Hello Security Champs!! As you are aware, intercepting HTTPS traffic is a necessity in mobile security assessments. In Android Nougat and later versions, apps don’t trust client certificates anymore :-(
I was facing a challenge while performing a security assessment. I got the error message “Received fatal alert: certificate_unknown” in Burp Suite. Have you got one?
The app under test was showing a java.security.cert.CertPathValidatorException error.
After googling for a while, I came across an amazing tool for bypassing SSL pinning.
Prerequisites are as follows:
- Rooted Android device / testing emulator
- Frida framework
- Objection framework
- ADB tool
- Proxy tool
I have already installed the CA cert on the device.
Step 1: Connect the Android device using ADB
I have connected the Android device to the computer using a USB cable, making sure that USB debugging is enabled in Android.
Of course! No need for a cable with emulators like Genymotion :-P
Test the connection using the adb command
adb devices
If the device is not shown as connected, then use the connect command
adb connect <IP of Android device>
Step 2: Copy Frida Server to the Android device
Download frida-server from GitHub and copy it only to the tmp directory of the Android device.
adb push frida-server-12.9.7-android-x86 /data/local/tmp
Step 3: Start frida server with commands
We have frida-server in the tmp directory. Change the permission of the file and start it.
adb shell
cd /data/local/tmp
ls -ltr
chmod 755 frida-server-12.9.7-android-x86
exit
adb shell "/data/local/tmp/frida-server-12.9.7-android-x86 &"
To ensure everything is working fine, check with the frida-ps -U command.
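The frida-server build pushed in Step 2 has to match the CPU architecture of the device or emulator, otherwise the binary will not start. The helper below is an added example, not part of the original post; the function names are hypothetical, and it assumes the release file naming frida-server-<version>-android-<arch> seen in the commands above.

```shell
#!/bin/sh
# Added example (not from the original post): check that a frida-server
# file matches the device CPU before pushing it. Function names are made up.

# Map an Android ABI (value of ro.product.cpu.abi) to the architecture
# suffix used in frida-server release file names.
abi_to_frida_arch() {
    case "$1" in
        arm64-v8a)            echo arm64 ;;
        armeabi-v7a|armeabi)  echo arm ;;
        x86_64)               echo x86_64 ;;
        x86)                  echo x86 ;;
        *)                    return 1 ;;
    esac
}

# Extract the architecture suffix from a name such as
# frida-server-12.9.7-android-x86 (an optional .xz extension is ignored).
frida_file_arch() {
    name=$(basename "$1")
    name=${name%.xz}
    case "$name" in
        frida-server-*-android-*) echo "${name##*-android-}" ;;
        *) return 1 ;;
    esac
}

# Return 0 when the file matches the ABI, 1 on mismatch, 2 on bad input.
check_frida_build() {   # usage: check_frida_build <file> <abi>
    want=$(abi_to_frida_arch "$2") || { echo "unknown ABI: $2"; return 2; }
    have=$(frida_file_arch "$1")   || { echo "unrecognised file name: $1"; return 2; }
    [ "$want" = "$have" ] && return 0
    echo "mismatch: device needs android-$want, file is android-$have"
    return 1
}

# Read the ABI from the connected device over adb and run the check.
preflight() {           # usage: preflight <frida-server file>
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    check_frida_build "$1" "$abi"
}
```

Source the file and run preflight frida-server-12.9.7-android-x86 before the adb push; a non-zero exit status means the download does not fit the connected device.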
Step 4: Bypass SSL Pinning using Objection
Run this command to open the Objection framework
objection --gadget <app package name> explore
In the Objection framework, run this command to bypass SSL pinning
android sslpinning disable
Hurray!! The error is resolved. I am able to intercept API traffic.
Conclusion:
- Using Objection, API traffic interception issues can be resolved
- Application SSL pinning is implemented by the developer to enhance the security of the app and its API