Some Android apps go to astounding lengths to ensure that even the owner of a device can never see the content of the app's HTTPS requests. This is problematic for security research, privacy analysis and debugging, and for control over your own device in general.

It's not a purely theoretical problem either: protections like this attempt to directly block HTTPS inspection tools like HTTP Toolkit, which let you automatically intercept HTTPS from Android devices for inspection, testing and mocking. That interception depends on the target application(s) trusting the debugging proxy's certificate for HTTPS traffic.

These HTTP interception and mocking techniques are super useful for testing and understanding most apps, but they run into trouble with the small set of hyper-vigilant apps that add extra protections aiming to lock down their HTTPS traffic and block this kind of inspection.

In the end, this is your Android device, and whether you're a security researcher checking for vulnerabilities, a developer trying to understand how an app uses its API, or a privacy advocate documenting what data an app is sharing, you should be able to see the messages that the apps you use transmit and receive on your own phone. Protections like certificate pinning make this difficult.

Let's talk about how you can fight back, by using Frida to remove SSL pinning and expose the real traffic that any app is sending.

## What's certificate pinning?

By default, when an Android app makes an HTTPS connection, it makes sure that it's talking to a trusted server by validating the server's certificate chain against Android's built-in list of trusted system certificate authorities. 99% of apps stick with that default.

You can't change the system certificate authorities on normal devices, so this list is fairly reliable and secure. You can change it on rooted devices and most emulators though, so in those environments it's quite possible to intercept and inspect HTTPS traffic from these apps by using a debugging proxy for HTTPS interception.

Unfortunately, the last 1% which don't stick with the default configuration are more complicated. These apps include their own custom certificate validation, which specifies the exact HTTPS certificate issuers (or specific certificates or public keys) they're prepared to trust, instead of trusting all of the device's trusted certificate authorities. This ensures they will never trust a new certificate from a certificate authority that they don't explicitly recognize, and so won't accidentally expose HTTPS traffic to anybody other than the real server. This is generally known as "public key pinning", "certificate pinning", or "SSL pinning".

Because this blocks everything except a specific list of certificates or certificate authorities, it also blocks the private certificate authorities used by HTTPS debugging proxies, and so we hit our problem.

Certificate pinning used to be a much more popular technique, back before Android Nougat, when Android's own certificate validation was more lax and users could easily be tricked into installing new trusted certificates on their devices. Nowadays this is more tightly controlled, and certificate pinning is much rarer, since (as we'll see) it's really security theater, and Google's own docs now specifically recommend against the practice. For similar reasons, it's not popular on the web.
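To make the validation step above concrete, here is an added example (not code from the HTTP Toolkit post, and not Android's or OkHttp's own implementation) of the pinning check as it is usually built: hash the DER-encoded SubjectPublicKeyInfo of each certificate in the presented chain with SHA-256, base64 it as a `sha256/...` pin, and accept the chain only if one of those pins is in the app's configured set. Everything below is standard library only; the certificates are constructed toy X.509 structures with fake key and signature bytes, built just so the DER walk has something realistic to parse. The chain from the real server (pinned root) passes, while a chain minted by a debugging proxy's private CA for the same hostname fails, even though a normal trust store on a rooted device would happily accept it.

```python
"""Toy model of Android-style public key pinning (SPKI SHA-256 pins).

Added example, not from the original post. Stdlib only: a minimal DER
encoder builds constructed sample certificates, and the pin check walks
the DER to pull out each SubjectPublicKeyInfo (RFC 5280 layout).
"""
import base64
import hashlib


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (definite length form, payload up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def der_children(data: bytes) -> list:
    """Split a concatenation of DER TLVs into (tag, payload) tuples."""
    out, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(data[i + 2:i + 2 + k], "big"), 2 + k
        out.append((tag, data[i + hdr:i + hdr + n]))
        i += hdr + n
    return out


def toy_cert(subject: str, issuer: str, pubkey: bytes) -> bytes:
    """Build a structurally valid X.509 v3 Certificate (constructed sample:
    rsaEncryption OID, fake key bytes, fake signature; never verifiable)."""
    def name(cn: str) -> bytes:  # Name ::= SEQUENCE OF SET OF (CN=...)
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + pubkey))  # BIT STRING, 0 unused bits
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"260101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))  # [0] EXPLICIT version v3
               + der(0x02, b"\x01") + sha256_rsa + name(issuer) + validity + name(subject) + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + b"\x00" * 32))


def spki_of(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of a certificate."""
    (tag, cert), = der_children(cert_der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    fields = der_children(der_children(cert)[0][1])  # TBSCertificate fields
    if fields[0][0] == 0xA0:  # optional [0] version comes first when present
        fields = fields[1:]
    # serial, signatureAlgorithm, issuer, validity, subject, subjectPublicKeyInfo
    tag, payload = fields[5]
    return der(tag, payload)


def spki_pin(cert_der: bytes) -> str:
    """HPKP/OkHttp-style pin: 'sha256/' + base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(spki_of(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def check_pins(chain: list, pins: set) -> bool:
    """Pinned validation: the chain is accepted only if at least one
    certificate in it (leaf, intermediate or root) matches a configured pin.
    Real apps run this *in addition to* normal CA/hostname validation."""
    return any(spki_pin(cert) in pins for cert in chain)


# Constructed sample chains: the real server and a debugging proxy that
# re-signs api.example.com under its own private CA (hostnames are assumed).
REAL_ROOT = toy_cert("Example Root CA", "Example Root CA", b"\x01" * 64)
REAL_LEAF = toy_cert("api.example.com", "Example Root CA", b"\x02" * 64)
PROXY_CA = toy_cert("Debug Proxy CA", "Debug Proxy CA", b"\x03" * 64)
PROXY_LEAF = toy_cert("api.example.com", "Debug Proxy CA", b"\x04" * 64)

# Pinning the issuer's key (not the leaf) survives routine leaf rotation.
APP_PINS = {spki_pin(REAL_ROOT)}


def demo() -> tuple:
    """(real chain accepted, proxy chain accepted) -> (True, False)."""
    return (check_pins([REAL_LEAF, REAL_ROOT], APP_PINS),
            check_pins([PROXY_LEAF, PROXY_CA], APP_PINS))


if __name__ == "__main__":
    print("pin:", spki_pin(REAL_ROOT))
    print("real chain ok / proxy chain ok:", demo())
```

The point the check makes visible: a rooted device or emulator can add the proxy's CA to the system store, which satisfies the default chain validation, but it cannot change the pin set compiled into the app, so the proxy chain still fails. That is why the bypass later in this article targets the app's validation code itself (with Frida) rather than the device's trust store.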