Hi guys, this is Rajesh from CEX (Complete Entertainment Exchange, webuy.com), where I work as a senior application security engineer. Our company buys and sells second-hand electronics, mobiles and laptops. My colleague Mr. Ravi is also joining me to assist you with the hands-on part and the other tools. So let's start with the agenda. The agenda is SSL pinning, bypassing SSL pinning, root detection, and static analysis and reverse engineering, which will be covered by Ravi.

Starting with SSL pinning: SSL pinning is a technique used by developers to avoid MITM attacks. If a penetration tester wants to intercept the requests and responses of a mobile application, it prevents that; you can't intercept the application. Why does this come in? Suppose an attacker or a penetration tester wants to test the application or intercept its requests and responses. That is the first step to invade the application, to bypass its logic, or to attack it with SQL injection and other vulnerabilities: the first step is intercepting the application's requests and responses. That is why SSL pinning comes in, so that it restricts the tester or user from intercepting the application in proxy tools. So whenever we want to test such an application, what we observe is this error: "the client failed to negotiate". It means the user can't intercept the application, because the SSL pinning certificate is bound to the application. That is the overview of what SSL pinning is: it is a kind of certificate binding in an Android or iOS application where the user can't see the request and response. If he can't see the request, he can't tamper with the parameters.

To explain this: what the developer does is bind the server certificate in the application, and whenever the SSL handshake is initiated, it checks against the certificate that is in the application. First, when the application sends the SSL request, the server certificate comes to the client side, and the application verifies whether it matches the certificate bound in the application. If it does not match, it gives an SSL handshake error. That is the main logic behind implementing SSL certificate pinning.

There are lots of ways to bypass certificate pinning, because if you can't bypass it you can't test the application; that is the main challenge. There are three main ways to bypass SSL pinning. First is reverse engineering, which is the old method: you just reverse engineer the Android or iOS code and find whether certificate pinning is enabled or not. It is the old method because, suppose the source code of the Android or iOS application is obfuscated; then you can't reverse engineer it and you can't find where the SSL certificate pinning is implemented. If we are not able to find where the certificate is pinned and where the code for SSL pinning is written, the reverse engineering technique fails. Second is the Xposed framework. Android people know how we use plugins with the Xposed framework; there are plugins for bypassing SSL pinning in the Xposed framework. You just install the Xposed framework on an Android device, which should be rooted, and then you can bypass easily: you just hook the application whose SSL pinning you want to bypass and it is done with a few clicks on some buttons. This is also an old method.

Next, the one we are going to demonstrate: objection and Frida. These are the latest tools used for bypassing SSL pinning and other binary restrictions in Android and iOS mobile applications, and this is what we are going to practise and demonstrate. What do we need to install objection and Frida? First of all, I will tell you what objection and Frida are. Objection is a framework used for hooking the application and bypassing binary restrictions like SSL pinning and root detection; it can bypass root detection, it can hook the application, and then lots of analysis can be done for iOS and Android. That is why we use objection. Frida is the company name that recently launched objection, and we also have a Frida server file which is used in parallel with objection to bypass SSL pinning and for other hooking methods.

The requirements for this are Genymotion and VirtualBox, which we use for installing the Android device, a rooted device; Burp Suite, which is the proxy tool security people use for all kinds of hacking and applying attacks; the adb tool, used for communication between the device and your system; the Frida server file, which we first load into the Android device, after which we can inject the objection tool; and the objection framework itself, which we will tell you later how to install. These are the tools and commands used for installing and then bypassing all the binary restrictions.

This is mainly the command we use in objection to bypass SSL pinning. Let us start with the demo. I have this Android emulator, I think a Google Nexus 5, and I have this application. It is a kind of CTF app. This is the chapter where SSL pinning is enabled; it is for demonstration. When we click here, this is the application. Let us close it. First of all we need the proxy tool, that is Burp Suite. Here we can set the proxy for your Genymotion device, so that whatever you do, the traffic coming from your Genymotion device will be intercepted in your proxy tool, which is Burp Suite Professional. So first set the proxy. This is the proxy setting we use: this is the IP, the VirtualBox IP we use for intercepting all the traffic from the Android device, and you can set the port number on which you bind that IP. This is set. Now set the same proxy on the device; here you can see on the device I have set the proxy, so it intercepts all the application's requests and responses. Let us open the application. Here there is nothing because we have not initiated any request yet. Let us open this; I just clicked on that activity in the application. Let us see: here you can see there is no request, so there is a chance that SSL pinning is enabled in the Android application. This is where we identify it: here we can check this, and this is the error that comes, "the client failed to negotiate". That is the main identification factor that the application is built with certificate pinning. This is what we are going to bypass. There are lots of techniques to bypass it, and we are going to use some of the latest tools. There is no request and response here.
So, what we need to bypass it: these are the requirements to bypass SSL pinning: Genymotion (only for testing), and then the Frida server and objection. Let us start. First you need adb, which is used for connecting your system to the virtual device or your real mobile device; I am just using this. The first step is to load the Frida server file into your device. You can download the Frida server file, or I have shared it on the pen drive as well. You can download the Frida server file from this GitHub as per your Android device. There are lots of Frida server files there, so you have to choose according to what operating system you have on the Android device and download accordingly. I am using this file. To identify what operating system it is, you can download some tools from the Play Store and identify whether the OS is 64-bit or 32-bit, and based on that you can download the file. I have already downloaded it here; this is the Frida server file that I downloaded. We are going to load it into your Android device. There is a command called push, adb push, with which you load the file you want to load, and the location we use on the Android device is /data/local/tmp, because the permissions to execute that server file on the device require that location: if you are executing the server file on an Android device, the location should be the tmp folder, so we are using this /data/local/tmp location. Your file will be loaded there once I give the command. This is the location, /data/local/tmp; here our file will be loaded, and we execute the file on the device and then our next process is done. This is the command used for loading the Frida server file into the device. If we check, the file is loaded; here is the file. The file is loaded into the Android device.

The next step: you cannot execute this file without permission, so we have to give permission to this file. The next command is adb shell chmod; we use this command to give the permission to this file. The permission is given. Now I am getting into the device; the command to go into the device is adb shell. Automation people who automate things on mobile also know this. I am in the device. The first step is which application you want to hook with the objection tool. This is the command; this is the application I want to hook into objection. First we need to identify the package name. There are lots of commands to identify the package name; I will use the location where the application is installed on the device and find the package name there. The command is cd /data, it is in the data folder, and here I can find the package name. This is the package name of this learner app, the package name which we are using for the bypass; you can even copy it. The next step is to run the Frida server file. There is a simple command here; you can use Linux commands on the Android device, it is all Linux stuff. First we have to go into the folder where our Frida file is loaded. What was the location? It was /data/local/tmp. Okay, cool, this is easy. I think there is a problem with this; now it is the easy one. What is the command? Now this is the easy one. Okay, cool, thanks. So there we are. The next step is to execute the Frida server file. First we connect with the device; here the file is the Frida server file. This is the command we use to execute the Frida server file; here you can see the process is created, 2538. Then the next step is the package name that we copied, the package name, and then there is the main command, explore. This is our device.

This is the command we use to bypass SSL pinning: first we hook the application and then we try. This is the application, this is the package name we want to bypass. Let us just run it. You can see the objection command ran successfully. The next step is to bypass SSL pinning; we use one hooking command for Android, this is the command. We are in the objection tool now. We have already hooked the application; now we want to bypass SSL pinning. You can see the SSL pinning plugin is enabled in the objection tool. Now let us open the application again and click on this. Here it says it is overriding the trust manager; it means it tried to bypass the SSL pinning certificate. Let us see the proxy. Here you can see 200 OK, which means the request was triggered. We are able to bypass now; SSL pinning is bypassed with the objection tool. This is one way to bypass. Here it is a CTF kind of thing: we put the session token that comes with the request. Every time you trigger it, this token comes in, and you have to put this token here to complete the challenge. We will give you the tools, so you can bypass and then put this code. It is a kind of CTF code, and you will be able to bypass SSL pinning. I will put that code here, so this challenge is completed; the SSL pinning challenge is completed just by putting it in. Every time you bypass SSL pinning a new code is generated, and you can put it here and see that you are able to bypass SSL pinning. Those of you who have installed all the tools can try to bypass SSL pinning. Please install the required software that I have given on the pen drive, so that we can have a practical session. After that we will demonstrate the static analysis of mobile apps. We have time, I think; yes, we have. You can practise it, so that you get hands-on experience of how to bypass. Those who don't have laptops can share.

Which one? Yes, sure. Yes, which one? Right: Burp should itself generate one code, and that code we need to insert in the app, so that it will bypass in the proxy too? Yes. This is a CTF application. Once you are able to bypass SSL pinning, it means the request is triggered, and then in the request there is a header and there is a code. You can copy that code and put it into the application, and it will tell you that you are able to bypass. Then we click on that lesson folder. Yes, this is here. Initially we were not able to bypass; we were not able to intercept the application here, when the SSL pinning plugin was not enabled. Now we are able to bypass SSL pinning; now it triggers the request here. I click here and the request is generated; earlier it was not, because we had not applied the objection tool. Yes. It is not like that; it is a CTF. CTF means it is a challenge that you are able to bypass, and then you put that code; it is a kind of game. It is not the case that every application generates a code and then you put it in. Suppose in a banking application SSL pinning is enabled and you want to intercept the data. What you will do is use objection, hook the application to bypass SSL pinning, and then once you are able to bypass you can apply parameter attacks, SQL injection and cross-site scripting after that. Here what we are doing is just demonstrating what you can do once your request is intercepted. Any other question? Yes, this is a demo app. Yes, right. Which one? Yes, and you can see here it is even overriding the trust manager. No, you do not need to put it in; it is just a game that you are able to bypass, and once you successfully bypass, the code is generated and you copy it. Yes, you can put anything; it will say that it is incorrect, "your answer is incorrect", because you do not have a valid code. This is just a sample; it is not a banking application. Yes, it gives exactly this error. Yes, you can perform the attacks. That is why the practice session is there, so that you install it all.

Any other question? Yes: Frida, Fiddler? Yeah, it is the same thing you can do. So we are doing the same thing? In that scenario what I am doing is installing the certificate generated by Burp Suite or Fiddler on the device, and then I am able to intercept the request which the mobile is going to generate. So we are doing a similar thing? No, it is not that. The certificate you are installing on the device is for an application over HTTPS; then there is a problem to intercept the traffic, and that is another case. But in this case it is an Android application, and in the case of plain HTTPS there is no SSL pinning, the application just works over the SSL layer; here the SSL certificate is primarily bound with the application. In the testing case, what we did earlier, when SSL pinning had not come in, was to intercept by installing this certificate on our device and in Burp Suite, and then we could intercept. That is another case; now it is SSL certificate pinning. Yes, any other question? Yes: what are the things we can do after this? See, initially I told you that in the penetration testing phase they were not able to bypass SSL pinning because they cannot intercept the request and response, so performing the attacks was stopped, because they cannot intercept the request; that is the challenge. So here what we are doing is hooking the application and bypassing SSL pinning, and then we can intercept and perform all the attacks on the request and response that a penetration tester does. Thank you.
Yes, Android and iOS, exactly, you can do it. There are conditions: if SSL pinning is properly implemented, that is, two-way authentication is implemented, then it is different, because if there is a flaw, there are solutions. If SSL pinning is properly implemented with two-way authentication, then it is difficult to bypass with any tool. But here there is a weakness: the trust manager is not verifying the certificate, and that is why we are able to bypass. Yes, because here the certificate is not being verified at the application end; the server sends the certificate and it is matched with the certificate bound in the application, and what we are doing is just making that code void, so the checks enabled in the code are not actually performed. That is why. So the SSL pinning check should be properly implemented so that it runs when the first request is triggered. Here we are just disabling it and we are easily able to bypass. If you want, I can repeat the whole process if anyone has any doubt. Yes, because here what we are doing is: there is code in Android that the certificate should be validated before the application request is triggered, so that check should be properly implemented. Here the trust manager is disabled; that is what we are doing here, overriding the trust manager. So if the developer develops that code properly and validates the certificate as mandatory, I think there is still a flaw in that we are just erasing that code and applying our own code, and it is able to bypass. Any more questions? Yes, it means the check that is implemented in the code: the code is that when the first request is triggered, the certificate should be validated.

So here what we are doing is just disabling that whole check. What the tool does is disable the check, and then the regular application sends the request. That is what it is doing here. Yes, the code that is written for SSL pinning uses the trust manager of the device. So whenever that code is executed, it does not verify; it removes that check, and then the application works properly in the normal way; it disables that check. Yes, there are two ways to implement SSL pinning: one is to put the key file, the public key, in the application; the second is to put the certificate in the application. Has anyone installed the complete setup? Yes, the bypassing technique is the same for Android and iOS; for iOS you just need to put ios and sslpinning disable, the same thing. Yes, the emulator is already rooted. We have provided one PDF file which has the list of all the commands; we have shared one link. su: did you run the su command? Put the su command here. If you use copy, here you are: adb shell, maybe go to adb shell. That is why we recommend using only Genymotion here. We have given you all these slides and the video recording as well, and the list of commands. For a browser we cannot implement SSL pinning, because the HTTPS application already has the SSL certificate; as we call it, SSL pinning is certificate binding, so in a browser you cannot bind it, the browser just has a URL, but in the case of Android you bind that certificate, you put that certificate into the APK. Yes, it is only for Android and iOS applications. Yes, what problem are you getting? Okay, try it. What can you use for the JRE first? Oh, that is why; the space can be the problem. It is okay. Do you understand? Which emulator do you use? Is it rooted? That is why I recommend a rooted device; that is why Genymotion, the rooted one. You can try. We shared the tools; I will give you the tool names. These are the tools you are able to download. Okay, yeah, that I can share. Right now all the tools can't be shared, as VirtualBox and the device take a large size, but the tools like adb, Burp Suite, the Frida server and objection I can share. You have already installed them? No, you don't need to open VirtualBox. Yes, already installed. You have installed VirtualBox, right? Already installed. I think there is a problem with VirtualBox, a space issue. No, this one is extra; this is the installation package. Download the latest one and install it again. Can you download it from the VirtualBox site? Don't use the Genymotion we shared; even for your device, I think, download Genymotion from the website. Maybe there is some issue with the one we shared, which was downloaded from the official Genymotion site. Try it out: install from their website, this is the Genymotion website, and then the latest VirtualBox might be there and shared with you. Download the latest Genymotion from their website, because there might be some issue. Which one? This one here? You want to show it? It's not working? Yeah. Is everyone done? I think there are setup problems, so in the meanwhile you can continue with the next part. You guys can go through the video that we have shared if you are facing problems with setting up the software.

Well, we can go through MobSF itself, which is used for static security analysis of mobile apps like Android, iOS and Windows apps as well. Have you guys ever done a basic security check of your mobile apps, with APK Analyzer or apktool? Have you guys ever used MobSF? MobSF is used for static analysis as well as dynamic analysis. Static analysis is like doing a code review of your app, a .apk or .ipa file. See, in an Android app there are different components; there are four types: activities, services, receivers and providers. Here
activities are like screens: home screen, login screen, my account; these are different activities, which represent the basic UI you have in the app. Services are the ones that run in the background. Receivers are the ones that receive broadcast messages. Providers are content providers, which are used to manage access to the application's data; it is like sharing your activities with other apps. You might have seen activities like a product details activity in shopping apps. If you take the example of the Amazon app, you can share a product with your friends; that is a kind of sharing the activity, sharing the screen, with other apps.

Where MobSF comes into the picture is if you want to do a basic security check. You just need to install MobSF; actually you don't need to install anything, you just need to download the framework from GitHub. If you have a git client you can just run the command git clone and give the URL of the MobSF GitHub repo. After that you need to go to the MobSF folder and run the command pip install -r requirements.txt; this will install all the required packages to run MobSF. Once done, you need to run the command python manage.py runserver; this will run the server, and you can access the MobSF site from your localhost. Once done you will get a URL, localhost:8080, and you will see a screen like this. All you need to do is upload the .apk or .ipa file. Once it is done it will display a screen like this; here you can download the report as well. Let's get into the demo. On my machine MobSF is already there; you guys can get the URL from the PDF which I have given and download it from GitHub. Just run the command manage.py runserver. If you have Python installed on your machine, Python 3.7 I guess; 2.7 will also work, but the latest version of Python will be better. I have given it in the PDF; the command is given here. One second. This is the command that you execute: python manage.py runserver. Once done, drag and drop the application, the app on which you want to perform the basic check, into the site. If you have your own app you can test it; I have given the sample app on the pen drive. Just analyze the entire app; it will give you an overview of your application. There are 13 activities, 0 services, 0 receivers and 1 provider. Let's get into it.

It also analyzes the manifest file, which is inside the APK, so it will go through all the permissions required for the application. If the developer has given any other permissions which are not required, for example if your app doesn't need any permission to access the storage of the device, you check whether it is enabled or not, and you can report to your developer that it is not required. Here the permission is read phone state (READ_PHONE_STATE), which is dangerous: it allows the application to access the phone features of the device, the phone number and serial number, which is not required for the app. Meanwhile you can go through the other permissions as well. When it comes to the APK, these are the files. There is one activity, the lesson handler activity. There is one flaw, allowBackup="true". If allowBackup equals true, then you can take a backup of the entire application on the device, and that will also include user data; if the user has saved any data like an address or banking details which is not in encrypted form, the hacker can easily get the entire data. So this needs to be false; if it is true, you need to report it to your developer. And there is a content provider: if the content provider has exported="true", then you need to check whether it is required or not. There are different activities like the my-account section; if it is not required, then other apps should not get the my-account session of the app, because if they can get the session of the user, they can hack the details. That's it. You can download the report from "Download Report"; it will generate a PDF file. That's it. You can do a practical session on it.

Are you guys doing it? Any question? You can use the git command to install it; download it. What is it? MobSF: we need Python 3 because it is compatible with Python 3, but still you can try Python 2 as well. If it is installed, then you can install Python 3 as well. Python 3, guys, download Python 3. Python 3, there is no space. It is working now? Go to the MobSF folder. You are in the MobSF folder? python3, no space, pip install -r requirements.txt; type it and install. These are the requirements needed for executing MobSF. You can even use apktool to reverse engineer the APK file; you can see the entire code if the code is not obfuscated. Python 3, and then this command: use python3 manage.py and so on. The setup is the main problem; if you ignore it, then it will not work. Python 3, but you need to write python3. Yes, copy it. Right, maybe the report will not be generated; there might be some problem. Write python3, try to run that manage file, runserver: python3 manage.py runserver. Download the latest one, the latest release; you can even get it from Docker, you can run the Docker command as well. Debugging takes time. It is giving 8000? You can give your own port, 9000. The report will be generated; you can try. There is a command like docker pull opensecurity, which will just give you the whole setup, so you don't need to run all the commands. This is the command, but your system needs enough space for this. Go to the browser, the port is the one you wrote; write the port number. Now you can use that app to scan.
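As an added example, not part of the talk and not MobSF's own code, here is the manifest review Ravi walks through above (the component overview, the dangerous permission, allowBackup, and exported content providers) done over a constructed AndroidManifest.xml with only the Python standard library. The sample manifest, its package and component names, and the subset of permissions listed in DANGEROUS_PERMISSIONS are assumptions made for this demo. It goes a little beyond the slide by also applying the implicit exported rule for components with an intent filter and by skipping the launcher activity and components already guarded by an android:permission.

```python
"""Added example (not MobSF code): static checks over an AndroidManifest.xml.

Flags the findings discussed in the MobSF walkthrough:
  * dangerous permissions requested by the app,
  * android:allowBackup not explicitly set to "false",
  * exported components that any other app can reach without a permission,
and produces the activity/service/receiver/provider overview MobSF shows.
The sample manifest and DANGEROUS_PERMISSIONS are assumptions for the demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS            # ElementTree spelling of an android:* attribute
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Assumed subset of Android's "dangerous" (runtime-prompted) permissions.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
}

# Constructed sample: a learner-style app carrying the three findings from the talk.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.learner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:allowBackup="true" android:label="Learner">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LessonHandlerActivity"/>
    <provider android:name=".LessonProvider"
              android:authorities="com.example.learner.lessons"
              android:exported="true"/>
    <provider android:name=".SecureProvider"
              android:authorities="com.example.learner.secure"
              android:exported="true"
              android:permission="com.example.learner.READ"/>
  </application>
</manifest>
"""


def component_counts(xml_text):
    """Overview like MobSF's: how many of each component type the app declares."""
    app = ET.fromstring(xml_text).find("application")
    return {tag: len(app.findall(tag)) for tag in COMPONENT_TAGS}


def is_exported(component):
    """Resolve android:exported, including the implicit rule used before API 31:
    a component that declares an intent-filter is exported unless it says
    exported="false"."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """The MAIN/LAUNCHER activity has to be exported, so it is not a finding."""
    return any(
        cat.get(A + "name") == "android.intent.category.LAUNCHER"
        for f in component.findall("intent-filter")
        for cat in f.findall("category")
    )


def audit_manifest(xml_text):
    """Return a list of (kind, subject) findings for the manifest text."""
    root = ET.fromstring(xml_text)
    findings = []

    for perm in root.findall("uses-permission"):
        name = perm.get(A + "name", "")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(("dangerous_permission", name))

    app = root.find("application")
    # An absent allowBackup defaults to true on targets below API 31, so only
    # an explicit "false" counts as safe.
    if app.get(A + "allowBackup", "true").lower() != "false":
        findings.append(("allow_backup", "application"))

    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if not is_exported(comp) or is_launcher(comp):
                continue
            if comp.get(A + "permission"):
                continue  # exported, but callers must hold a permission to use it
            findings.append(("exported_unprotected", "%s %s" % (tag, comp.get(A + "name"))))
    return findings


if __name__ == "__main__":
    print(component_counts(SAMPLE_MANIFEST))
    for kind, subject in audit_manifest(SAMPLE_MANIFEST):
        print("%-22s %s" % (kind, subject))
```

Against the sample manifest this reports READ_PHONE_STATE, allowBackup, and the unprotected exported provider .LessonProvider, while .MainActivity (launcher), .LessonHandlerActivity (not exported) and .SecureProvider (permission-guarded) are left alone. To run it on a real app, extract the manifest with apktool first, since the manifest inside an APK is binary XML that ElementTree cannot parse directly.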