
I've spent the past 4 months trying to bypass certificate pinning in the Facebook Android application so I can understand how it works, but I'm having trouble doing so.

I have tried using Android SSL Trust Killer and Cydia Substrate, but there seems to be some other verification mechanism. I have tried altering the smali code as explained here:

http://blog.dewhurstsecurity.com/2015/11/10/mobile-security-certificate-pining.html

I was able to view two requests (one of which is shown in the last screenshot of the provided link); however, the app seems to apply some other protection mechanism, because when trying to log in to an account, it gives an error message saying: "ssl3_get_server_certificate certificate verify failed"

I have tried every public tutorial I could find online to no avail, I would appreciate any input on how to do this.

I'd also be happy to provide the decompiled source code, apk, and the modified apk if needed.

John Avery
  • Patch the Java code to ignore pinning. The tutorial you linked explains how. – Vitaly Osipov Mar 15 '16 at 07:06
  • I followed that tutorial but, as I said, there is still some other verification mechanism that I can't find. – John Avery Mar 15 '16 at 09:35
  • Read the decompiled code, search for the error message. Patch the logic out. Recompile and re-sign. – Vitaly Osipov Mar 16 '16 at 00:29
  • The error message doesn't appear in the decompiled code. I've been trying to modify parts of the code and recompile & resign to test it out for the past 4 months and I still am, but I still haven't made any breakthrough yet, hence my post here. – John Avery Mar 17 '16 at 19:27
  • Sorry, this is an error coming from SSL, not the app itself. You might end up having to recompile SSL libraries for your Android, or do something along the lines of https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/january/bypassing-openssl-certificate-pinning-in-ios-apps/. I am not too familiar with how pinning is set up in client code, but I bet there are ways to disable it even without replacing SSL libs. Nop it all out, not just the parts described in the blog post :) – Vitaly Osipov Mar 18 '16 at 21:42
  • @JohnAvery did you figure it out? – Arya Aug 03 '16 at 19:40
  • @Arya no my attempts weren't successful. I believe frida as suggested by lulzpwner would be able to bypass it, however I wasn't able to try it out due to the following reasons: frida only supports ARM, Google's emulator is too slow, frida doesn't work on x86 emulators even with ARM translation. I tried using my android device but I faced an error I couldn't find a solution to. – John Avery Aug 03 '16 at 23:55
  • @JohnAvery Could it be possible that the Facebook app is ignoring the Android proxy settings? maybe that is the main issue? – Arya Aug 20 '16 at 10:17
  • That's exactly what it does, it only accepts trusted certificates that are stored somewhere inside the app. – John Avery Aug 20 '16 at 19:31
  • @JohnAvery The proxy settings and the trusted certificates are different issues. Maybe you have done the certificate unpinning correctly, but the traffic is not being forced through the proxy since you are using the built-in Android proxy setting. The built-in proxy setting does not guarantee that the traffic will pass through the proxy. Apps can ignore the built-in proxy setting. – Arya Aug 20 '16 at 21:41
  • Sorry, I was in a hurry and didn't read your question correctly. I have tried apps that force all traffic through the specified proxy and also tried forcing all the traffic coming from the android emulator through the proxy before attempting unpinning, so I'm sure the problem is caused by the pinning. – John Avery Aug 21 '16 at 20:03

1 Answer

Use Xposed. Learn the API; it is the way you should hook & manipulate Android apps.

  • Xposed + JustTrustMe

Xposed module (thx Fuzion24). The method calls you're looking for are in the below source file:

https://github.com/Fuzion24/JustTrustMe/blob/master/app/src/main/java/just/trust/me/Main.java

After you learn Xposed, move to Frida, use it and study it. Then you will be ready to play with the run-time modification big kids :-)

lulzpwner
    I installed Xposed and JustTrustMe and tried it but the pinning is still there. According to JustTrustMe explanation on github, it should have worked, so I'm assuming there is a custom pinning functionality implemented.

    Thanks for your suggestion, I will try and make time to study this. If you have any book/tutorial recommendations to get me started please let me know.

    – John Avery Mar 17 '16 at 19:37
  • JustTrustMe worked for me, but I needed to reboot after installing and activating the module. – jcady May 08 '17 at 21:14
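The following is an added example, not part of the answer above and not JustTrustMe's own code: a minimal Xposed module in the same spirit as JustTrustMe, reduced to the three hook points that cover most Java-level TLS validation and OkHttp pinning. The package name `example.unpin`, the class name `UnpinModule` and the `TARGET_PACKAGE` value are placeholders to be replaced with the app under test. One caveat the thread itself points at: the string quoted in the question, `ssl3_get_server_certificate certificate verify failed`, is an OpenSSL error message, so it is produced by certificate verification running in native code, and Xposed can only hook Java methods. A module like this will not reach a TLS stack the app bundles as a native library; for that case the answer's advice to move to Frida applies, since Frida can also hook native symbols.

```java
package example.unpin;  // hypothetical package name for this example

import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

/**
 * Minimal Xposed module that disables Java-level TLS validation and OkHttp
 * certificate pinning in one target app (same idea as JustTrustMe).
 *
 * Packaging, as for any Xposed module:
 *   - assets/xposed_init contains the line: example.unpin.UnpinModule
 *   - the <application> element in AndroidManifest.xml carries the meta-data
 *     entries xposedmodule=true, xposedminversion=54 and xposeddescription
 *   - XposedBridgeApi is a compile-only ("provided") dependency
 */
public class UnpinModule implements IXposedHookLoadPackage {

    // Assumption: set this to the package name of the app under test.
    private static final String TARGET_PACKAGE = "com.example.target";

    // A trust manager that accepts every chain. It is only ever injected
    // into the process of TARGET_PACKAGE on a test device.
    private static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) {
        if (!TARGET_PACKAGE.equals(lpparam.packageName)) return;
        final ClassLoader cl = lpparam.classLoader;
        XposedBridge.log("UnpinModule: hooking " + lpparam.packageName);

        // 1. Every SSLContext the app initialises gets TRUST_ALL, whatever
        //    TrustManager[] the app tried to pass (custom pinning managers
        //    included). Covers HttpsURLConnection, OkHttp, Volley and friends.
        tryHook("SSLContext.init", new Runnable() { public void run() {
            XposedHelpers.findAndHookMethod("javax.net.ssl.SSLContext", cl, "init",
                KeyManager[].class, TrustManager[].class, SecureRandom.class,
                new XC_MethodHook() {
                    @Override protected void beforeHookedMethod(MethodHookParam param) {
                        param.args[1] = new TrustManager[] { TRUST_ALL };
                    }
                });
        }});

        // 2. The platform's default trust manager, used when the app never
        //    calls SSLContext.init itself. Signature as in Conscrypt's
        //    TrustManagerImpl; wrapped so an Android version without this
        //    overload just logs instead of breaking the other hooks.
        tryHook("TrustManagerImpl.checkServerTrusted", new Runnable() { public void run() {
            XposedHelpers.findAndHookMethod("com.android.org.conscrypt.TrustManagerImpl", cl,
                "checkServerTrusted", X509Certificate[].class, String.class, String.class,
                new XC_MethodReplacement() {
                    @Override protected Object replaceHookedMethod(MethodHookParam param) {
                        // Return the chain unmodified, as a successful check would.
                        return Arrays.asList((X509Certificate[]) param.args[0]);
                    }
                });
        }});

        // 3. OkHttp checks its pins after the handshake, independently of the
        //    trust manager, so hooks 1 and 2 are not enough for OkHttp apps.
        //    Neutralise CertificatePinner.check for both OkHttp 2 and OkHttp 3.
        for (final String pinner : new String[] {
                "com.squareup.okhttp.CertificatePinner", "okhttp3.CertificatePinner" }) {
            tryHook(pinner + ".check", new Runnable() { public void run() {
                XposedHelpers.findAndHookMethod(pinner, cl, "check",
                    String.class, List.class, XC_MethodReplacement.DO_NOTHING);
            }});
        }
    }

    // A missing class or method (library not bundled, different version) is
    // logged and skipped rather than aborting the remaining hooks.
    private static void tryHook(String what, Runnable hook) {
        try {
            hook.run();
            XposedBridge.log("UnpinModule: hooked " + what);
        } catch (Throwable t) {
            XposedBridge.log("UnpinModule: could not hook " + what + ": " + t);
        }
    }
}
```

After installing the module, enable it in the Xposed Installer and reboot (as the comment above notes, the hooks are not live until the next boot); then watch the Xposed log for the "hooked" and "could not hook" lines to see which of the three targets actually existed in the app. If every Java hook reports success and the app still fails with an OpenSSL error string, the verification is happening in native code and the Java layer is the wrong place to look.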