This article covers some of the techniques our GLSB Red-Teaming uses to analyze the requests made by an Android APK application. Mobile applications often send sensitive data through POST or GET requests, so in today's tutorial we show how we bypass Android SSL pinning.
A little bit of introduction to SSL Pinning
An app can further protect itself from fraudulently issued certificates by a technique known as pinning. This is basically using the example provided in the unknown CA case above to restrict an app's trusted CAs to a small set known to be used by the app's servers. This prevents the compromise of one of the other 100+ CAs in the system from resulting in a breach of the app's secure channel.
https://developer.android.com/training/articles/security-ssl#Pinning
Tools Required
- APK Easy Tools (https://forum.xda-developers.com/android/software-hacking/tool-apk-easy-tool-v1-02-windows-gui-t3333960)
- Rooted Android (mine is currently on Android 7.0 Nougat)
- Text Editor (mine is Sublime)
- Additional Tools: Xposed Framework, SSL Unpinning Module
Step #1
We downloaded the APK file with an online tool, https://apkcombo.com/en-my/apk-downloader/; the example app here is StormX. Once the APK has been downloaded, we need to decompile it with APK Easy Tool so we can edit it. The decompiled code will be found at C:\Users\<redacted>\Documents\APK Easy Tool\1-Decompiled APKs
Step #2
Fire up your text editor and add the project folder. We only touch one existing file (AndroidManifest.xml) and create one new file (/res/xml/network_security_config.xml). Note that this change only makes user-installed CAs trusted, which Android 7+ refuses by default; pinning implemented in the app's own code is unaffected, which is what the Xposed SSL Unpinning module listed above is for. Here is what we touch.
AndroidManifest.xml
Add this attribute to the <application></application> tag.
android:networkSecurityConfig="@xml/network_security_config"
/res/xml/network_security_config.xml
Add this code to the file.
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
Step #3
Once that is done, use APK Easy Tool to recompile the code back into an .APK. The edited APK file will be created at C:\Users\<redacted>\Documents\APK Easy Tool\2-Recompiled APKs
Step #4
Install the APK on your rooted Android phone and route its traffic through a web debugging proxy such as Burp or Charles. From there you can see every request the application makes, and use your creativity to explore further 🙂
Explore more on our Red-Teaming penetration test at
Hope this helps you explore more of Android penetration testing. If you have any suggestions or questions, feel free to contact us.