
Charles Proxy website comments that:

Note that some apps implement SSL certificate pinning which means they specifically validate the root certificate. Because the app is itself verifying the root certificate it will not accept Charles's certificate and will fail the connection. If you have successfully installed the Charles root SSL certificate and can browse SSL websites using SSL Proxying in Safari, but an app fails, then SSL Pinning is probably the issue.

Just to be certain, is it possible to use an HTTP monitor like Charles Proxy (or another monitor) even though a mobile app uses SSL certificate pinning?

Stanford Wong
  • Pinning means that you validate a selected set of certificates or their public key. You can have multiple pins from root to leaf. – Droid Teahouse Jan 01 '19 at 02:56

2 Answers


As Steffen said, you might need to patch the app to disable certificate pinning. Most mobile apps don't use it though :) Thus you just need to enable SSL connections with a self-signed certificate. To allow that with an Android application, do the following. First download apktool. Then unpack the APK file (according to apktool 2.4.1):

java -jar apktool.jar d app.apk

Modify AndroidManifest.xml by adding this attribute to application element:

android:networkSecurityConfig="@xml/network_security_config"

Create file res/xml/network_security_config.xml with following content:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
   <base-config>
      <trust-anchors>
         <certificates src="system" />
         <certificates src="user" />
      </trust-anchors>
   </base-config>
</network-security-config>

Generate keys to sign APK:

keytool -genkey -alias keys -keystore keys -keyalg DSA

Build patched APK:

java -jar apktool.jar b app -o app_patched.apk --use-aapt2

Sign APK file:

jarsigner -verbose -keystore keys app_patched.apk keys

If necessary, convert the APK to a JAR for further analysis: d2j-dex2jar.sh app.apk. More information: Network security configuration.

Zombo
expert

Certificate pinning means that the application explicitly wants to get the original certificate. If you do have the original certificate and the associated private key (which usually means that you control the server the application is using) then it is possible to be a man in the middle (i.e. HTTP monitor) even for applications using certificate pinning.

Of course your HTTP monitoring application must support specifying a fixed certificate. It looks to me like Charles Proxy does not support this. But mitmproxy supports providing a fixed certificate for specific domains.

If you don't have access to the expected certificate and the matching key then you cannot give the expected certificate to the application. The only hope is then to somehow disable the pinning in the application itself by somehow hacking the code. Use your favorite search engine and search for "bypass pinning android" or similar to get a variety of non-trivial ways in which one can try to make the application believe that it got the expected certificate.

Steffen Ullrich
  • Thanks Steffen. But if I do not control the server that app is using, then it's not possible correct? – Stanford Wong Oct 17 '18 at 20:20
  • @StanfordWong: if you don't have access to the server's certificate and private key then you can't give the application the certificate it explicitly expects - thus: no. – Steffen Ullrich Oct 17 '18 at 20:42
  • @StanfordWong: As Steffen mentioned, you have to hack the app. This may or may not be easy on a rooted Android phone. Some apps specifically look for rootkits and refuse to run if they find one. This puts you in the measure-countermeasure battle with the app developer since you can then fool their rootkit finder, but they can then look for your rootkit-finder-fooler, ad infinitum. – President James K. Polk Oct 17 '18 at 23:38
  • @SteffenUllrich: off-topic, but just to be clear: is it the private key or public key that we must possess in case we are implementing pinning? – humblePilgrim Jan 24 '19 at 05:08
  • @humblePilgrim: pinning is done against the public key or the certificate which contains the public key. – Steffen Ullrich Jan 24 '19 at 05:20
  • @SteffenUllrich SSL pinning is done against any data in the certificate. A certificate includes a public key as well. – Blazej SLEBODA May 11 '21 at 04:49
  • @BlazejSLEBODA: There is no "SSL pinning". There is pinning __in the context of SSL__ and it might be __certificate__ pinning (covering the whole certificate) or __public key__ pinning (covering only the public key, ignoring the rest of the certificate). Both are in use. For the latter see for example the deprecated [HPKP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning) feature. Public key pinning has the advantage that it continues to work if the certificate gets renewed (same public key, different expiration). – Steffen Ullrich May 11 '21 at 05:04
  • @SteffenUllrich SSL pinning is a colloquial name. When I refer to "against any data in certificate" then I am thinking of certificate metadata fields and an included public key as well – Blazej SLEBODA May 11 '21 at 10:20
  • @BlazejSLEBODA: Again, there are two forms of pinning - one against the public key __only__ and one against the whole certificate, i.e. key and metadata. Both are in use. – Steffen Ullrich May 11 '21 at 11:29
  • @SteffenUllrich "certificate metadata fields and a included public key as well" makes three forms of pinning: 1. certificate metadata fields 2. public key 3. certificate metadata fields + public key – Blazej SLEBODA May 11 '21 at 16:32
  • @BlazejSLEBODA: Pinning against the metadata fields only would be stupid since authentication is only provided with the public key. Such a pinning could thus be easily bypassed by some attacker, since one can trivially create a new certificate with the same metadata. Thus, the public key needs to be included in the pinning - either with metadata (i.e. the whole certificate) or without (only the public key). – Steffen Ullrich May 11 '21 at 17:21
  • @SteffenUllrich In your previous answer you say that pinning is done against a public key or a certificate – Blazej SLEBODA May 11 '21 at 18:17
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/232246/discussion-between-steffen-ullrich-and-blazej-sleboda). – Steffen Ullrich May 11 '21 at 18:27
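The following Go program is an added example, not code from the question, the answers or their authors, and not from Charles Proxy or apktool. It ties together two points made on this page: Zombo's answer shows that adding `<certificates src="user" />` as a trust anchor makes the app accept an installed proxy root CA, which is exactly why that setting should never ship in a release build, and Steffen's answer and comment thread distinguish public-key (SPKI) pinning from whole-certificate pinning. The program generates its own throw-away keys and certificates offline (the hostname `api.example.test`, the CA names and the validity periods are constructed for the demo), takes both kinds of pin from the genuine server certificate in the base64 SHA-256 form that HPKP and Android's `<pin digest="SHA-256">` element use, and then evaluates three leaf certificates: the genuine one, a renewal with the same key, and one issued by an interception proxy's CA that has been added to the trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// host is a constructed hostname for the demo; no network connection is made.
const host = "api.example.test"

// PinResult records what a pinning app would conclude about a presented leaf:
// whether it chains to a trusted root and whether each kind of pin matches.
type PinResult struct {
	ChainValid   bool
	SPKIPinMatch bool
	CertPinMatch bool
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the pin format used
// by HPKP and by <pin digest="SHA-256"> in Android's network_security_config.xml.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// certPin hashes the whole DER certificate (public key plus serial, validity and
// the other metadata), i.e. certificate pinning rather than public-key pinning.
func certPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustIssue signs a certificate for key. With parent == nil the result is a
// self-signed CA; otherwise it is a server leaf for host issued by parent.
func mustIssue(key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, days int) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Duration(days) * 24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.Subject = pkix.Name{CommonName: "Demo CA (constructed)"}
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		parent, parentKey = tmpl, key
	} else { // server leaf
		tmpl.Subject = pkix.Name{CommonName: host}
		tmpl.DNSNames = []string{host}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// check performs the two steps a pinning app does: ordinary chain validation
// against the roots it trusts, then comparison against the pins it ships with.
func check(leaf *x509.Certificate, roots *x509.CertPool, pinnedSPKI, pinnedCert string) PinResult {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return PinResult{
		ChainValid:   err == nil,
		SPKIPinMatch: spkiPin(leaf) == pinnedSPKI,
		CertPinMatch: certPin(leaf) == pinnedCert,
	}
}

type ScenarioResult struct {
	Genuine, Renewed, Proxy PinResult
}

// RunScenario builds the genuine CA and server cert, a renewed server cert with
// the same key, and an interception proxy's CA and server cert, then evaluates
// each leaf against pins taken from the genuine certificate.
func RunScenario() ScenarioResult {
	caKey, serverKey := mustKey(), mustKey()
	ca := mustIssue(caKey, nil, nil, 3650)
	genuine := mustIssue(serverKey, ca, caKey, 90)
	pinnedSPKI, pinnedCert := spkiPin(genuine), certPin(genuine)

	// Renewal: same server key, fresh certificate (new serial and validity).
	renewed := mustIssue(serverKey, ca, caKey, 90)

	// Interception proxy: its own CA and its own server key, the situation
	// created by installing a proxy's root certificate on the device.
	proxyKey := mustKey()
	proxyCA := mustIssue(proxyKey, nil, nil, 3650)
	proxied := mustIssue(mustKey(), proxyCA, proxyKey, 90)

	// Trust store holding both roots: what <certificates src="user" /> amounts
	// to once the proxy CA has been installed as a user certificate.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	roots.AddCert(proxyCA)

	return ScenarioResult{
		Genuine: check(genuine, roots, pinnedSPKI, pinnedCert),
		Renewed: check(renewed, roots, pinnedSPKI, pinnedCert),
		Proxy:   check(proxied, roots, pinnedSPKI, pinnedCert),
	}
}

func main() {
	r := RunScenario()
	fmt.Printf("genuine cert: %+v\n", r.Genuine)
	fmt.Printf("renewed cert: %+v\n", r.Renewed)
	fmt.Printf("proxy cert:   %+v\n", r.Proxy)
}
```

All three leaves pass chain validation, because the trust store contains the proxy CA as well as the genuine one; that is the state Zombo's config produces and the reason plain PKI validation alone does not stop an HTTP monitor. The renewed certificate still matches the SPKI pin but no longer matches the certificate pin, which is the renewal advantage of public-key pinning that Steffen describes. The proxy's certificate matches neither pin, since the proxy cannot produce the operator's key pair; this is the case his answer covers, where a pinned app rejects the monitor's certificate even though the device trusts the proxy CA.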