: SSL pinning prevents attackers from intercepting and manipulating data exchanged between the app and the server. Once it is bypassed, sensitive information like login credentials, payment details or personal data can be exposed.
- Data breaches: Hackers can decrypt and steal data by bypassing SSL pinning, which weakens encryption. This may result in major breaches and financial or legal consequences.
- Unauthorized API access: Hackers can intercept API requests, modify them, or inject malicious code, potentially gaining unauthorized access to back-end systems.
- Loss of user trust: If users' sensitive data is compromised, it can severely damage the app and company's reputation, resulting in loss of trust and user abandonment.
2. Can SSL pinning be bypassed without rooting or jailbreaking a device?
Yes, SSL pinning can be bypassed on non-rooted devices, but it's tricky. Attackers often use dynamic instrumentation tools (e.g., Frida or Xposed) to manipulate the app's behavior at runtime and bypass the pinning checks. These tools can intercept the app's certificate handling and bypass pinning checks without modifying the device.
3. What tools or frameworks commonly bypass SSL pinning in iOS apps?
Frida is one of the most popular tools. It allows attackers to inject scripts and bypass SSL pinning checks without modifying the app’s code. Another widely used tool is Objection, which is built on Frida. It makes it easier to automate SSL pinning bypass with minimal effort.
SSL Kill Switch is a framework designed to disable SSL pinning in iOS apps by patching security functions.
4. Are there any best practices for developers to enhance the security of mobile apps against SSL pinning bypass attacks?
Follow these best practices to strengthen mobile app security against SSL pinning bypass attacks.
First, implement strong obfuscation techniques to make it harder for attackers to reverse-engineer the app’s code. Use certificate transparency and public key pinning instead of hardcoding certificates, ensuring real-time validation. Regularly rotate certificates and keys to reduce the risk of misuse.
Then integrate runtime security tools that detect debugging or tampering attempts. Finally, conduct security audits and penetration testing to identify and address vulnerabilities before attackers can exploit them.