Intercepting SSL Pinned Connections on Android

Reverse engineering crappy IoT apps is a hobby of mine, but a lot of them have started to pin certificates so you cannot see what they are doing behind the scenes. I have put this tutorial together to show how to bypass that pinning on Android 😉.

About the Author

My name is Josh Mulliken and I am a Product Security Engineer at Red Hat. I also maintain an integration for Home Assistant that allows users to control Wyze devices.

The code for that can be found on Github 👇

Feel free to visit my site if you want to connect!

Requirements

  • OWASP ZAP
  • Frida
  • Rooted Android phone

    ⚠️ Since the apps we are interested in are not debuggable we have to be root

Getting Started

Installing Requirements

  1. Install OWASP ZAP: brew install owasp-zap

    ✅ It is available on basically all platforms: https://www.zaproxy.org/download/

  2. Install Frida: pip3 install frida-tools

Configure your phone to work with OWASP Zap

  1. Open "Options"
  2. In "Options" click "Local Proxies" and add a new proxy with an IP address that is accessible from the phone.

    NOTE: Be sure to enable "Behind NAT" if you are using a private IP (you should be)

  3. Export the certificate by going to "Dynamic SSL Certificate" and saving the certificate to a path on your machine.
  4. Add the cert to your Android phone. I used adb push and then installed it in settings.
  5. Add the proxy to your network config. Go to "Wi-Fi" → click on the ⚙️ next to your network → click on the ✏️ → under Proxy change "None" to "Manual" and add the IP address and port that you configured in Step 2

Setup and Run Frida

  1. On a rooted Android phone install frida-server with the instructions here: https://frida.re/docs/android/ or use ‣ to install it for you and run it on boot
  2. Get the app id of the app you are interested in by running: frida-ps -Ua
  3. Download the unpinning script for Frida here: https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/main/frida-script.js
  4. Run and instrument the app with: frida --no-pause -U -l ./frida-script.js -f <YOUR_APP>
  5. You should see connections from the app start to appear in your OWASP ZAP history window
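To see what the unpinning script is neutralising, here is an added example (not from the original post) that models the check a pinning library such as OkHttp's CertificatePinner performs: it hashes the SubjectPublicKeyInfo of each certificate in the server chain and accepts the connection only if one hash matches a pin configured for the host. Because ZAP re-signs the leaf with its own CA and key, no SPKI in the proxied chain matches, which is why the hook in the Frida script is needed. The SPKI byte strings and the pin table are constructed for the example; wildcard matching follows OkHttp's documented "*." and "**." rules.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin string in the OkHttp format: 'sha256/' + base64(SHA-256(DER SPKI))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pattern_matches(pattern: str, hostname: str) -> bool:
    """OkHttp pin patterns: exact host, '*.x' (exactly one extra label), '**.x' (x or any depth)."""
    if pattern.startswith("**."):
        suffix = pattern[3:]
        return hostname == suffix or hostname.endswith("." + suffix)
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not hostname.endswith("." + suffix):
            return False
        return "." not in hostname[: -len(suffix) - 1]  # only one label may precede the suffix
    return pattern == hostname


def check_pins(pins: dict, hostname: str, chain_spkis: list) -> bool:
    """Return True if the presented chain satisfies the pins that apply to hostname.

    Hosts with no applicable pin fall back to ordinary trust-store validation,
    which is modelled here as 'accept'.
    """
    applicable = {pin for pat, pinset in pins.items() if pattern_matches(pat, hostname) for pin in pinset}
    if not applicable:
        return True
    return any(spki_pin(spki) in applicable for spki in chain_spkis)


# Constructed sample data: placeholder bytes stand in for DER-encoded SubjectPublicKeyInfo blobs.
REAL_SERVER_SPKI = b"constructed-spki-of-the-real-backend-key"
PROXY_LEAF_SPKI = b"constructed-spki-of-the-zap-generated-leaf-key"
APP_PINS = {"api.example.com": {spki_pin(REAL_SERVER_SPKI)}}


def proxied_connection_accepted(hostname: str = "api.example.com") -> bool:
    """Outcome of the pin check when ZAP is in the middle and the app is NOT hooked."""
    return check_pins(APP_PINS, hostname, [PROXY_LEAF_SPKI])


if __name__ == "__main__":
    print("direct:", check_pins(APP_PINS, "api.example.com", [REAL_SERVER_SPKI]))
    print("via ZAP:", proxied_connection_accepted())
```

With the hook in place the app never reaches this comparison, so the ZAP-issued chain is accepted and the request shows up in the history window.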

Congratulations, you now have access to the traffic! Now please go out and make a new Home Assistant integration for your favorite IoT crap.

Šī¸ 2021. Mulliken LLC. All rights reserved