When deploying a mobile application, developers make sure that the app uses a valid certificate and connects to the server over HTTPS. Even with these two measures in place, the software remains vulnerable to threats such as a MitM (man-in-the-middle) attack, so developers take every further precaution they can. Certificate pinning is one of the measures that apps handling sensitive information must have in place.
Every operating system ships with a set of root certificates in its trust store. Any server certificate that chains to one of these roots is automatically considered trustworthy by the SSL implementation the app relies on. SSL pinning adds another layer of security on top of this.
Simply put, SSL pinning is an optional security mechanism that configures the application to trust only a predefined set of certificates selected by the developer. While establishing an SSL connection with the server, the app cross-checks the server's certificate against its pinned certificate(s). It is regarded as the best technique for protecting the app from remote attacks on its connections.
The mechanism is strict: the app rejects the server's certificate if it differs from the one it accepted during its last session with the same server.
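The following is an added example, not code from the original article, showing the decision pinning adds on top of the OS trust store: the app hashes the server's SubjectPublicKeyInfo (SPKI) and accepts the connection only if that hash is in its pin set. It assumes a deliberately minimal DER parser and constructed test certificates with a placeholder signature (real chain and hostname validation still happen in the OS, before the pin check). It also goes beyond the text in one respect: it pins the public key rather than the whole certificate, so a renewed certificate with the same key still passes, while a certificate issued for the same host by a user-installed proxy CA (which the OS would trust) does not.

```python
import base64
import hashlib

# Minimal DER helpers written for this example (not a full ASN.1 library).
SEQUENCE, INTEGER, BITSTRING, NULL, OID, UTCTIME, CONTEXT0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0


def der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag-length-value."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; return (tag, raw_tlv, content, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, buf[start:end], buf[pos:end], end


def children(content: bytes):
    """Split the content of a constructed type into (tag, raw_tlv) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, raw, _, pos = read_tlv(content, pos)
        out.append((tag, raw))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate.

    tbsCertificate is: [0] version (optional), serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo, ...
    """
    _, _, cert_body, _ = read_tlv(cert_der, 0)  # Certificate SEQUENCE
    _, _, tbs_body, _ = read_tlv(cert_body, 0)  # tbsCertificate SEQUENCE
    fields = children(tbs_body)
    if fields[0][0] == CONTEXT0:  # skip the explicit version tag
        fields = fields[1:]
    return fields[5][1]


def spki_pin(cert_der: bytes) -> str:
    """SHA-256 of the SPKI, base64-encoded: the usual pin format."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def check_pins(cert_der: bytes, pinned: set) -> bool:
    """The pinning decision: accept only if the presented key matches a pin."""
    return spki_pin(cert_der) in pinned


def build_test_cert(public_key: bytes, serial: int = 1) -> bytes:
    """Build a minimal, syntactically valid test certificate (constructed data;
    the signature is a placeholder, since chain validation is a separate step)."""
    rsa_encryption = bytes.fromhex("2a864886f70d010101")   # OID 1.2.840.113549.1.1.1
    sha256_with_rsa = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
    alg_id = der(SEQUENCE, der(OID, sha256_with_rsa) + der(NULL, b""))
    empty_name = der(SEQUENCE, b"")
    validity = der(SEQUENCE, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"340101000000Z"))
    spki = der(SEQUENCE, der(SEQUENCE, der(OID, rsa_encryption) + der(NULL, b""))
               + der(BITSTRING, b"\x00" + public_key))
    tbs = der(SEQUENCE, der(CONTEXT0, der(INTEGER, b"\x02")) + der(INTEGER, bytes([serial]))
              + alg_id + empty_name + validity + empty_name + spki)
    placeholder_sig = der(BITSTRING, b"\x00" + bytes(32))
    return der(SEQUENCE, tbs + alg_id + placeholder_sig)


# Constructed keys: the app's server key, a backup key held for rotation, and an interception proxy's key.
SERVER_KEY, BACKUP_KEY, PROXY_KEY = b"A" * 64, b"B" * 64, b"C" * 64
PINS = {spki_pin(build_test_cert(SERVER_KEY)), spki_pin(build_test_cert(BACKUP_KEY))}


def demo() -> dict:
    """Pin decisions for: genuine cert, renewed cert with the same key, backup key, proxy-issued cert."""
    return {
        "server": check_pins(build_test_cert(SERVER_KEY), PINS),             # True
        "renewed": check_pins(build_test_cert(SERVER_KEY, serial=2), PINS),  # True: same key, new cert
        "backup": check_pins(build_test_cert(BACKUP_KEY), PINS),             # True: rotation path
        "proxy": check_pins(build_test_cert(PROXY_KEY), PINS),               # False: OS may trust it, app does not
    }


if __name__ == "__main__":
    print(demo())
```

Shipping a backup pin alongside the live one is what keeps a key rotation from locking every installed client out; without it, the "strict" behaviour the article describes turns a routine certificate change into an outage.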
What are the options to bypass SSL pinning?
For any developer, the most critical part of a penetration test is viewing and modifying the HTTP requests the mobile application sends to the server, since this is how the app's functionality is exercised. To detect security vulnerabilities, mobile app development experts often need to perform penetration tests that bypass SSL verification as well as certificate pinning. The four most popular techniques developers use are: installing their own CA, installing software on the iOS device, using Objection and Frida, and using disassemblers to modify the IPA file.
Developers often choose to install their own CA (certificate authority) to avoid SSL errors while testing iOS apps. The device needs to be configured to work with Burp Suite. The CA certificate can be delivered to the device as an email attachment. After completing the installation, open the 'Certificate Trust Settings' screen and enable full trust for the PortSwigger CA.
At times, even after installing your own CA, the device may keep showing the same SSL errors, or the app may crash repeatedly while connecting. In that situation, developers can try another simple way to bypass SSL pinning: installing specific tools such as Burp Mobile Assistant and SSLKillSwitch can do the trick. Unfortunately, these and most other similar tools work only on jailbroken iOS devices.
When it comes to frameworks capable of interfering with an application's certificate validation logic, the first name that comes to mind is Frida. It can be used on jailbroken devices; for non-jailbroken ones, developers can use the Frida Gadget. However, the developer working this way needs an Apple Developer account and a code-signing certificate.
Perhaps the most complicated option of all is using a universal disassembler such as IDA or Hopper to modify the IPA file. The crucial point is that the application's signature breaks once its IPA is modified, so the app must be re-signed before it is installed on the device. Remember, all four techniques should be used only by experienced developers, as using them makes the device insecure and vulnerable to attacks.
If you wish to engage highly experienced developers for iOS app development or Android app development, consider discussing your requirements with Smart Sight Innovations. The firm has helped several reputed small and large companies from various sectors with excellent user-friendly apps.
Guest article written by Hardi Vora, a Content Strategist, Blogger and Digital Marketing Executive associated with Ecosmob, a mobile app development company. A writer by day and a reader by night, she has experience writing SEO-friendly, creative and informative content for a range of industries.