Some Android apps go to astounding lengths to ensure that even the owner of a device can never see the content of the app's HTTPS requests. This is problematic for security research, privacy analysis and debugging, and for control over your own device in general.

It's not a purely theoretical problem either: protections like this attempt to directly block HTTPS inspection tools like HTTP Toolkit, which allow you to automatically intercept HTTPS from Android devices for inspection, testing and mocking.

This depends on the target application(s) trusting the debugging proxy's certificate for HTTPS traffic. These HTTP interception and mocking techniques are super useful for testing and understanding most apps, but they have issues with the small set of hyper-vigilant apps that add extra protections aiming to lock down their HTTPS traffic and block this kind of inspection.

In the end, this is your Android device, and whether you're a security researcher checking for vulnerabilities, a developer trying to understand how an app uses its API, or a privacy advocate documenting what data an app is sharing, you should be able to see the messages that the apps you use transmit and receive on your own phone.

Protections like certificate pinning make this difficult. Let's talk about how you can fight back, by using Frida to remove SSL pinning and expose the real traffic that any app is sending.

## What's certificate pinning?

By default, when an Android app makes an HTTPS connection, it makes sure that it's talking to a trusted server by comparing the issuer of the server's certificate to Android's built-in list of trusted system certificate authorities.

99% of apps stick with that default. You can't change the system certificate authorities on normal devices, so this list is fairly reliable and secure. You can change it on rooted devices and most emulators, though, so it's quite possible to intercept and inspect HTTPS traffic from these apps by using a debugging proxy for HTTPS interception in those environments.

Unfortunately, however, the last 1% which don't stick with the default configuration are more complicated. These apps include their own custom certificate validation, to specify the exact HTTPS certificate issuers they're prepared to trust, instead of trusting all of the device's trusted certificate authorities. This ensures they will never trust a new certificate from a certificate authority that they don't explicitly recognize, and so won't accidentally expose HTTPS traffic to anybody other than the real server.

This is generally known as "public key pinning", "certificate pinning", or "SSL pinning". Because this blocks all except a specific list of certificate authorities, it also blocks the private certificate authorities used by HTTPS debugging proxies, and so we hit our problem.

Certificate pinning used to be a much more popular technique, back before Android Nougat, when Android's own certificate validation was more lax and users could easily be tricked into installing new trusted certificates on their devices. Nowadays this is more tightly controlled, and certificate pinning is much rarer, since (as we'll see) it's really security theater, and Google's own docs now specifically recommend against the practice.

For similar reasons, it's not popular on the web. There was a short-lived HTTP standard to support this (HTTP Public Key Pinning), but it's deprecated and support was removed from browsers, as it makes it far too easy to unexpectedly and irreparably (!) break applications for little security benefit.

That said, it's still used on Android in some corners, particularly by very high-profile apps (e.g. Twitter) and very security-sensitive apps (e.g. banking apps, like N26 or BBVA), all of which are extremely protective over the details of how their APIs are used, and would prefer that prying eyes can't look too closely. In practice, that means that if you want to know how the Twitter app uses the Twitter API, you're going to need to make it trust your HTTPS interception certificate.

## Enter Frida

Frida is a cross-platform, multi-purpose framework for dynamically transforming how applications work, from outside the application. Think Greasemonkey, but for programs instead of web pages.

Frida lets you do things like logging every time an app calls a specific method, changing constants within built applications, recording how values within an application change, or replacing methods to disable functionality entirely.

Frida supports Android, primarily using an on-device server that runs on rooted devices and exposes an API via ADB, so you can use Frida's CLI tools on your computer to transform apps on your phone on the fly. You make these changes by writing small scripts in JavaScript, which use Frida's API to define transformations that will be applied to the target process.
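The two trust decisions described in the certificate pinning section above, modelled as an added example that is not code from the original article, from HTTP Toolkit or from Frida. The `Cert` type, the chain layout (leaf first, the certificate whose issuer is checked against the CA store last), the `sha256/` pin format, and all certificate authority names and key bytes are constructed assumptions for illustration only; it also carries the HPKP paragraph's point about key rotation through, showing why an app with a single pin and no backup pin breaks when the server key changes.

```python
"""Model of Android's default HTTPS trust check versus certificate pinning.

Constructed example: no real Android, Twitter, N26 or BBVA values appear here.
"""
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Toy certificate: who it is for, who issued it, and its public key bytes
    (standing in for the DER-encoded SubjectPublicKeyInfo)."""
    subject: str
    issuer: str
    spki: bytes


def spki_pin(cert: Cert) -> str:
    """HPKP/OkHttp-style pin string: 'sha256/' + base64(SHA-256(SubjectPublicKeyInfo))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(cert.spki).digest()).decode("ascii")


def default_trust(chain: list[Cert], trusted_ca_names: set[str]) -> bool:
    """The default check: the issuer at the top of the chain must be one of the
    device's trusted certificate authorities (simplified: no signature checks)."""
    return chain[-1].issuer in trusted_ca_names


def pinned_trust(chain: list[Cert], trusted_ca_names: set[str], pins: set[str]) -> bool:
    """Pinning: the default CA check still runs, and in addition at least one
    certificate in the chain must carry a public key whose pin the app ships."""
    if not default_trust(chain, trusted_ca_names):
        return False
    return any(spki_pin(c) in pins for c in chain)


# --- constructed sample data ------------------------------------------------
SYSTEM_CAS = {"Example Root CA"}                       # the device's built-in store
REAL_CHAIN = [Cert("api.example.test", "Example Root CA", b"real-server-key-v1")]
PROXY_CA = "Debug Proxy CA"                            # a debugging proxy's private CA
PROXY_CHAIN = [Cert("api.example.test", PROXY_CA, b"proxy-generated-key")]
# A well-run pinning app ships the current key's pin plus a backup key's pin.
BACKUP_KEY = Cert("api.example.test", "Example Root CA", b"real-server-key-v2")
APP_PINS = {spki_pin(REAL_CHAIN[0]), spki_pin(BACKUP_KEY)}


def scenario_unrooted_proxy() -> bool:
    """Stock device: the proxy CA is not in the system store, so even the
    default check rejects the intercepting certificate."""
    return default_trust(PROXY_CHAIN, SYSTEM_CAS)


def scenario_rooted_proxy_default_app() -> bool:
    """Rooted device or emulator with the proxy CA added to the store: an app
    using default validation (the 99%) accepts it, so traffic can be inspected."""
    return default_trust(PROXY_CHAIN, SYSTEM_CAS | {PROXY_CA})


def scenario_rooted_proxy_pinned_app() -> bool:
    """Same device, but the app pins: the CA check passes, the pin check fails."""
    return pinned_trust(PROXY_CHAIN, SYSTEM_CAS | {PROXY_CA}, APP_PINS)


def scenario_key_rotation(pins: set[str]) -> bool:
    """The real server rotates to its v2 key under the same CA. Whether the app
    keeps working depends entirely on whether that key's pin was shipped."""
    rotated_chain = [BACKUP_KEY]
    return pinned_trust(rotated_chain, SYSTEM_CAS, pins)


if __name__ == "__main__":
    print("unrooted device, proxy cert, default app:", scenario_unrooted_proxy())
    print("rooted device, proxy cert, default app:  ", scenario_rooted_proxy_default_app())
    print("rooted device, proxy cert, pinned app:   ", scenario_rooted_proxy_pinned_app())
    print("key rotation with backup pin:            ", scenario_key_rotation(APP_PINS))
    print("key rotation with a single pin:          ",
          scenario_key_rotation({spki_pin(REAL_CHAIN[0])}))
```

The last two lines are the failure mode the HPKP paragraph refers to: with only one pin shipped, a routine server key change makes every installed copy of the app refuse to connect, and nothing short of shipping an app update can repair it.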