SSL Pinning Bypass with Frida and effective Mitigation techniques
Introduction
In an era of unprecedented digital transformation, securing sensitive data and communications has never been more critical. One of the significant challenges organizations face is ensuring the integrity and confidentiality of data exchanged between mobile applications and servers. To safeguard this communication, SSL Pinning has become a standard practice. However, as cybersecurity threats evolve, so do the methods employed by cybercriminals to breach security measures. This blog post delves into the crucial role of Frida, a dynamic instrumentation toolkit, in bypassing SSL Pinning. Furthermore, we will explore secure coding practices aimed at preventing SSL Pinning bypass, empowering business organizations with the knowledge required to enhance their mobile application security.
SSL (Secure Sockets Layer)
SSL (Secure Sockets Layer) is a critical encryption-based internet security protocol. Originally conceived by Netscape in 1995, its primary purpose was to ensure privacy, authentication, and data integrity in online communications. SSL is the precursor of today’s widely used TLS (Transport Layer Security) protocol. Before we delve into SSL Pinning, let's have a quick look at HTTP/HTTPS and SSL/TLS.
HTTP VS HTTPS
Figure 1 illustrates the distinctions between HTTP and HTTPS, highlighting their respective characteristics.
Figure 1: HTTP VS HTTPS
How SSL/TLS works
Figure 2: Working of SSL/TLS
SSL/TLS ensures secure internet communication through the following steps:
• Encryption: SSL encrypts transmitted data, rendering it unreadable to anyone who intercepts it.
• Authentication: SSL initiates a handshake between communicating devices to verify their legitimacy.
• Data Integrity: SSL digitally signs data to maintain its integrity and confirm that it hasn’t been tampered with.
SSL Pinning bypass
Figure 3: SSL Pinning Bypass Architecture
SSL Pinning can be circumvented if it is not implemented or configured correctly. Two common approaches for bypassing SSL Pinning are as follows:
1. Objection Framework
Objection is a runtime mobile exploration tool powered by FRIDA, designed for assessing the security of mobile applications without requiring a jailbroken or rooted device. It offers predefined scripts and commands to exploit vulnerabilities.
Steps to Reproduce:
Installing Objection is straightforward.
NOTE: Install Python and add it to the PATH to avoid any obstacles.
After installing Python and its required packages, we’ll use the ‘pip’ tool to install Objection on the system:
pip install objection
Figure 4: Installing Objection using pip
Note: In Figure 4 the requirements are reported as already satisfied, which means Objection was already installed on this system.
After the successful installation of Objection, it’s essential to check for proper functionality. To do this, execute the “objection” command to confirm that it runs smoothly.
Figure 5: Objection Installed and Running properly
With the successful installation of all prerequisites, the next step is to bypass SSL pinning as follows:
• Execute the command: “objection -g PACKAGE_NAME explore” (where ‘-g’ specifies the gadget; replace PACKAGE_NAME with the application’s package name).
• As previously mentioned, predefined scripts are available; invoke the SSL pinning one with the command “android sslpinning disable”.
• This action will open the desired application on the device.
• The Frida server must be running on the Android device for Objection to attach from the host system.
• Proceed by clicking on “send request” to confirm that SSL pinning has been bypassed.
Figure 6: Successfully Bypassed SSL Pinning
2. Frida
Steps to Reproduce:
As shown in Figure 7 below, a script is utilized to bypass SSL pinning.
To accomplish this, perform the following steps:
“frida -U -l frida-multiple-unpinning.js -f infosecadventures.allsafe”
-U connects to the device attached over USB
-l loads the named Frida script
-f spawns the application with the given package name
Figure 7: Frida tool execution
Figure 8: Unpinning SSL using Frida
Figure 9: Successful SSL Pinning Bypass
Figure 10: SSL Unpinning Bypass
Impact
• Attackers can intercept and read communications between the application and the server.
• If the application is not properly secured, sensitive information may be exposed, leading to compromise or unauthorized access.
Effective Measures for Mitigation
a. Strong SSL/TLS Configuration
SSL/TLS protocols are responsible for securing the communication between your app and external servers. To mitigate potential vulnerabilities, carefully configure your app to use the latest, most secure versions of these protocols. Additionally, enforce strong encryption algorithms, key lengths, and certificate validation procedures. By doing so, you’ll establish a secure foundation for data transmission and reduce the risk of attackers successfully tampering with the SSL Pinning mechanism.
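As an added example (not from the original post), the Android network security configuration below (res/xml/network_security_config.xml, referenced from the manifest via android:networkSecurityConfig) shows a weak configuration next to a hardened one that applies the certificate validation points above. The domain api.example.com, the pin values and the expiration date are placeholders to be replaced with your own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: Android network_security_config.xml.
     Domain, pins and date are placeholders, not real values. -->
<network-security-config>

    <!-- WEAK (commented out): trusts user-installed CAs, allows cleartext
         and pins nothing, so any CA added to the user store is accepted. -->
    <!--
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- HARDENED: only the system CA store, no cleartext traffic at all. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the backend's SubjectPublicKeyInfo (SPKI) SHA-256 hashes.
         Two pins (live key plus a backup key kept offline) so a key
         rotation does not lock users out, and an expiration date so an
         app that is never updated falls back to normal CA validation
         instead of failing permanently. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2025-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Only honoured when android:debuggable is true, so testers can use
         their own CA in debug builds without weakening release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

A pin value is the base64 SHA-256 of the certificate's public key, e.g. `openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`. Note that this configuration is enforced by the app's own TLS stack, so runtime instrumentation of the kind shown above can still disable it; it raises the bar rather than removing the risk.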
b. Avoid Hardcoding or Storing Sensitive Data
To prevent SSL Pinning bypass attacks, avoid hardcoding or storing sensitive data, such as API keys, passwords, or encryption keys, directly in your app’s code. Instead, utilize secure storage mechanisms like Android Keystore or iOS Keychain to store sensitive data securely. This practice reduces the chances of attackers gaining access to critical information even if they manage to bypass SSL Pinning.
c. Regular Security Testing
Continuous security testing is essential for identifying and addressing vulnerabilities that could be exploited to bypass SSL Pinning. Implement routine security assessments and penetration testing of your mobile application. Regularly scan for weaknesses in the SSL Pinning implementation and assess the overall security posture of your app. By conducting frequent security tests, you can stay ahead of emerging threats, apply timely patches, and ensure that your SSL Pinning mechanisms remain effective.
d. Implement the Principle of Least Privilege
To minimize the risk of SSL Pinning bypass attacks, adhere to the principle of least privilege. This means that each component of your application should only have the minimum level of access necessary to perform its functions. Limit permissions, user privileges, and API access to the bare essentials required for the app’s operation.
e. Encrypt Sensitive Data
In addition to protecting sensitive data from unauthorized access, it’s essential to encrypt this data both at rest and in transit. Use strong encryption algorithms to encode data before storing it on the device or transmitting it over the network. This added layer of security ensures that even if SSL Pinning is bypassed, intercepted data remains unreadable to malicious actors.
f. Code Obfuscation
Code obfuscation is a practice that involves intentionally making your application’s source code more challenging to understand or reverse-engineer. Through code obfuscation, you can discourage attackers from uncovering weaknesses in your SSL Pinning implementation. Obfuscation tools modify variable and function names, alter control flow, and add extraneous code to confuse reverse engineers. While it doesn’t provide absolute security, it significantly increases the effort required for attackers to analyze your app’s code and devise methods for bypassing SSL Pinning.
Conclusion
With the daily increase in the use of mobile devices and mobile applications, the security threats related to them are also ever-evolving. Organizations must remain vigilant and proactive in protecting their mobile applications and the sensitive data they handle.
Understanding the role of Frida in SSL Pinning bypass is essential for both cybersecurity professionals and developers. To enhance security and maintain customer trust, businesses can recognize potential risks, utilize Frida for legitimate security research, and implement secure coding practices.
As we look to the future, staying informed about emerging threats and continuously enhancing security measures will be crucial in safeguarding the digital assets and reputation of organizations worldwide.
Image References:
• https://www.guru99.com/difference-http-vs-https.html
• https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html
• https://www.cyclon3.com/bypass-facebook-ssl-certificate-pinning-for-ios