Saturday 17 October 2015

Mobile: Identify SSL pinning in mobile application

Hi Friends,

Today we are going to see how to identify whether a mobile application uses certificate pinning for its https communication with its server on the internet. This is applicable to all platforms (Android, iOS, etc.).

So let's start...

Requirements:
1. A mobile.
2. A desktop or laptop with a proxy tool. I am using Fiddler as the proxy tool.
3. A Wi-Fi internet connection.

Step 1: Install the application to be tested for Certificate Pinning on the Mobile.

Step 2: Start the Fiddler proxy on the desktop/laptop and configure it to listen on a particular port. In this demo, I am using port 8080.

Step 3: Configure the desktop's/laptop's IP address and port 8080 as the proxy in the Wi-Fi settings of the mobile.

Step 4: Set Fiddler to non-decrypting mode, i.e. Fiddler won't decrypt any SSL traffic but will act as a passive proxy.

Step 5: Test that the Fiddler proxy on the desktop/laptop is capturing the traffic from the mobile by browsing any site in the mobile's browser.

Step 6: Set Fiddler to decrypting mode, i.e. set Fiddler to act as an active proxy and also decrypt the SSL traffic of https sites.

Step 7: Export the Fiddler root certificate.

Step 8: Install it on the mobile. This ensures that the Fiddler certificate is trusted by the application, as it is now in the trusted store of the mobile. To install a CA certificate in Android: Settings > Security > Install from storage > locate the certificate and install it.

Step 9: Browse an https site in the mobile browser and ensure that no certificate error is produced. If a certificate error is produced, the mobile browser is not trusting our installed CA certificate; in this case, restart the mobile. If no error occurs, move on to the next step.

Step 10: Set Fiddler in non-decrypting mode.

Step 11: Open the application under test. The application should be able to communicate with its server on the internet. Browse through its features. Only CONNECT requests will be seen in Fiddler and no data, since it is acting as a passive proxy. If the application does not work after setting the proxy in the Wi-Fi settings, the application may be detecting the proxy and refusing to work when one is detected. I'll explain proxy detection bypass in the next blog.

Step 12: This step determines whether the application is using SSL pinning or not. Set Fiddler to decrypting mode again. Open the application under test. If the application opens up properly and its traffic is captured in Fiddler, no SSL pinning is implemented. If SSL pinning is implemented, the application will throw an error such as 'Cannot connect to the server' or 'Check the network' and won't open or go further.
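As an added example that is not part of the original post, here is the decision rule of steps 11 and 12 written out as a small Python script run over a constructed session list; the hostnames and the four-column log format are assumptions for the demo, not Fiddler's own export format.

```python
from collections import defaultdict

# Constructed sample of what a tester notes from Fiddler's session list; it is not a
# real Fiddler export. Columns: Fiddler mode ("passive" = not decrypting, "decrypt"
# = decrypting), host, method ("CONNECT" is an opaque tunnel, any other verb means
# the request was decrypted), response status (0 = client dropped the connection).
SAMPLE_LOG = """\
passive api.example-bank.test CONNECT 200
passive cdn.example-bank.test CONNECT 200
passive guard.example-bank.test CONNECT 0
decrypt api.example-bank.test CONNECT 200
decrypt cdn.example-bank.test CONNECT 200
decrypt cdn.example-bank.test GET 200
decrypt guard.example-bank.test CONNECT 0
"""

PROXY_DETECTED = "no tunnel even in passive mode: app may detect the proxy (step 11)"
NOT_PINNED = "decrypted requests seen: no SSL pinning on this host (step 12)"
PINNED = "tunnel only, no decrypted requests: SSL pinning likely (step 12)"


def parse_log(text):
    """Parse 'mode host method status' lines into (mode, host, method, status) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            mode, host, method, status = line.split()
            rows.append((mode, host, method, int(status)))
    return rows


def classify(rows):
    """Apply the article's decision rule per host and return {host: verdict}."""
    passive_ok = defaultdict(bool)  # tunnel established while Fiddler was passive
    decrypt_ok = defaultdict(bool)  # plaintext request seen while Fiddler decrypted
    hosts = set()
    for mode, host, method, status in rows:
        hosts.add(host)
        if mode == "passive" and method == "CONNECT" and status == 200:
            passive_ok[host] = True
        elif mode == "decrypt" and method != "CONNECT" and status > 0:
            decrypt_ok[host] = True
    verdicts = {}
    for host in sorted(hosts):
        if not passive_ok[host]:
            verdicts[host] = PROXY_DETECTED  # step 11: app never got through the proxy
        elif decrypt_ok[host]:
            verdicts[host] = NOT_PINNED      # step 12: app accepted Fiddler's certificate
        else:
            verdicts[host] = PINNED          # step 12: app rejected Fiddler's certificate
    return verdicts
```

On Android 7 and later, apps ignore user-installed CA certificates by default, so a PINNED verdict there is not by itself proof of pinning; check the app's network security configuration before concluding.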

Hope the above steps help in mobile security testing. Explaining SSL pinning bypass would require a tutorial of its own; I'll cover that in the next blog.

Happy Testing :)