
I am developing a finance app in which I have implemented SSL pinning. My software testing team bypassed my SSL pinning approach. How can I implement a more complex SSL pinning method in Android?

MRazian
Anandharaj R

2 Answers

0

I think there are some solutions:

  • Anti-repack your APK: if a hacker wants to bypass SSL pinning, he has to repack your APK using apktool. You can prevent that by checking your APK signature; if it does not match, exit your app.

  • Move your SSL pinning code to the NDK and build a .so library to use; it may be harder for a hacker to modify the .so file to bypass it.
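As an added illustration of the first point (not code from the answerer or from any particular project), here is how the two pieces usually fit together on Android: a signature self-check that refuses to build a network client when the APK was re-signed, and an OkHttp `CertificatePinner` that pins the server's SPKI hash. It assumes OkHttp 3.x or 4.x on the classpath and minSdk 28 (for `GET_SIGNING_CERTIFICATES`); the host name, the two pins and the expected signer hash are placeholders you would replace with your own values.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/** Builds the app's HTTP client only after verifying the APK has not been re-signed. */
public final class PinnedClientFactory {

    // Assumed API host; replace with your own.
    private static final String HOST = "api.example.com";

    // Placeholders: "sha256/" + base64(SHA-256 of the server certificate's SubjectPublicKeyInfo).
    // Pin the leaf AND a backup (e.g. the intermediate or a pre-generated spare key) so a routine
    // certificate rotation does not lock every installed app out of the API.
    private static final String PIN_PRIMARY = "sha256/PLACEHOLDER_PRIMARY_SPKI_HASH_BASE64=";
    private static final String PIN_BACKUP = "sha256/PLACEHOLDER_BACKUP_SPKI_HASH_BASE64=";

    // Placeholder: lowercase hex SHA-256 of the DER-encoded release signing certificate.
    // Obtain it from your release keystore, never from the running app.
    private static final String EXPECTED_SIGNER_SHA256 = "placeholder_hex_sha256_of_release_signing_cert";

    private PinnedClientFactory() {}

    public static OkHttpClient build(Context ctx) {
        if (!isSignedByExpectedKey(ctx)) {
            // A repacked APK is signed with the attacker's key, not ours: refuse to run network code.
            throw new SecurityException("APK signing certificate does not match the release key");
        }
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN_PRIMARY, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** Compares the APK's signing certificate against the hash compiled into the app. */
    static boolean isSignedByExpectedKey(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            // Reject multi-signer and rotated-history cases as well: one known signer is expected.
            if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) return false;
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers == null || signers.length != 1) return false;

            byte[] digest = MessageDigest.getInstance("SHA-256").digest(signers[0].toByteArray());
            byte[] actual = toHex(digest).getBytes(StandardCharsets.US_ASCII);
            byte[] expected = EXPECTED_SIGNER_SHA256.getBytes(StandardCharsets.US_ASCII);
            // Constant-time comparison; avoids leaking how many leading bytes matched.
            return MessageDigest.isEqual(actual, expected);
        } catch (Exception e) {
            // Any failure to read the signing info is treated as a mismatch, not as "probably fine".
            return false;
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Two practical notes: the self-check only raises the bar, since on a rooted device a hook can still make `isSignedByExpectedKey` return `true` or replace the pinner, which is exactly the Frida scenario the second answer describes; and the pin should be on the SPKI hash rather than the whole certificate so that re-issuing a certificate with the same key does not break the app.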

0

Generally speaking, there are two ways to bypass SSL pinning:

  • Hooking to skip the SSL check or to change its result, i.e., the return value of the checker function. Frida is a popular tool for this.
  • Manipulating certificate-related data (like the public key) in the application assets or in the application code.

Here, you can find more explanation about above methods.

To defend against the aforementioned attacks, one way is code/string obfuscation.

MRazian