In the usual web application security testing, testers take advantage of proxy tools such as Burp Suite or OWASP Zap to tamper with the parameter of HTTP requests to the server and observe the traffic. There are also built-in scanning tools and add-on/plugins that can be integrated for more specific tests. For a web application that uses certificates, the resolution is to add Burp’s certificate to the trusted certificates so the traffic can still pass through the proxy.
However, when doing security tests in mobile apps, this can be a problem. A lot of mobile apps that use certificates implement SSL pinning, thus, it will not connect to the proxy as it doesn’t recognize it as a legitimate connection. Installing Burp’s certificate in the browser will not do any good as the mobile app does not pass through the mobile browser. There are different approaches to resolving this issue. One is to root the OS and install Burp’s certificate in the System Certificate list. By default, Burp’s certificate can only be installed in the User Certificate list if the OS is not rooted. The other approach is to disassemble the .apk file (assuming Android) using apktool and Frida, then disabling the SSL pinning there or referring to Burp’s Certificate as valid.
Depending on the setup, approach 1 or 2 may work. But the steps and tools may be complex as you need to disassemble and assemble the code back again. There are times when you need to do trial and error just to find out which approach or tweaks will work.
MobSF Dynamic Analysis
One of the tools I found is the Mobile Security Framework. It is a security tool that contains both static and dynamic analysis for Android, iOS, and Windows. What I like about the tool is that it automates the disassembling part and analysis of the Manifest and other parts of the code. It also has a risk scoring based on OWASP Mobile Top 10 and CVSS.
One of the more important features is the dynamic analysis. It can execute the uploaded APK to an emulator and execute runtime tests. Note that for dynamic analysis to work, MobSF must be installed in the host and not in a Guest/VM.
Bypassing SSL Pinning
Bypassing SSL Pinning is easy once you have set up the Dynamic Analysis feature of MobSF. Frida is already built-in and you can see the logs. In the example, we uploaded Wikipedia’s APK for static and dynamic analysis. When you start to. There are default settings such as API Monitoring, SSL Pinning Bypass, Root Detection Bypass, and Debugger Bypass.
Go to Frida Live Logs to see the status of the functions implemented. Browse through the mobile app in Genymotion and see the updates in the Frida Live Logs. It will also indicate if SSL Pinning has been bypassed.
Sending the HTTP/S Requests to Burp Suite
After bypassing SSL Pinning, we can now redirect the traffic to a proxy such as Burp Suite. You can go to Generate Report and go to HTTP(S) traffic to verify whether requests and responses are recorded. Once verified, you can go to Start HTTPTools to send the repeat the request to a proxy.
From there you can send the captured traffic to the Fuzzer by setting the IP and port used by the proxy (usually localhost:8080). Just make sure that you have the same set up in the proxy and toggle the Intercept button to “off” and you’re good to go.
Conclusion
These key features of MobSF will help security testers in analyzing the traffic of mobile applications. The tedious task of manually disassembling and assembling the app is resolved and more time can now be allocated to testing the logic and flow of the application.
