@haxrob
Last active April 29, 2020 10:31
Modify certificate pinning for Australia Government Covidsafe Android Application
  1. Ensure your certificate for the MITM application is in PEM format. For example, Burp Suite exports its certificate in DER, so in that case convert from DER to PEM:

```sh
openssl x509 -inform der -in cacert.der -out cacert.pem
```

Note this certificate also needs to be installed on the Android device. Android expects DER format with the file extension .crt. If in doubt, consult google.com.

  2. Extract all three APKs. `-r` (`--no-res`) tells apktool not to decode resources, which avoids rebuild problems:

```sh
apktool d -f -r au.gov.health.covidsafe.apk
apktool d -f -r config.xxhdpi.apk
apktool d -f -r config.en.apk
```

  3. Replace one of the existing certs with the one used in the MITM application. For example, this one will do:

```
au.gov.health.covidsafe/res/raw/amazon_root_ca_4.pem
```

Remove all the text and replace the complete certificate with your own one, i.e. the one that has also been installed on the Android device and is used by your MITM application:

```
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIFAPDDVxcwDQYJKoZIhvcNAQELBQAwgYoxFDAS
.....
-----END CERTIFICATE-----
```

  4. Rebundle back into APKs. (config.xxhdpi.apk and config.en.apk need to be re-signed as well, which is why they were extracted in the first place. There is probably another way to strip off the signature, but this will do.)

```sh
apktool b config.en/ -o config.en.new.apk
apktool b config.xxhdpi/ -o config.xxhdpi.new.apk
apktool b au.gov.health.covidsafe/ -o au.gov.health.covidsafe.new.apk
```

  5. Download the JDK to get the keytool program: https://www.oracle.com/java/technologies/javase-jdk14-downloads.html

  6. Generate a certificate for signing (enter a password and don't forget it, as it's needed in the next step):

```sh
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
```

  7. Sign all three APKs:

```sh
~/jdk-14.0.1/bin/jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore au.gov.health.covidsafe.new.apk alias_name
~/jdk-14.0.1/bin/jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore config.xxhdpi.new.apk alias_name
~/jdk-14.0.1/bin/jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore config.en.new.apk alias_name
```

  8. Install the rebuilt, re-signed APKs on the Android device. All three are needed (and they must carry the same signature), so use install-multiple:

```sh
adb install-multiple config.en.new.apk au.gov.health.covidsafe.new.apk config.xxhdpi.new.apk
```
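To see exactly which certificates a build bundles under res/raw, whether to confirm the swap above or, from the app owner's side, to spot a repackaged build whose pin file no longer matches what was shipped, here is an added Python helper; it is not part of this gist. It assumes the caller reads each res/raw/*.pem into a name-to-text dict, and the fingerprints used with it below are constructed test values, not the real Amazon Root CA 4 fingerprint.

```python
import base64
import hashlib
import re

# One PEM certificate block; the group captures the base64 body.
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> list:
    """DER bytes of every certificate in a PEM string; [] if any body is not valid base64."""
    try:
        return [base64.b64decode("".join(b.split()), validate=True) for b in _PEM_RE.findall(pem_text)]
    except ValueError:  # binascii.Error is a ValueError
        return []


def der_to_pem(der: bytes) -> str:
    """PEM envelope around DER bytes, 64-column body as `openssl x509 -inform der` writes it."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated uppercase hex."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def audit_pem_files(files: dict, expected: dict) -> dict:
    """Compare bundled PEM files (name -> PEM text) against expected fingerprints (name -> fp).

    Returns name -> "ok", "MISMATCH", "UNEXPECTED", "UNPARSEABLE" or "MISSING".
    """
    verdicts = {}
    for name, pem_text in files.items():
        ders = pem_to_der(pem_text)
        if len(ders) != 1:          # empty, multi-cert or corrupt file
            verdicts[name] = "UNPARSEABLE"
        elif name not in expected:  # a pin file the original app did not ship
            verdicts[name] = "UNEXPECTED"
        elif sha256_fingerprint(ders[0]) == expected[name]:
            verdicts[name] = "ok"
        else:                       # same file name, different certificate
            verdicts[name] = "MISMATCH"
    for name in expected:
        verdicts.setdefault(name, "MISSING")
    return verdicts
```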

Now any HTTPS traffic sent from the app through an in-line proxy, or intercepted by other means (e.g. sslstrip), will be visible in plain text. The intention here is dynamic analysis on your own device to understand how the software works. Please see the relevant legislation to understand what is and is not permitted: https://www.legislation.gov.au/Details/F2020L00480
