What is Inspeckage (Android Package Inspector)
Inspeckage is a tool used for Dynamic Security Analysis of Android Mobile Applications. Inspeckage apply hooks to functions of the Android API to perform Dynamic Analysis. We can write our own hooks as well. We will be using the "
SSL uncheck (bypass certificate pinning - JSSE, Apache, and okhttp3)" to bypass the SSL Pinning of a mobile application. Other than the SSL uncheck action, Inspeckage has actions such as Start any activity, Call any provider and Start, stop and restart the application.
How to Install Inspeckage
This is a basic guide of how to install and configure "Inspeckage". Because when you install and configure the Inspeckage, bypassing SSL Pinning is just a matter of ticking and unticking a checkbox.
You must have a rooted device or emulator to use Inspeckage hooks. In order to successfully bypass SSL Pinning with Inspeckage, the application under test must be allowed to run on a rooted device or emulator. I will be using "
Genymotion" personal use for this demonstration.
Following is my "Genymotion" emulator
|
Genymotion emulator specifications |
After installing and downloading an emulator with Genymotion, you can start the emulator. Now you need to install the "
Xposed" module. Make sure you install the correct Xposed version based on your android version. For the above-selected emulator, the
Xposed version given on the link is suitable. Download the Xposed apk and install it on the emulator.
When you have installed the Xposed module, launch the Xposed module and click on the Framework option and click on Install option to install the framework. Then you need to reboot the device or emulator. Now you should have successfully installed and configure the Xposed module.
Then go to Downloads in Xposed and search for Inspeckage. Download and Install the "Inspeckage" as well. As the last step of installing and configuring Inspeckage, go to the "Modules" and click on the checkbox to enable "Inspeckage" with Xposed.
|
Installing Inspeckage with Xposed |
|
Running Inspeckage |
Now you are ready to use "Inspeckage" and bypass SSL Pinning with "Inspeckage" hooks. Go to Android applications and now, you should see the "Inspeckage" icon among the applications. Click on the icon and open "Inspeckage"
You will see three URL saying that the "service is started on" open your browser and go to a URL. A web page will be load with the "Inspeckage" web portal.
Now the environment is ready to bypass SSL Pinning.
Bypass SSL Pinning with Inspeckage
Now it is straight forward. Click on the dropdown of "Inspeckage" saying "choose target" and select the application that you want to bypass SSL Pinning. Click the "Launch App" to start the app. Refresh your web portal to see. you should see the application details with default hooks used by "Inspeckage"
|
Inspeckage Web Portal |
Now navigate to the settings from the Inspeckage web portal and just click and switch on the "SSL uncheck" option. You have successfully bypassed the SSL Pinning of the selected application.
|
Inspeckage Web Portal Settings |
As a bonus, You can use all other hooks available with Inspeckage.
This article intends to use with security testing, ethical hacking, and to increase the awareness of cybersecurity. Any malicious use is not intended.
Reference
Inspeckage - http://ac-pm.github.io/Inspeckage/, https://github.com/ac-pm/Inspeckage
Genymotion - https://www.genymotion.com/
Xposed - https://repo.xposed.info/module/de.robv.android.xposed.installer