Android APK cert pinning removal and MiTM - focusing on Sense Home Energy Monitor APK
References:
https://dl.google.com/android/repository/tools_r25.2.3-windows.zip
https://medium.com/@felipecsl/bypassing-certificate-pinning-on-android-for-fun-and-profit-1b0d14beab2b#.pnph846be
http://www.security-assessment.com/files/documents/whitepapers/Bypassing%20SSL%20Pinning%20on%20Android%20via%20Reverse%20Engineering.pdf
https://stackoverflow.com/questions/64364407/app-not-installing-in-android-11-but-works-on-previous-versions
1) Download apktool, the build tools (http://androidsdkoffline.blogspot.com/p/android-sdk-build-tools.html) and the platform tools (https://developer.android.com/studio/releases/platform-tools.html), then decode the APK:
"C:\Users\mbrown\Desktop\Sense APK\apktool" d base.apk
2) Locate the certificate pinning:
findstr /s /i /c:"CertificatePinner$Builder" *.*
shows the string in:
"C:\Users\mbrown\Desktop\Sense APK\base\smali\com\sense\androidclient\e\a.smali"
3) Make the edits to the .smali files:
look for all instances of "$Builder;->add" and delete the lines between the line containing
CertificatePinner$Builder;-><init>()
and the line containing
CertificatePinner$Builder;->build()
As of 2/6/2017 the lines removed are:
const-string v1, "api.sense.com"
new-array v2, v5, [Ljava/lang/String;
const-string v3, "sha256/HASYeObKKdQXEHLTIPUMUy9WBXQRzykPSYqf/HZX1ZE="
aput-object v3, v2, v4
.line 70
invoke-virtual {v0, v1, v2}, Lokhttp3/CertificatePinner$Builder;->add(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;
move-result-object v0
const-string v1, "api.sense.com"
new-array v2, v5, [Ljava/lang/String;
const-string v3, "sha256/nwDSX8WPqNCwewH20Ii61odFmXsG26cfVtvaZtJMdQw="
aput-object v3, v2, v4
.line 71
invoke-virtual {v0, v1, v2}, Lokhttp3/CertificatePinner$Builder;->add(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;
move-result-object v0
const-string v1, "api.sense.com"
new-array v2, v5, [Ljava/lang/String;
const-string v3, "sha256/5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="
aput-object v3, v2, v4
.line 72
invoke-virtual {v0, v1, v2}, Lokhttp3/CertificatePinner$Builder;->add(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;
move-result-object v0
4) Recompile the APK:
"C:\Users\mbrown\Desktop\Sense APK\apktool" b .\base -o com.sense.androidclient.unaligned.apk
5) Generate a key and keystore:
"%JAVA_HOME%\bin\keytool" -genkey -v -keystore my-release-key.keystore -alias my-release-key -keyalg RSA -validity 10000
# Before Android 11 you could simply sign, then zipalign; from Android 11 on you must zipalign first, then sign with `apksigner`.
#6) sign the unaligned apk (old method, superseded by steps 6 and 7 below)
#"%JAVA_HOME%\bin\jarsigner" -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my-release-key.keystore -storepass keystore com.sense.androidclient.unaligned.apk my-release-key
6) zipalign:
"C:\Users\mbrown\Desktop\Sense APK\android-7.1.1\zipalign.exe" -v 4 com.sense.androidclient.unaligned.apk com.sense.androidclient.aligned.apk
7) Sign:
apksigner sign --ks my-release-key.keystore com.sense.androidclient.aligned.apk
8) Uninstall the old Sense app:
.\platform-tools\adb.exe uninstall com.sense.androidclient
9) Install the modified version of the Sense app:
.\platform-tools\adb.exe install .\com.sense.androidclient.aligned.apk
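As an added example (not part of the gist or of the Sense app), the same CertificatePinner$Builder;->add call sites that steps 2 and 3 locate can be parsed to audit a build rather than to strip it. The script below tracks the smali registers that feed each add() call, lists the pinned hosts and pins, checks that each pin is a well-formed base64 SHA-256 SPKI digest and that every host carries a backup pin, and compares the result against an expected set, so a release check catches a build whose pins are missing or have been removed as in step 3. The sample smali is the gist's own listing; the const/4 line for v4 and the <init>()/build() lines are assumed context, and the hostnames and pin values come from the page.

```python
# Added example (not part of the gist): audit the OkHttp CertificatePinner
# configuration in decompiled smali instead of removing it.
import base64
import binascii
import re

# Constructed sample: the smali quoted in step 3, plus the <init>()/build()
# lines the gist refers to but does not print. The const/4 for v4 (the array
# index register) is assumed; the gist's ".line" directives are omitted.
PINNED_SMALI = """\
    const/4 v4, 0x0
    invoke-direct {v0}, Lokhttp3/CertificatePinner$Builder;-><init>()V
    const-string v1, "api.sense.com"
    new-array v2, v5, [Ljava/lang/String;
    const-string v3, "sha256/HASYeObKKdQXEHLTIPUMUy9WBXQRzykPSYqf/HZX1ZE="
    aput-object v3, v2, v4
    invoke-virtual {v0, v1, v2}, Lokhttp3/CertificatePinner$Builder;->add(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;
    move-result-object v0
    const-string v1, "api.sense.com"
    new-array v2, v5, [Ljava/lang/String;
    const-string v3, "sha256/nwDSX8WPqNCwewH20Ii61odFmXsG26cfVtvaZtJMdQw="
    aput-object v3, v2, v4
    invoke-virtual {v0, v1, v2}, Lokhttp3/CertificatePinner$Builder;->add(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;
    move-result-object v0
    const-string v1, "api.sense.com"
    new-array v2, v5, [Ljava/lang/String;
    const-string v3, "sha256/5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="
    aput-object v3, v2, v4
    invoke-virtual {v0, v1, v2}, Lokhttp3/CertificatePinner$Builder;->add(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;
    move-result-object v0
    invoke-virtual {v0}, Lokhttp3/CertificatePinner$Builder;->build()Lokhttp3/CertificatePinner;
"""
# What step 3 leaves behind: the builder is created and built with no add() calls.
STRIPPED_SMALI = """\
    invoke-direct {v0}, Lokhttp3/CertificatePinner$Builder;-><init>()V
    invoke-virtual {v0}, Lokhttp3/CertificatePinner$Builder;->build()Lokhttp3/CertificatePinner;
"""
# Pins the build is expected to carry, taken from the gist's own listing.
EXPECTED_PINS = {"api.sense.com": {
    "sha256/HASYeObKKdQXEHLTIPUMUy9WBXQRzykPSYqf/HZX1ZE=",
    "sha256/nwDSX8WPqNCwewH20Ii61odFmXsG26cfVtvaZtJMdQw=",
    "sha256/5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU=",
}}

RE_CONST_STR = re.compile(r'^\s*const-string(?:/jumbo)?\s+(v\d+),\s*"(.*)"\s*$')
RE_CONST_INT = re.compile(r'^\s*const(?:/4|/16)?\s+(v\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)\s*$')
RE_NEW_ARRAY = re.compile(r'^\s*new-array\s+(v\d+),\s*(v\d+),\s*\[Ljava/lang/String;\s*$')
RE_APUT = re.compile(r'^\s*aput-object\s+(v\d+),\s*(v\d+),\s*(v\d+)\s*$')
RE_ADD = re.compile(r'^\s*invoke-virtual\s+\{(v\d+),\s*(v\d+),\s*(v\d+)\},\s*Lokhttp3/CertificatePinner\$Builder;->add\(')

def extract_pins(smali):
    """Return {host: [pins]} by tracking the registers that feed each add() call."""
    regs, arrays, hosts = {}, {}, {}
    for line in smali.splitlines():
        if m := RE_CONST_STR.match(line):
            regs[m[1]] = m[2]                      # string constant into register
        elif m := RE_CONST_INT.match(line):
            regs[m[1]] = int(m[2], 0)              # int constant (array index/length)
        elif m := RE_NEW_ARRAY.match(line):
            arrays[m[1]] = {}                      # fresh String[]: index -> value
        elif m := RE_APUT.match(line):
            src, arr, idx = m.groups()
            arrays.setdefault(arr, {})[regs.get(idx, 0)] = regs.get(src)
        elif m := RE_ADD.match(line):
            _builder, host, arr = m.groups()       # add(host, String[] pins)
            pins = [v for _, v in sorted(arrays.get(arr, {}).items()) if v is not None]
            hosts.setdefault(regs.get(host), []).extend(pins)
    return hosts

def validate_pin(pin):
    """Return None for a well-formed "sha256/<base64 SPKI digest>" pin, else a reason."""
    if not pin.startswith("sha256/"):
        return "unexpected pin algorithm prefix"
    try:
        digest = base64.b64decode(pin[len("sha256/"):], validate=True)
    except (binascii.Error, ValueError):
        return "not valid base64"
    return None if len(digest) == 32 else "digest is %d bytes, expected 32" % len(digest)

def audit_pins(smali, expected=None):
    """Return a list of findings; an empty list means the pinning passed the checks."""
    hosts = extract_pins(smali)
    findings = []
    if not hosts:
        findings.append("no CertificatePinner.add() calls found: pinning absent or stripped")
    for host, pins in hosts.items():
        findings += ["%s: malformed pin %s (%s)" % (host, p, validate_pin(p))
                     for p in pins if validate_pin(p)]
        if len(set(pins)) < 2:   # a single pin leaves no room to rotate the key safely
            findings.append("%s: single pin, no backup pin for key rotation" % host)
    for host, want in (expected or {}).items():
        missing = want - set(hosts.get(host, []))
        if missing:
            findings.append("%s: expected pins missing: %s" % (host, ", ".join(sorted(missing))))
    return findings

if __name__ == "__main__":
    for name, sample in (("release build", PINNED_SMALI), ("after step 3", STRIPPED_SMALI)):
        print(name, "->", audit_pins(sample, EXPECTED_PINS) or ["OK"])
```

Run it directly to see the two outcomes side by side: the intact listing passes, while the stripped builder reports both the absence of add() calls and every expected pin as missing. To audit a real decode, read the .smali file that findstr reported in step 2 and pass its contents to audit_pins with the pins your release is supposed to carry.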
Download Charles Proxy.
Go to Help > SSL Proxying (the exact item name may differ) and save the Charles Proxy certificate.
Email the .pem to yourself.
Open it on your Android device, name it anything and allow it to be used for VPN and apps.
The cert will be added to your user cert store.
Start Charles Proxy on your PC.
Go to Proxy > SSL Proxying Settings and add api.sense.com and mb1.home.sense.com, leaving the ports blank (you might recognize these FQDNs from the smali file earlier).
On your Android phone, long press the Wi-Fi icon in your quick access toolbar (or go to Wi-Fi settings), find the Wi-Fi network your PC is connected to and long press the network name.
Manage network settings > Proxy > Manual > set the proxy host name to the IP of the machine where Charles is running; the proxy port is probably 8888.
Once completed, you should be able to see SSL/TLS encrypted traffic within Charles.