When mobile applications communicate with an API or web service, this should generally happen via TLS/SSL (e.g., HTTPS).
In order to verify the identity of the server and to prevent man-in-the-middle attacks, TLS relies on certificates which
prove the identity of the web server. Browsers and mobile operating systems come preconfigured with a list of trusted Certificate Authorities (CAs).
Since any of the CAs may issue a certificate for any hostname/server, security-conscious applications
should “pin” the expected server certificate in the application, i.e., not accept any certificate but the one issued
by the known-good CA which the application developer uses.
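To make the pinning check itself concrete, here is an added example in Python (not code from this post or from the Kill Switch) that derives a public-key pin from a server's DER certificate and compares it against the values pinned in the app. It assumes the app can obtain the peer's DER certificate (e.g. via `getpeercert(binary_form=True)`), uses a deliberately minimal DER walker, and builds a constructed, unsigned sample certificate rather than a real one.

```python
import base64
import hashlib
import hmac

def der_tlv(tag, body):
    """Encode one DER element (used here only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Decode the DER element at buf[pos]; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(der_cert):
    """Return the raw subjectPublicKeyInfo element of an X.509 certificate."""
    _, cert_body, _ = read_tlv(der_cert, 0)       # Certificate ::= SEQUENCE
    _, tbs_body, _ = read_tlv(cert_body, 0)       # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs_body):                    # split tbsCertificate into its elements
        tag, _, end = read_tlv(tbs_body, pos)
        fields.append((tag, tbs_body[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                      # EXPLICIT [0] version is optional
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]

def spki_pin(der_cert):
    """Pin = base64(SHA-256(DER subjectPublicKeyInfo)); unchanged when the cert is renewed with the same key."""
    return base64.b64encode(hashlib.sha256(extract_spki(der_cert)).digest()).decode()

def verify_pins(der_cert, pinned):
    """Accept the certificate only if its key matches one of the pinned values (primary or backup)."""
    pin = spki_pin(der_cert)
    return any(hmac.compare_digest(pin, p) for p in pinned)

def sample_cert(key_bits, with_version=True):
    """Constructed, unsigned certificate skeleton for the demo (not a real certificate)."""
    spki = der_tlv(0x30, der_tlv(0x30, b"\x06\x03\x2a\x03\x04") + der_tlv(0x03, b"\x00" + key_bits))
    version = der_tlv(0xA0, b"\x02\x01\x02") if with_version else b""
    tbs = version + der_tlv(0x02, b"\x01") + der_tlv(0x30, b"") * 4 + spki
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```

Pinning the public key of the known-good CA (or an intermediate) rather than the leaf lets server certificates rotate without an app update, and shipping a backup pin avoids locking users out if the pinned key is lost.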
From a penetration testing perspective, this may cause practical problems since
it is difficult to intercept the communication of an application that makes use
of this technique. Without pinning, interception typically involves adding the TLS
certificate of an intercepting proxy (such as
Burp) to the certificate store of the target operating
system. However, when the app uses certificate pinning, this store is often ignored. On iOS, when the app uses standard
iOS APIs, the iOS SSL Kill Switch, developed by Matasano’s sister
company iSEC Partners, can be used to bypass pinning and force the application to
accept any certificate presented by the server or proxy. The Kill Switch uses the
Cydia Substrate which hooks the iOS functions used for certificate validation and
modifies them so that they accept any certificate. It becomes more complicated when the app uses the
OpenSSL library instead of the native iOS frameworks, since it is not affected by the Kill Switch.
There is more than one way of bypassing OpenSSL-based certificate pinning, and in our
newly posted whitepaper we discuss two of the major
approaches: binary patching and in-memory hooking (using cycript). In this blog post we
focus on the former method as it is better suited for teaching a low-level understanding of how the bypass operates.
Binary patching is also the more versatile technique since it is applicable to platforms
where tools like cycript and Cydia Substrate are not readily available.