Wednesday, March 4, 2020

SSL Pinning Bypass with "Inspeckage - Android Package Inspector"

What is Inspeckage (Android Package Inspector)


Inspeckage is a tool for dynamic security analysis of Android mobile applications. It applies hooks to functions of the Android API to perform the analysis, and we can write our own hooks as well. We will be using the "SSL uncheck (bypass certificate pinning - JSSE, Apache, and okhttp3)" action to bypass the SSL Pinning of a mobile application. Other than SSL uncheck, Inspeckage has actions such as start any activity, call any provider, and start, stop and restart the application.

How to Install Inspeckage

This is a basic guide to installing and configuring "Inspeckage". Once Inspeckage is installed and configured, bypassing SSL Pinning is just a matter of ticking and unticking a checkbox. You must have a rooted device or emulator to use Inspeckage hooks. To successfully bypass SSL Pinning with Inspeckage, the application under test must be allowed to run on a rooted device or emulator. I will be using "Genymotion" (personal use) for this demonstration.

The following is my "Genymotion" emulator:
Genymotion emulator specifications

After downloading and installing an emulator with Genymotion, you can start the emulator. Now you need to install the "Xposed" module. Make sure you install the correct Xposed version for your Android version. For the above-selected emulator, the Xposed version given on the link is suitable. Download the Xposed APK and install it on the emulator.


When you have installed the Xposed module, launch it, click on the Framework option, and click on the Install option to install the framework. Then reboot the device or emulator. You should now have successfully installed and configured the Xposed module.

Then go to Downloads in Xposed and search for Inspeckage. Download and install "Inspeckage" as well. As the last step of installing and configuring Inspeckage, go to "Modules" and tick the checkbox to enable "Inspeckage" with Xposed.
Installing Inspeckage with Xposed

Running Inspeckage
Now you are ready to use "Inspeckage" and bypass SSL Pinning with "Inspeckage" hooks. Go to the Android applications list, where you should now see the "Inspeckage" icon. Click on the icon to open "Inspeckage".


You will see three URLs listed under the message that the "service is started on". Open your browser and go to one of the URLs. A web page will load with the "Inspeckage" web portal.

Now the environment is ready to bypass SSL Pinning.

Bypass SSL Pinning with Inspeckage

Now it is straightforward. Click on the "Inspeckage" dropdown labelled "choose target" and select the application whose SSL Pinning you want to bypass. Click "Launch App" to start the app, then refresh the web portal. You should see the application details along with the default hooks used by "Inspeckage".
Inspeckage Web Portal

Now navigate to the settings from the Inspeckage web portal and just click and switch on the "SSL uncheck" option. You have successfully bypassed the SSL Pinning of the selected application.
Inspeckage Web Portal Settings

As a bonus, you can use all the other hooks available with Inspeckage.
This article is intended for use in security testing and ethical hacking, and to increase awareness of cybersecurity. Any malicious use is not intended.

Reference 
Inspeckage - http://ac-pm.github.io/Inspeckage/ and https://github.com/ac-pm/Inspeckage
Genymotion - https://www.genymotion.com/
Xposed - https://repo.xposed.info/module/de.robv.android.xposed.installer 
