Android 7 SSL Inspection
#1
Anyone have any tricks for inspecting SSL content on Android 7?

Ever since this update, Google have prevented apps from accepting user-added 'trusted' certificates, and they drop any connections signed by untrusted certificates. This means no more MitM proxying!

Following from this link: https://blog.netspi.com/four-ways-bypass...e-pinning/

I've been de-compiling, adding the network_security_config.xml to allow all user-added certificates (and the reference in AndroidManifest.xml), re-compiling... But then, nothing. My app refuses to connect over SSL.

The app I was targeting may have had other Certificate Pinning code, so I verified this on the Wikipedia app, to the same effect.

Anyone had any similar experiences?
#2
Ah, okay.

So, I made a faulty assumption that Wikipedia wasn't doing Certificate Pinning!

The reason both failed to accept the user-trusted certificate, even with the addition of the security config, was that they are internally referencing their own certificate fingerprint.

The solution was to use the Frida framework to tap into the machine code at the entry .smali file, which then allows me to insert my own code - namely, to redefine the parameters of the Certificate Pinning functions.

It was an interesting journey so I will write a tutorial up about it soon. I think it will be reasonably valuable since it is now the only way to inspect SSL content on a non-rooted Android 7+.
#3
Looking forward to the tutorial, man! Actually I have an Android app I want to reverse engineer. I'll see if I can learn something from this.
#4
I've had luck inspecting an Android app with Fiddler where Burp Suite had issues doing the same thing.
#5
(05-24-2018, 12:58 AM) swiss wrote: I've had luck inspecting an Android app with Fiddler where Burp Suite had issues doing the same thing.

Right, but you would have been using Android < 7 for that?

Android 7+ is architected in a way that applications will not trust your custom CA certificates, which is a requirement for SSL inspection.

iOS has had this for a while; it's just annoying that mobile devices are becoming increasingly harder to attack >_<
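
Added example, not part of the original thread: a small Python audit of a network_security_config.xml like the one discussed in posts #1 and #5, reporting per scope whether user-added CAs are trusted and whether a pin-set is declared, which is useful for checking that a release build only trusts user CAs inside debug-overrides. The sample config, domain and pin value are constructed placeholders, and pinning implemented in app code (as post #2 found) is not visible to a config check like this.

```python
import xml.etree.ElementTree as ET

# Constructed sample: user CAs trusted app-wide plus one pinned domain (placeholders).
SAMPLE = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.test</domain>
    <pin-set><pin digest="SHA-256">PLACEHOLDER_BASE64_PIN=</pin></pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

def audit(xml_text, target_sdk=24):
    root = ET.fromstring(xml_text)
    # Platform default when a scope declares no trust-anchors:
    # targetSdkVersion >= 24 trusts system CAs only; <= 23 also trusts user CAs.
    default = {"system"} if target_sdk >= 24 else {"system", "user"}
    findings = []
    def visit(node, inherited, debug_only=False):
        scope = ",".join((d.text or "").strip() for d in node.findall("domain")) or node.tag
        certs = node.findall("trust-anchors/certificates")
        srcs = {c.get("src") for c in certs} if node.find("trust-anchors") is not None else inherited
        # overridePins defaults to false, except inside debug-overrides.
        dflt = "true" if debug_only else "false"
        findings.append({
            "scope": scope, "debug_only": debug_only,
            "user_ca": "user" in srcs,                    # user-added CAs trusted here
            "pinned": node.find("pin-set") is not None,   # pin-set declared on this scope
            "user_ca_overrides_pins": any(
                c.get("src") == "user" and c.get("overridePins", dflt) == "true"
                for c in certs),
        })
        for dc in node.findall("domain-config"):  # nested scopes inherit trust anchors
            visit(dc, srcs)
        return srcs
    base = root.find("base-config")
    base_srcs = default if base is None else visit(base, default)
    for dc in root.findall("domain-config"):
        visit(dc, base_srcs)
    for dbg in root.findall("debug-overrides"):  # applies only to debuggable builds
        visit(dbg, set(), debug_only=True)
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A finding with user_ca true and debug_only false is the one to flag in a release build.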