SSL Pinning

SSL pinning, or Certificate Pinning, is a security mechanism used in mobile apps and web browsers to prevent malicious attacks by specifying a predefined SSL/TLS certificate or public key that the app or browser should trust when establishing secure connections.

This mitigates the risk of relying solely on the certificate authorities' trust system. For an attacker, bypassing it is therefore interesting, since it gives access to more data, possibly sensitive.

Basic SSL Pinning bypass takes a few steps:

  1. Install a proxy in the Android emulator’s settings


  2. Import the proxy certificate to the Android settings (commonly found under Security > Credential Storage)


  3. Intercept the HTTPS traffic or get bullied by SSL Pinning (then see Android Application Patching)

<aside> 💡 Note: if all interception techniques fail on Android, try on iOS. An iPhone jailbreak allows SSL Pinning bypass at the system level.

</aside>

Burp Suite Configuration

To intercept traffic using Burp Suite, we have to create a new proxy listener in the interface. Under Proxy > Proxy Settings > Proxy listener, add a new proxy listening on all interfaces:


This allows us to connect an interception proxy to the emulator. Then we need to install the Burp Suite proxy certificate authority to bypass SSL Pinning. To do so, we save the Burp CA via the proxy settings.

<aside> 💡 Note: save the file in DER format but use the CER extension. Otherwise the Android mobile device will not accept it.

</aside>


Finally, we drag and drop the certificate onto the emulator window. After installing it, we can capture SSL traffic from our target app.


We can analyse traffic request by request with intercept on, or just use the app and let the HTTP history capture everything so we can analyse it later.

Proxyman Configuration

Proxyman is a simple tool, but it exists only on macOS. Still, the only step required is to install the proxy certificate, which the built-in tool does automatically: