diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index 84b3620cf..e16a92d1b 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md 
@@ -444,6 +444,62 @@ Applications targeting **API Level 24 and above** require modifications to the N If **Flutter** is being used you need to to follow the instructions in [**this page**](flutter.md). This is becasue, just adding the certificate into the store won't work as Flutter has its own list of valid CAs. +#### Static detection of SSL/TLS pinning + +Before attempting runtime bypasses, quickly map where pinning is enforced in the APK. Static discovery helps you plan hooks/patches and focus on the right code paths. + +Tool: SSLPinDetect +- Open-source static-analysis utility that decompiles the APK to Smali (via apktool) and scans for curated regex patterns of SSL/TLS pinning implementations. +- Reports exact file path, line number, and a code snippet for each match. +- Covers common frameworks and custom code paths: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins. + +Install +- Prereqs: Python >= 3.8, Java on PATH, apktool + +```bash +git clone https://github.com/aancw/SSLPinDetect +cd SSLPinDetect +pip install -r requirements.txt +``` + +Usage +```bash +# Basic +python sslpindetect.py -f app.apk -a apktool.jar + +# Verbose (timings + per-match path:line + snippet) +python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v +``` + +Example pattern rules (JSON) +Use or extend signatures to detect proprietary/custom pinning styles. You can load your own JSON and scan at scale. + +```json +{ + "OkHttp Certificate Pinning": [ + "Lcom/squareup/okhttp/CertificatePinner;", + "Lokhttp3/CertificatePinner;", + "setCertificatePinner" + ], + "TrustManager Override": [ + "Ljavax/net/ssl/X509TrustManager;", + "checkServerTrusted" + ] +} +``` + +Notes and tips +- Fast scanning on large apps via multi-threading and memory-mapped I/O; pre-compiled regex reduces overhead/false positives. 
+- Pattern collection: https://github.com/aancw/smali-sslpin-patterns +- Typical detection targets to triage next: + - OkHttp: CertificatePinner usage, setCertificatePinner, okhttp3/okhttp package references + - Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides + - Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers + - Declarative pins in res/xml network security config and manifest references +- Use the matched locations to plan Frida hooks, static patches, or config reviews before dynamic testing. + + + #### Bypassing SSL Pinning When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Various methods are available for this purpose: @@ -799,6 +855,9 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th - [https://manifestsecurity.com/android-application-security/](https://manifestsecurity.com/android-application-security/) - [https://github.com/Ralireza/Android-Security-Teryaagh](https://github.com/Ralireza/Android-Security-Teryaagh) - [https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab_channel=B3nacSec](https://www.youtube.com/watch?v=PMKnPaGWxtg&feature=youtu.be&ab_channel=B3nacSec) +- [SSLPinDetect: Advanced SSL Pinning Detection for Android Security Analysis](https://petruknisme.medium.com/sslpindetect-advanced-ssl-pinning-detection-for-android-security-analysis-1390e9eca097) +- [SSLPinDetect GitHub](https://github.com/aancw/SSLPinDetect) +- [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns) ## Yet to try
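Review bot: the Usage block never shows how to pass a custom JSON pattern file, although the "Example pattern rules (JSON)" paragraph promises "You can load your own JSON and scan at scale"; a reader cannot act on the signatures shown, so add the exact invocation for loading a pattern file (or state that the bundled patterns are used by default and point to the repository README for the option) instead of leaving it implied. Two smaller points in the same hunk: the Install prerequisites list "apktool" as if it must be on PATH, while both usage examples pass the jar explicitly (`-a apktool.jar`, `-a apktool_2.11.0.jar`), so say that `-a` takes the path to the apktool jar; and in "Notes and tips", "pre-compiled regex reduces overhead/false positives" conflates two things, since compiling a pattern only saves matching time and does not change what it matches, so false positives are a property of the pattern set (the linked smali-sslpin-patterns collection), not of pre-compilation. The "Typical detection targets to triage next" list also repeats the earlier "Covers common frameworks and custom code paths" bullet almost verbatim; keep one of them. Finally, the hunk leaves three blank `+` lines before `#### Bypassing SSL Pinning` where the rest of the file separates sections with one.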
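Review bot: the three added reference entries use descriptive link text ("SSLPinDetect GitHub", "smali-sslpin-patterns") while every neighbouring entry in this list uses the bare URL as the link text (e.g. `[https://github.com/Ralireza/Android-Security-Teryaagh](https://github.com/Ralireza/Android-Security-Teryaagh)`); match the existing convention or convert the list as a whole in a separate change. Two of the three URLs (the SSLPinDetect repository and the pattern collection) are also linked from the new section added earlier in this patch, which is fine for a references list but means both places need updating together if either URL moves.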