Disable or bypass SSL Pinning/Certificate Pinning on Android 6.0.1
Previously I have been able to bypass SSL Pinning by using the program Xposed framework for nearly every app.
However it has started to fail on more and more apps recently. The more I read it seems like I have to disassemble every app and patch them one by one.
Is there some application that I have missed that can disable SSL Pinning by hooking onto system commands?
Programs that I have tried:
If there is no such program, what is the best way to go?
What I have identified so far:
Try to disassemble the APK and search for keywords such as "X509TrustManager", "cert", "pinning", etc., and modify it accordingly. Like this article: http://blog.dewhurstsecurity.com/2015/11/10/mobile-security-certificate-pining.html
However it seems that at least one of the apps that I have trouble proxying (Facebook Messenger) is using SSL Pinning in the native layer as well as the Java layer. This is probably the case in many other applications as well, since they have worked before with JustTrustMe but have now stopped working. https://serializethoughts.com/2016/08/18/bypassing-ssl-pinning-in-android-applications/
You'll also notice that the author of SSLUnpinning_Xposed is moving his project pieces to -- https://github.com/ac-pm/Inspeckage
Did you go through these procedures to get JustTrustMe to bypass the cert pinning -- http://www.welivesecurity.com/2016/09/08/avoid-certificate-pinning-latest-versions-android/ -- ?
If you do end up having to rewrite some code, try to keep it really simple. I found this technique which doesn't mess with the existing cert-pinning code and instead just adds the HTTP traffic to the logging system -- https://blog.securityevaluators.com/how-to-view-tls-traffic-in-androids-logs-6a42ca7a6e55
For a series on repackaging Android apps, be sure to check out:
For Android 7 and higher, check out -- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/bypassing-androids-network-security-configuration/
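
The keyword search mentioned in the question, extended to report Java-layer and native-layer hits separately, as an added example that is not part of the original thread. It assumes an already-unpacked APK directory containing `.smali`/`.java` files and `.so` libraries; `CertificatePinner` and the OpenSSL function names are assumed additions to the question's keywords, and the sample tree is constructed.

```python
import os
import re
import tempfile

# Keywords quoted in the question, plus OkHttp's CertificatePinner (assumed addition).
JAVA_PATTERNS = [b"X509TrustManager", b"CertificatePinner", b"pinning", b"cert"]
# Assumed native-layer indicators: OpenSSL/BoringSSL verification entry points.
NATIVE_PATTERNS = [b"X509_verify_cert", b"SSL_CTX_set_verify", b"SSL_set_verify"]
JAVA_EXT = (".smali", ".java")
NATIVE_EXT = (".so",)


def scan_tree(root):
    """Walk an unpacked APK tree; return {layer: {relative_path: [keywords]}}."""
    report = {"java": {}, "native": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(JAVA_EXT):
                layer, patterns, flags = "java", JAVA_PATTERNS, re.IGNORECASE
            elif name.endswith(NATIVE_EXT):
                # Symbol names in binaries are matched case-sensitively.
                layer, patterns, flags = "native", NATIVE_PATTERNS, 0
            else:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hits = [p.decode() for p in patterns if re.search(re.escape(p), data, flags)]
            if hits:
                report[layer][os.path.relpath(path, root)] = hits
    return report


def build_sample_tree(root):
    """Constructed sample input: a tiny fake unpacked APK (not a real app)."""
    files = {
        "smali/com/example/Pin.smali": b".class Lcom/example/Pin;\n"
                                       b".implements Ljavax/net/ssl/X509TrustManager;\n",
        "smali/com/example/Ui.smali": b".class Lcom/example/Ui;\n",
        "lib/arm64-v8a/libnet.so": b"\x7fELF\x00X509_verify_cert\x00SSL_CTX_set_verify\x00",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for layer, found in scan_tree(tmp).items():
            print(layer, found)
```

Hits under `native` indicate certificate verification code compiled into a shared library, which is the situation the question describes for apps that stopped working with Java-layer hooks.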