TL;DR
Public key pinning adds a layer of security to apps by verifying the server’s certificate against a pre-defined list. This guide shows how attackers can bypass this protection using techniques like man-in-the-middle attacks, outdated app versions, and tools that intercept and modify network traffic.
Understanding Public Key Pinning
Public key pinning prevents malicious certificates from being accepted by an application. Instead of trusting any certificate authority (CA), the app only trusts specific certificates or public keys. If a server presents a certificate not on the trusted list, the connection is refused.
How Attackers Bypass Pinning
- Man-in-the-Middle (MitM) Attacks: This is the most common approach.
  - Intercept Traffic: Use a proxy like Burp Suite or mitmproxy to intercept communication between the app and the server.
  - Generate a Fake Certificate: Create a certificate for the target domain that matches the pinned public key (or one of them). Tools can automate this process.
  - Install the Fake Certificate: Add the fake certificate to your proxy's trust store and/or the device's trusted certificates (requires root access or user intervention on some devices).
  - Forward Traffic: Configure the proxy to forward traffic to the real server after presenting the fake certificate.
- Exploiting Weak Pinning Implementations: Some apps implement pinning incorrectly.
  - Pin Validation Logic Flaws: Check whether the app validates all pins correctly or has vulnerabilities in its validation process.
  - Incomplete Pin Sets: If an app only pins a single certificate, it is easier to bypass by obtaining that certificate and using it for your fake certificate.
- Outdated App Versions: Older versions of apps may have weaker or no pinning implementations.
  - Downgrade the App: If possible, install an older version of the app that doesn't use pinning or has a less secure implementation.
  - Target Vulnerable Builds: Focus attacks on app versions known to be susceptible to pinning bypasses.
- Using Tools for Automated Pinning Bypass: Several tools simplify the process.
  - Frida: A dynamic instrumentation toolkit that allows you to inject JavaScript code into running processes, including apps, and modify their behaviour at runtime. You can use Frida to bypass pinning checks directly in memory.

        frida -U -f com.example.app -l bypass_pinning.js

  - Objection: A powerful Android app analysis tool that includes features for bypassing SSL pinning and other security measures.

        objection explore -g com.example.app

    Then, within the Objection shell:

        android sslpinning disable
- Certificate Transparency (CT) Issues: If a certificate isn't properly logged in CT logs, it might be easier to bypass pinning.
  - Check CT Logs: Use tools like crt.sh to verify whether the server's certificates are correctly logged in CT logs.
  - Exploit Missing Logs: If a certificate is missing from CT logs, you may be able to create a fake certificate without being detected by pinning checks.
Mitigation
Developers can strengthen public key pinning by:
- Pin Multiple Certificates: Pin multiple certificates, including backup certificates, to avoid issues with certificate rotation.
- Implement Robust Validation: Ensure the app validates all pins correctly and handles invalid certificates gracefully.
- Regularly Update Pins: Keep the pinned certificate list up-to-date with any changes in the server’s certificates.
- Use a Secure Pinning Library: Utilize well-vetted pinning libraries that provide secure and reliable implementations.
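The pin-set validation these points describe, as an added example that is not from the original post: standard-library Python that extracts the subjectPublicKeyInfo from a DER certificate, computes the base64 SHA-256 SPKI pin (in the sha256/ prefixed form OkHttp's CertificatePinner uses), and accepts a leaf only if its pin is in the configured set of primary plus backup pins, refusing to fail open on an empty set. build_test_cert and the field names are assumptions of this example; it builds an unsigned certificate shell for testing only, and the minimal DER walker assumes well-formed input.

```python
import base64
import hashlib

def der_tlv(tag, value):
    """Encode one DER TLV, using long-form length where needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_children(data):
    """Split a DER body into (tag, full_tlv, value) tuples, in order."""
    out, i = [], 0
    while i < len(data):
        tag, n, j = data[i], data[i + 1], i + 2
        if n & 0x80:  # long-form length: low bits give the byte count
            k = n & 0x7F
            n, j = int.from_bytes(data[j:j + k], "big"), j + k
        out.append((tag, data[i:j + n], data[j:j + n]))
        i = j + n
    return out

def extract_spki(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate."""
    tbs = der_children(der_children(cert_der)[0][2])[0][2]  # Certificate -> tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # optional explicit [0] version comes first
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def spki_pin(spki_der):
    """sha256/<base64> pin over the DER SPKI (hash covers tag and length too)."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_matches(cert_der, pin_set):
    """Accept only if the leaf's SPKI pin is in the configured primary+backup set."""
    if not pin_set:
        raise ValueError("empty pin set: refusing to fail open")
    return spki_pin(extract_spki(cert_der)) in set(pin_set)

def build_test_cert(spki_der):
    """Constructed, unsigned certificate shell around a given SPKI (test data only)."""
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
           + der_tlv(0x30, b"") * 4 + spki_der)  # empty sigalg/issuer/validity/subject
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```

Rotating to a certificate whose key is already in the set (the backup) passes without an app update, while a certificate carrying any other key is rejected.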