Android Pen-testing - Bypass SSL pinning

51,398 views

BitsPlease

5 years ago

Developers can pin the public key into the app.
The app then compares the key it receives against the pinned one, and if they don't match, the connection is dropped.
In this video we look at how to bypass the SSL pinning process using Dynamic Binary Instrumentation.
Note: This is just an example to explain SSL pinning for educational purposes without any ill intentions. Please use the demos showcased ethically.
Tools:
Frida: www.codemetrix.io/hacking-and...

Comments: 50
@DeeptimanPattnaik1991 5 years ago
Very nicely done, very well explained. Thank you :)
@tulsirao2764 4 years ago
Awesome video. Thanks a lot for the detailed video and Android PT series.
@kalisettyhashika5327 2 years ago
Thank you for this video! This video has given me confidence to test android applications. Hope you continue making such amazing videos! Cheers!
@prarthanarao8406 4 years ago
Thanks, this really helped with the issues I was facing!
@BitsPlease 4 years ago
Thanks Prarthana. Glad it helped.
@habeebkhaa5057 3 years ago
Thanks a lot, this really helped a lot.
@psychorockz123 4 years ago
@BitsPlease Great tutorial. You explained each step very well. However, the automated script injection may not work for most applications. Could you make a video explaining how to manually tamper with the smali code and bypass pinning?
@TekTok 4 years ago
I face this issue: "Failed to spawn: the 'argv' option is not supported when spawning Android apps". Can you help me, please?
@viralshah2855 5 years ago
Hi. Can you do this with the Xposed framework with SSL unpinning or any other similar module? Please show the detailed process of how to install and use the Xposed framework and modules.
@sangameshr.t.2476 2 years ago
Is there any way to stop this bypass? I have tried adding the public key and adding the certificate to the code, but it is still being bypassed.
@ngeeannboiii8554 3 years ago
16:04. The command line at the right is cut off. What is the full command to run the .js file?
@righamjain9457 3 years ago
Can you please tell me the version of the Twitter app you are using, as the version I tried to install on Android v7.1 is giving me an error?
@wikali6128 5 years ago
Looks like you missed an important step: you pushed the cert generated by Burp Suite to the Android emulator but you haven't installed it ... so placed it in /data/local/temp
@BitsPlease 5 years ago
Thanks for pointing it out, Wika Li. Yes, you gotta go to your device and install the certificate. I believe my earlier certificate is still doing the job.
@wazzygray 4 years ago
Your voice is so sweet
@yasyasmarangoz3577 3 years ago
^^
@Thunder-dp7du 3 years ago
Great video. What if the communication has been encrypted, any other way to bypass it?
@mrprince4791 4 years ago
10000000000______ Love for you.
@wazzygray 5 years ago
Which OS are you using?
@manojkansal02 4 years ago
#BitsPlease @BitsPlease Could you please help me, as I am not able to make a connection between Genymotion/VirtualBox and Burp Suite? What type of connection setting do I need to set up in VirtualBox, and which IP do I need to configure to set up over Wi-Fi, not using LAN?
@smartcontract647 2 years ago
I'm getting an error: "Failed to spawn: the 'argv' option is not supported when spawning Android apps". Can anyone help me?
@Exrienz 4 years ago
Where is the link for the Frida SSL repinning script?
@Hacking_vibe 2 years ago
I need that
@mersalmakers1577 3 years ago
Sir, how can I get the hook.js file?
@bibekdhakal5353 4 years ago
Bro, I am trying at this moment. I am sure it's gonna work
@bibekdhakal5353 4 years ago
Having a problem at ADB wtf. ADB version is fucking me. lol
@yasyasmarangoz3577 3 years ago
@bibekdhakal5353 So? Did it work?
@gcpa7539 4 years ago
What Android emulator are you using in the video?
@BitsPlease 4 years ago
I’m using Genymotion.
@gcpa7539 4 years ago
@BitsPlease thanks
@arcanghelfernandez3856 4 years ago
This could have been a very good step-by-step on installing Frida; however, it did not provide detailed information, especially for beginners
@FortniteBRLeaks 4 years ago
Yeah this tutorial is horrible. I'm moving onto someone else who can explain it better
@markopurunto9858 5 years ago
Which Twitter version?
@dimassahidabdullah1183 1 year ago
Why doesn't my script work to bypass SSL pinning? I got the script from Frida's website
@m7zr 4 months ago
Same… did you fix it?
@nopenope5949 4 months ago
Nope @m7zr
@kentslaves 5 years ago
What Android version did you use?
@BitsPlease 5 years ago
I'm using Android 8.0 (API level 26).
@joyoe 4 years ago
@BitsPlease Then sir, please do tell me: while executing "frida -U -f com.twitter.android -l frida-android-repinning.js --no-pause", I ran into the error "[o] Error: java.io.FileNotFoundException: /data/local/tmp/cert-der.crt (Permission denied) ". I believe it is because I'm using Magisk for rooting; it doesn't change adbd into root, so I won't be able to access "cert-der.crt" in the system directory. Please correct me if I'm wrong, and besides, if yes, how did you fix this? I'm using Android 9.0. Thanks for answering
@omarandomar1829 3 years ago
Beast
@mnageh-bo1mm 4 years ago
That poor user that you keep brute forcing his email with wrong logins.
@trueToastedCode 3 years ago
It's working... can also be done from Windows
@VishalKumar-nv9gu 2 months ago
Hi bro, can you help me with this? I am also trying to capture the requests of an Android APK but I am not able to do it
@bibekdhakal5353 4 years ago
;)
@TvUp24h 4 years ago
hello? you telegram?
@charanjitsingh1815 2 years ago
Annoying presentation