Full Report
This blog post covers the research I presented at BSides JoBurg. You can watch the talk on YouTube, and the code can be found on our GitHub page. The journey started after looking at some certificate-pinned apps. The majority of apps that appear to implement certificate pinning don't actually pin at all; they either use a custom trust manager or are simply not proxy aware (this also applies to frameworks such as Flutter). The first step is therefore to ensure that application traffic is forced through our proxy. I used an OpenVPN server when working with a physical device and the Android emulator's proxy settings when working with a virtual device.
Analysis Summary
# Tool/Technique: Memunpin (Certificate Pinning Memory Patching)
## Overview
This technique involves bypassing mobile application certificate pinning by dynamically patching the application's memory. Instead of traditional function hooking (which can be difficult in stripped native binaries or non-standard engines like Flutter/Dart), this method identifies and replaces certificate hashes (SHA256/SHA1) or Public Key data stored in memory with the researcher's own proxy CA hash.
## Technical Details
- **Type**: Technique / Tool
- **Platform**: Android (applicable to physical devices and emulators)
- **Capabilities**: Binary memory searching, dynamic memory patching, SSL/TLS interception, certificate hash extraction.
- **First Seen**: Research presented at BSides JoBurg 2024.
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
  - **T1557 - Adversary-in-the-Middle**
- **TA0005 - Defense Evasion**
  - **T1562.001 - Impair Defenses: Disable or Modify Tools** (bypassing security controls such as pinning)
- **TA0007 - Discovery**
  - **T1012 - Query Registry** (in the context of searching memory strings/values)
## Functionality
### Core Capabilities
- **Traffic Redirection**: Forcing application traffic through a proxy (e.g., Burp Suite) using OpenVPN for physical devices or emulator proxy settings.
- **Hash Identification**: Utilizing OpenSSL CLI tools to extract the legitimate certificate chain and calculate the exact SHA256/SHA1/MD5 hashes used by the target application.
- **Dynamic Memory Search**: Scanning the application's memory space for specific hexadecimal representations of certificate hashes or public keys.
- **Automated Patching**: Replacing the detected legitimate hashes in memory with the attacker's/researcher's proxy CA hash in real-time.
### Advanced Features
- **Library Agnostic**: Targets underlying libraries like BoringSSL (used by Dart/Flutter) and Conscrypt, even when function symbols are missing.
- **Signature Swapping**: Capability to handle both short certificate digests (hashes) and full root CA public keys (DER/PEM formats).
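To make concrete what the hashes under Hash Identification and Signature Swapping actually are, here is an added Go example (not the memunpin code nor anything from the original post, and done in Go rather than with the OpenSSL CLI the post uses): `Pin` computes the digest an app embeds, applied either to the DER SubjectPublicKeyInfo as Android's Network Security Config does or to the whole DER certificate, and `VerifyChain` performs the pin check an app runs on a peer chain. The certificate is a constructed self-signed one generated inside the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// Pin returns base64(SHA-256(data)). Apps apply it to the DER SubjectPublicKeyInfo
// (the Network Security Config form) or to the whole DER certificate.
func Pin(data []byte) string {
	sum := sha256.Sum256(data)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyChain is the check an app runs on the peer's chain (raw DER, leaf first):
// accept only if some certificate's SPKI pin is in the embedded set. That set
// lives in the data segment, which is exactly where a memory patcher searches.
func VerifyChain(rawChain [][]byte, pins map[string]bool) error {
	for _, raw := range rawChain {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		if pins[Pin(cert.RawSubjectPublicKeyInfo)] {
			return nil
		}
	}
	return errors.New("no certificate in chain matches a pinned key")
}

// NewSelfSignedDER builds a throwaway ECDSA P-384 certificate (constructed test input).
func NewSelfSignedDER(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

A chain signed by a different key, such as a proxy CA, fails the check as long as the pin set in memory is the one the developer shipped; it is the alteration of that set that the Integrity Checking entry under Detection Methods aims to catch.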
## Indicators of Compromise
- **File Names**: `memunpin` (GitHub repository tool name).
- **Network Indicators**:
  - Connection attempts to `ecc384.badssl[.]com` (research test domain).
  - Use of local VPN tunnels (OpenVPN) to redirect mobile traffic.
- **Behavioral Indicators**:
  - Presence of Frida server on the mobile device.
  - Unexpected memory modification of the `libssl.so`, `libboringssl.so`, or Flutter engine binaries.
  - Rapid sequential memory reads/writes originating from a debugger or instrumentation framework.
## Associated Threat Actors
- Primarily used by **Security Researchers** and **Penetration Testers**.
- Potentially utilized by sophisticated actors engaged in **Reverse Engineering** or **Espionage** to intercept encrypted traffic of secure messaging or financial apps.
## Detection Methods
- **Behavioral Detection**: Monitoring for the use of dynamic instrumentation tools like Frida or Objection on the device.
- **Integrity Checking**: Implementing runtime self-checksums or memory integrity checks to detect if certificate hashes in the data segment have been altered.
- **Environment Attestation**: Detecting rooted devices or the presence of VPNs/Proxies that are not system-standard.
## Mitigation Strategies
- **Certificate Transparency**: Implement CT log checking to ensure certificates are valid and logged publicly.
- **Obfuscation**: Obfuscating hardcoded hashes or public keys to make them harder to identify via memory scanning.
- **Standardized Pinning**: Utilizing the Android Network Security Configuration (`network_security_config.xml`) which, while bypassable, provides a standardized layer of security.
- **Anti-Instrumentation**: Implementing checks to detect Frida, Xposed, or other injection frameworks at application startup.
## Related Tools/Techniques
- **Frida**: Used for memory manipulation and function hooking.
- **Objection**: A runtime mobile exploration toolkit.
- **HTTP Toolkit**: Used for testing SSL pinning implementations.
- **BoringSSL/OpenSSL**: The underlying cryptographic libraries targeted by this technique.