AppMon: SSL Pinning Bypass

TL;DR

This guide shows how to bypass SSL pinning in applications monitored by AppMon. We’ll cover identifying pinned certificates, using proxies like Burp Suite or OWASP ZAP to intercept and modify traffic, and then re-establishing the connection with a trusted certificate.

Understanding SSL Pinning

SSL pinning is a security technique where an application only trusts specific certificates (or their public keys) instead of relying on Certificate Authorities. This prevents man-in-the-middle attacks, but can make testing and debugging difficult if you need to intercept the traffic.

Step 1: Identify SSL Pinning

  1. AppMon Configuration Check: First, check your AppMon configuration for any explicit SSL pinning settings. Look in the ‘Diagnostics’ or ‘Security’ sections of the monitored application’s profile within the AppMon interface.
  2. Network Traffic Analysis: Use a network monitoring tool (like Wireshark) to capture traffic from the app while it connects to its server.
    • Look for certificates being presented during the TLS handshake.
    • If the application only accepts specific certificate fingerprints, SSL pinning is likely in place.
  3. Decompile/Reverse Engineer (if necessary): If you can’t find settings or see clear evidence in network traffic, you might need to decompile the app’s code and search for references to certificate pinning libraries or methods. Common libraries include TrustKit (iOS) or OkHttp (Android).
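The fingerprint check that Step 1 looks for is, in most Android and iOS apps, a comparison of the SubjectPublicKeyInfo (SPKI) hash of a certificate in the chain against a set of configured pins in the form “sha256/<base64>”, the format used by OkHttp’s CertificatePinner and TrustKit. The following Python is an added example, not code from this page or from the AppMon, OkHttp or TrustKit projects; it builds the pin strings and performs the same any-cert-in-chain match. The keys are constructed test values, and Ed25519 is used only because its SPKI DER encoding is a fixed prefix plus the raw key, so no certificate library is needed.

```python
import base64
import hashlib
from typing import Iterable, List, Set, Tuple

# RFC 8410 SubjectPublicKeyInfo for Ed25519:
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits, 32 key bytes) }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki_der(raw_public_key: bytes) -> bytes:
    """Wrap a 32-byte raw Ed25519 public key in its DER SubjectPublicKeyInfo encoding."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    return ED25519_SPKI_PREFIX + raw_public_key


def spki_pin(spki_der: bytes) -> str:
    """Pin string in the OkHttp/TrustKit format: 'sha256/' + base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def verify_chain_pins(chain_spki_der: Iterable[bytes], pins: Set[str]) -> Tuple[bool, List[str]]:
    """Return (accepted, observed_pins).

    Mirrors the usual pinning rule: the handshake is accepted if ANY certificate
    in the already-validated chain matches ANY configured pin. The observed pins
    are returned so a mismatch can be logged; an unexpected SPKI hash showing up
    in those logs is the signal that something other than the real server
    terminated TLS in front of the app.
    """
    observed = [spki_pin(der) for der in chain_spki_der]
    return any(p in pins for p in observed), observed


# Constructed keys (hypothetical values, not real deployments):
# the current server key, a backup key kept offline for rotation,
# and an unrelated key such as a local proxy CA would present.
SERVER_SPKI = ed25519_spki_der(bytes(range(0, 32)))
BACKUP_SPKI = ed25519_spki_der(bytes(range(32, 64)))
UNPINNED_SPKI = ed25519_spki_der(bytes(range(64, 96)))

# Pin set as it would be shipped in the app: always include a backup pin so a
# key rotation does not lock every installed client out of the service.
PINS = {spki_pin(SERVER_SPKI), spki_pin(BACKUP_SPKI)}


def main() -> None:
    for label, chain in (("genuine server", [SERVER_SPKI]),
                         ("rotated to backup key", [BACKUP_SPKI]),
                         ("unpinned chain", [UNPINNED_SPKI])):
        ok, seen = verify_chain_pins(chain, PINS)
        status = "accepted" if ok else "REJECTED"
        print(f"{label}: {status}; observed pins = {seen}")


if __name__ == "__main__":
    main()
```

Run it as-is to see one accepted and one rejected chain; replace the constructed keys with the DER SPKI blocks extracted from a real certificate chain (for example from a Wireshark capture of the handshake) to compute the pins an app would have to carry.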

Step 2: Setting up a Proxy

We’ll use Burp Suite as an example, but OWASP ZAP works similarly.

  1. Download and Install Burp Suite: Download the Community Edition from PortSwigger and install it.
  2. Configure Burp’s Proxy Listener: By default, Burp listens on 127.0.0.1:8080. Ensure this port is accessible from your device or emulator.
  3. Configure the App to Use the Proxy: This varies depending on the platform:
    • Android: Configure Wi-Fi settings to use a manual proxy with Burp’s IP address and port. You may need to install a trusted certificate for Burp in your Android device’s trust store.
    • iOS: Similar to Android, configure the Wi-Fi network to use a manual proxy. Install the Burp Suite CA certificate on your iOS device through Safari (Burp provides instructions).

Step 3: Intercepting and Modifying Traffic

  1. Start AppMon Monitoring: Begin monitoring the application with AppMon before intercepting anything, so you can observe how the bypass affects data collection.
  2. Capture Traffic in Burp Suite: Launch the app and initiate a network connection (e.g., login, data retrieval). Burp should intercept the traffic.
  3. Locate the TLS Handshake: In Burp’s Proxy history, find the initial HTTPS request that establishes the secure connection.
  4. Replace the Certificate:
    • In Burp Suite’s ‘Proxy’ -> ‘Options’ tab, go to ‘SSL Settings’.
    • Under ‘Certificate Authority’, select your own trusted CA certificate (e.g., one generated by Burp itself).
    • Burp will now attempt to replace the server’s certificate with yours during the TLS handshake.

Step 4: Re-establishing Connection and Verifying Bypass

  1. Forward the Modified Request: In Burp, forward the modified request to the server.
  2. Check for Successful Connection: If SSL pinning was bypassed, the app should connect successfully using your trusted certificate. You’ll see the connection established in Burp Suite.
  3. Verify AppMon Data Collection: Crucially, confirm that AppMon continues to collect data from the application after bypassing the pinning. Check for transaction traces, error logs, and performance metrics within the AppMon interface. If data collection is disrupted, you may need to adjust your proxy settings or investigate further.

Important Considerations

  • Security Risks: Bypassing SSL pinning weakens security. Only do this in controlled testing environments.
  • App Behavior: Some apps have more robust pinning implementations and may detect proxy usage or certificate changes, leading to crashes or unexpected behavior.
  • Certificate Trust Store: Ensure your trusted CA certificate is properly installed on the device/emulator.