Full Report
In late Jan, someone opened a GitHub issue in the objection repository about Android 7's Network Security Configuration. The issue author included a blog post from the NCC Group about this very topic which included some very helpful bits of information (which you should totally read). Naturally, I wanted to enhance objection to be able to get past this new security feature, so the testing began. I installed a Burp CA as one would normally do for assessments, as well as a small test application with certificate pinning disabled, and quickly realised that literally no network traffic was passing through. Inspecting the output of adb logcat, one would see messages such as the following for our failed requests:
Analysis Summary
# Tool/Technique: Android Network Security Configuration Bypass (via Objection enhancements)
## Overview
This pertains to techniques developed to bypass the security restrictions introduced by Android 7's Network Security Configuration (NSC), specifically when testing applications configured to enforce certificate pinning or other strict trust policies that prevent traffic interception (e.g., via a proxy like Burp Suite). The enhancements were integrated into the runtime analysis tool, **Objection**.
## Technical Details
- Type: Tool / Technique
- Platform: Android (specifically targeting Android 7 and newer features related to NSC)
- Capabilities: Modifying application binaries (repackaging) or hooking runtime execution to bypass NSC restrictions, allowing tools like Burp Suite to intercept HTTPS traffic.
- First Seen: The issue discussed originated in late January (implied 2018), with the implementation being discussed in March 2018.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- T1562 - Impair Defenses
- T1562.001 - Impair Defenses: Disable or Modify Antivirus or Endpoint Detection and Response Tools (Analogous: Modifying application trust stores/configuration to impair security checks)
## Functionality
### Core Capabilities
The bypass methods implemented within Objection focused on two primary vectors:
1. **Repackaging Enhancements:** Automatically modifying the application's `AndroidManifest.xml` to include the `networkSecurityConfig` attribute pointing to a configuration file that allows user CAs (disabling strict NSC behavior). The tool then repackages the APK.
2. **Runtime Enhancements (Frida Hooking):** Bypassing NSC checks dynamically at runtime by hooking critical Java methods.
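As an added defender's check for the repackaging vector described above (example code, not from objection or the original post), this script audits a decoded APK's manifest and Network Security Configuration for the loosened trust such a repackaging introduces: user-installed CAs outside `debug-overrides`, or cleartext traffic. The apktool-style layout, the resource names and all sample XML are assumptions constructed for the example.

```python
"""Audit a decoded APK's Network Security Configuration for loosened trust.
Added example, not code from objection or the original post; assumes apktool-style
decoded res/xml/ files passed as a dict of resource name -> XML text (samples constructed)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed manifest: repackaged to point at a permissive config.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""
# Constructed config of the kind a repackaging bypass injects: every
# domain trusts user-installed CAs (such as an intercepting proxy's CA).
PERMISSIVE_NSC = """<network-security-config>
  <base-config><trust-anchors>
    <certificates src="system"/><certificates src="user"/>
  </trust-anchors></base-config>
</network-security-config>"""
# Constructed hardened config: system CAs only; user CAs appear only under
# debug-overrides, which Android honours solely in debuggable builds.
STRICT_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""


def audit_nsc(manifest_xml, xml_resources):
    """Return findings where the NSC trusts user CAs or permits cleartext."""
    app = ET.fromstring(manifest_xml).find("application")
    ref = app.get(ANDROID_NS + "networkSecurityConfig") if app is not None else None
    if not ref or not ref.startswith("@xml/"):
        return ["no networkSecurityConfig: platform default (system CAs only on API 24+)"]
    debuggable = app.get(ANDROID_NS + "debuggable") == "true"
    findings = []
    for section in ET.fromstring(xml_resources[ref[len("@xml/"):]]):
        if section.tag == "debug-overrides" and not debuggable:
            continue  # inert in a release build, so not a finding
        scope = section.tag
        if section.tag == "domain-config":
            scope += "(" + ",".join(d.text for d in section.findall("domain")) + ")"
        if section.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{scope}: cleartext traffic permitted")
        # iter() also covers nested <domain-config> elements under this section
        if any(c.get("src") == "user" for c in section.iter("certificates")):
            findings.append(f"{scope}: trusts user-installed CAs")
    return findings
```

Run against a real decode by reading `AndroidManifest.xml` and each `res/xml/*.xml` into the dict; an unexpected `trusts user-installed CAs` finding in a release build is the integrity signal the mitigation section below asks for.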
### Advanced Features
The runtime enhancement specifically targeted the certificate validation process occurring in `com.android.org.conscrypt.TrustManagerImpl.verifyChain`. By replacing the implementation of `verifyChain` to simply return the original untrusted chain without validation checks, the `javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found` was avoided, allowing the connection to proceed and traffic to be intercepted.
## Indicators of Compromise
In this context, the indicators relate to the successful execution of the bypass technique rather than traditional malware artifacts:
- File Hashes: N/A (Relates to functionality modification of an existing APK)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Successful connection attempts to proxy servers (e.g., Burp Suite) when the application was previously failing due to certificate validation errors.
- Behavioral Indicators:
* `adb logcat` output in which the `javax.net.ssl.SSLHandshakeException` messages stop, followed by successful SSL/TLS negotiations against a non-system CA.
* The use of the Objection command `android sslpinning disable`.
## Associated Threat Actors
The primary tool mentioned is **Objection**, used mostly by security researchers and penetration testers (e.g., SensePost researchers). It is not associated with a specific malicious threat actor; it is a red team / testing utility.
## Detection Methods
Detection focuses on identifying the presence or use of dynamic instrumentation tools or modified application binaries:
- Signature-based detection: Detecting known scripts or binaries associated with Objection or Frida.
- Behavioral detection: Monitoring for hooking of core system security or SSL/TLS validation classes like `com.android.org.conscrypt.TrustManagerImpl` during application execution.
- YARA rules: Not applicable based on the provided context (focus is on runtime/binary modification).
## Mitigation Strategies
The mitigation strategies are aimed at hardening the application against runtime manipulation and resisting NSC bypasses:
- **Prevention measures:** Implementing *Integrity Checks* (e.g., checksum verification) on critical application files or configuration paths.
- **Hardening recommendations:** Combining NSC configuration with robust **Certificate Pinning Implementation** that resists common hooking techniques, potentially by verifying the certificate chain roots earlier or using obfuscation/anti-hooking techniques that protect the `TrustManagerImpl`.
## Related Tools/Techniques
- **Objection:** The primary tool enhanced to implement this bypass.
- **Frida:** The underlying dynamic instrumentation toolkit used to apply runtime hooks.
- **Burp Suite:** The intercepting proxy whose CA certificate the bypass aims to get the application to trust.
- **Android Network Security Configuration (NSC):** The security feature being bypassed.