If it is not possible to intercept traffic even after successfully installing your own CA in the way your Android version requires, it is possible that the application is performing some kind of SSL pinning. To bypass this type of validation, we need to hook the application's code and interfere with the validation process. To use these hooks, the application must be allowed to run on a rooted/jailbroken device. If running on a rooted device is allowed, please read my previous article on SSL Pinning Bypass with "Inspeckage" and on setting up "Inspeckage" to use the other hooks available with the Xposed module.
If the application is not allowed to run on a rooted device, the most common method is the "Frida" framework. For this, you need to repackage the APK with the "Frida" library. So if the application does not allow repackaging or uses integrity checks at runtime, this option is no longer valid.
This is written based on an experience I had bypassing SSL pinning for mobile applications that were not allowed to run on a rooted device and also did not allow repackaging and running on a device. The solution was found with "VirtualXposed" and "Inspeckage". However, this is not a widely tested and approved solution (UNCONVENTIONAL), but it might help you with mobile application penetration testing.
VirtualXposed
VirtualXposed is similar to a virtual machine. It provides a virtual space to run APKs as plugins, and in this space some Xposed modules and hooks can be applied. You can download VirtualXposed from the following link.
VirtualXposed - https://virtualxposed.com/
Copy the VirtualXposed APK and install
- Download VirtualXposed
- Copy downloaded apk to your unrooted device.
- Go to device Settings > Security > Unknown source and tick Unknown source
- Go to the location where you copied the apk
- Tap and go through the installation guide
Now you will see the VirtualXposed icon alongside the other installed Android applications. Tap to open "VirtualXposed" and you will see a lock-screen-like interface. This is the virtual space that is installed on your device OS. Swipe as you would to unlock a device with no password or pattern lock, and you will enter your virtual Android space.
VirtualXposed installed on a non-rooted device
Bypass SSL Pinning with VirtualXposed
Now that you have Xposed running on your unrooted device, you can use hooks. My favorite application for hooks is "Inspeckage".
- Click on the Xposed inside the virtual space
- You will be presented with an interface just like that of Xposed
- Navigate to Download and search for "Inspeckage"
- Click Download and Install
- After successfully installing "Inspeckage", navigate to Modules and check the box next to "Inspeckage" to enable it
- Restart the device before using
The following screen captures show steps to be followed in order to install and configure "Inspeckage". I will not explain the steps in detail here.
Steps to install and configure Inspeckage
Now all you have to do is install the application whose SSL pinning you want to bypass, and whose traffic you want to intercept, into the same virtual space. You have to install the application from an APK in order to load it into the virtual space.
- Extract/Get the "apk" that you want to install in the virtual space.
- Copy it to the desired location of your device
- Try to install the apk and it will ask where to install (Add to VirtualXposed or Package Installer)
- Choose "Add to VirtualXposed" and continue the installation.
- You should be able to successfully install the application into virtual space (VirtualXposed)
Installing an application to the VirtualXposed
Now it is straightforward. Just as you normally use "Inspeckage", run Inspeckage, select the application that you want to apply hooks to, and load the Inspeckage web portal.
- Open Inspeckage in VirtualXposed
- Click on the "Choose Target" dropdown
- Select the application you want to apply hooks to
- Click "Launch App"
- Open the web browser on your PC and navigate to the IP address given in "Inspeckage"
- Go to "settings" from the web portal
- Switch on the "SSL Uncheck" option
Now you should be able to bypass SSL Pinning and apply the other hooks available with "Inspeckage".
Again, I would like to highlight that this is not a well-tested and established approach (UNCONVENTIONAL). But I was able to successfully do some tricky things with "VirtualXposed".
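A defender-side check for the setup described above, as an added example that is not from the original article or from the VirtualXposed project: an app can compare its own data directory with the locations stock Android uses, on the assumption that a container app without root can only keep guest app data inside its own sandbox. The nested path layout, the `ContainerCheck` class, and all sample package names and paths are constructed for illustration.

```java
import java.util.regex.Pattern;

/** Added example: flags a data directory that is not where stock Android places it. */
public class ContainerCheck {
    // Standard per-app data roots: legacy path, multi-user, device-encrypted, adoptable storage.
    private static final Pattern STANDARD_ROOT = Pattern.compile(
        "^(/data/data|/data/user/\\d+|/data/user_de/\\d+"
        + "|/mnt/expand/[0-9a-fA-F-]+/user(_de)?/\\d+)$");

    /**
     * @param dataDir     Context.getDataDir().getPath() (or getFilesDir().getParent()) at runtime
     * @param packageName the package name compiled into the app
     * @return true when the directory is nested elsewhere, e.g. under a host app's private storage
     */
    public static boolean looksVirtualized(String dataDir, String packageName) {
        if (dataDir == null || packageName == null) return true; // fail closed
        String path = dataDir.replaceAll("/+$", "");             // ignore trailing slashes
        int slash = path.lastIndexOf('/');
        if (slash <= 0) return true;                              // no parent directory at all
        String leaf = path.substring(slash + 1);
        String root = path.substring(0, slash);
        // Expected shape: <standard root>/<own package name> and nothing in between.
        return !(leaf.equals(packageName) && STANDARD_ROOT.matcher(root).matches());
    }

    public static void main(String[] args) {
        String pkg = "com.example.bank"; // constructed package name
        String[] samples = {             // constructed paths, not taken from a real device
            "/data/user/0/com.example.bank",
            "/data/data/com.example.bank",
            // Assumed container layout: guest data nested inside the host app's sandbox.
            "/data/user/0/host.container.example/virtual/data/user/0/com.example.bank",
        };
        for (String s : samples) {
            System.out.println(looksVirtualized(s, pkg) + "  " + s);
        }
    }
}
```

Hooks running inside the same process can patch a check like this, so treat its result as one signal to report to the backend rather than as an enforcement point.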
This article is intended for use in security testing and ethical hacking, and to increase cybersecurity awareness. Any malicious use is not intended.
References
VirtualXposed - https://virtualxposed.com/
Inspeckage - http://ac-pm.github.io/Inspeckage/