@mbrownnycnyc
Last active March 18, 2023 03:32
Android APK cert pinning removal and MiTM - focusing on Sense Home Energy Monitor APK
https://dl.google.com/android/repository/tools_r25.2.3-windows.zip
https://medium.com/@felipecsl/bypassing-certificate-pinning-on-android-for-fun-and-profit-1b0d14beab2b#.pnph846be
http://www.security-assessment.com/files/documents/whitepapers/Bypassing%20SSL%20Pinning%20on%20Android%20via%20Reverse%20Engineering.pdf
https://stackoverflow.com/questions/64364407/app-not-installing-in-android-11-but-works-on-previous-versions
1) download apktool and the build tools (http://androidsdkoffline.blogspot.com/p/android-sdk-build-tools.html) and platform tools (https://developer.android.com/studio/releases/platform-tools.html)
"C:\Users\mbrown\Desktop\Sense APK\apktool" d base.apk
2) locate the certificate pinning:
findstr /s /i /c:"CertificatePinner$Builder" *.*
shows strings in:
"C:\Users\mbrown\Desktop\Sense APK\base\smali\com\sense\androidclient\e\a.smali"
3) make the edits to the .smali files
look for all instances of "$Builder;->add" and delete the lines between the line that contains
CertificatePinner$Builder;-><init>()
and the line that contains
CertificatePinner$Builder;->build()
As of 2/6/2017 the lines removed are:
const-string v1, "api.sense.com"
new-array v2, v5, [Ljava/lang/String;
const-string v3, "sha256/HASYeObKKdQXEHLTIPUMUy9WBXQRzykPSYqf/HZX1ZE="
aput-object v3, v2, v4
.line 70
invoke-virtual {v0, v1, v2}, Lokhttp3/CertificatePinner$Builder;->add(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;
move-result-object v0
const-string v1, "api.sense.com"
new-array v2, v5, [Ljava/lang/String;
const-string v3, "sha256/nwDSX8WPqNCwewH20Ii61odFmXsG26cfVtvaZtJMdQw="
aput-object v3, v2, v4
.line 71
invoke-virtual {v0, v1, v2}, Lokhttp3/CertificatePinner$Builder;->add(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;
move-result-object v0
const-string v1, "api.sense.com"
new-array v2, v5, [Ljava/lang/String;
const-string v3, "sha256/5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="
aput-object v3, v2, v4
.line 72
invoke-virtual {v0, v1, v2}, Lokhttp3/CertificatePinner$Builder;->add(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;
move-result-object v0
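The "sha256/..." values in the lines above are OkHttp public-key pins: the base64 encoding of the SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo. The following is an added example, not part of this gist, showing how such a pin is derived from a certificate and how a CertificatePinner-style check evaluates it, including the case that makes step 3 effective: a host with no remaining pins is simply not checked. It uses only the Python standard library; `sample_cert_pem()` builds a constructed, unsigned certificate shell (not a real Sense certificate) purely so the parser has input, and the function names are my own.

```python
"""Derive OkHttp-style SPKI pins from an X.509 certificate and evaluate them.

Added example for the gist above; pure standard library. The pin format is
"sha256/" + base64(SHA-256(SubjectPublicKeyInfo DER)), which is what
okhttp3.CertificatePinner compares against.
"""
import base64
import hashlib
import re


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a SEQUENCE body."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def pem_to_der(pem: str) -> bytes:
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def spki_from_der(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a certificate (RFC 5280 field order)."""
    _, cert_vs, _ = _read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_vs, tbs_ve = _read_tlv(cert_der, cert_vs)       # tbsCertificate ::= SEQUENCE
    fields = list(_children(cert_der, tbs_vs, tbs_ve))
    if fields and fields[0][0] == 0xA0:                     # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, tlv_start, _, value_end = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[tlv_start:value_end]


def pin_from_spki(spki_der: bytes) -> str:
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def okhttp_pin(cert_pem: str) -> str:
    return pin_from_spki(spki_from_der(pem_to_der(cert_pem)))


PIN_RE = re.compile(r"^sha256/[A-Za-z0-9+/]{43}=$")        # 32-byte digest -> 44 base64 chars


def is_valid_pin(pin: str) -> bool:
    return bool(PIN_RE.match(pin))


def pin_check(hostname: str, cert_pem: str, pins: dict) -> bool:
    """Exact-host version of CertificatePinner.check(): a host with NO configured pins
    is not checked at all, so removing every ->add() call disables pinning silently."""
    expected = pins.get(hostname, [])
    if not expected:
        return True
    return okhttp_pin(cert_pem) in expected


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed sample certificate."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body


_RSA_ENC = bytes.fromhex("2A864886F70D010101")             # OID 1.2.840.113549.1.1.1
_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")          # OID 1.2.840.113549.1.1.11

# Constructed sample SPKI (rsaEncryption + NULL params, dummy 64-byte key): not a real key.
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, _RSA_ENC) + _tlv(0x05, b""))
                   + _tlv(0x03, b"\x00" + bytes(range(64))))


def sample_cert_pem() -> str:
    """Structurally valid, unsigned, constructed certificate shell (demo input only)."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))              # version v3
                     + _tlv(0x02, b"\x01")                          # serialNumber
                     + _tlv(0x30, _tlv(0x06, _SHA256_RSA))         # signature algorithm
                     + _tlv(0x30, b"")                              # issuer (empty Name)
                     + _tlv(0x30, _tlv(0x17, b"230101000000Z") + _tlv(0x17, b"330101000000Z"))
                     + _tlv(0x30, b"")                              # subject (empty Name)
                     + SAMPLE_SPKI)
    cert = _tlv(0x30, tbs + _tlv(0x30, _tlv(0x06, _SHA256_RSA)) + _tlv(0x03, b"\x00" * 17))
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print(okhttp_pin(sample_cert_pem()))
```

To reproduce the pins an app should carry, feed `okhttp_pin()` the server's leaf and intermediate certificates in PEM form; keeping more than one pin per host, as the three add() calls above do, is what lets a pinned app survive a key rotation. The `pin_check()` behaviour for a host with an empty pin list is the defender-relevant detail: nothing fails loudly after step 3, the check just stops applying.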
4) recompile apk
"C:\Users\mbrown\Desktop\Sense APK\apktool" b .\base -o com.sense.androidclient.unaligned.apk
5) generate a key and keystore:
"%JAVA_HOME%\bin\keytool" -genkey -v -keystore my-release-key.keystore -alias my-release-key -keyalg RSA -validity 10000
# before Android 11 you could simply sign, then zipalign; as of Android 11 you must first zipalign, then sign with `apksigner`
#6) sign the unaligned apk
#"%JAVA_HOME%\bin\jarsigner" -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my-release-key.keystore -storepass keystore com.sense.androidclient.unaligned.apk my-release-key
6) zipalign:
"C:\Users\mbrown\Desktop\Sense APK\android-7.1.1\zipalign.exe" -v 4 com.sense.androidclient.unaligned.apk com.sense.androidclient.aligned.apk
7) sign:
apksigner sign --ks my-release-key.keystore com.sense.androidclient.aligned.apk
8) uninstall old sense app
.\platform-tools\adb.exe uninstall com.sense.androidclient
9) install modified version of sense app
.\platform-tools\adb.exe install .\com.sense.androidclient.aligned.apk
Download Charles Proxy.
Go to Help > SSL Proxying settings and save the Charles Proxy certificate.
Email the .pem to yourself.
Open it on your Android device, give it any name, and allow it to be used for VPN and apps.
The cert will be added to your user cert store.
Start Charles Proxy on your PC.
Go to Proxy > SSL Proxying Settings and add api.sense.com and mb1.home.sense.com, leaving the ports blank (you might recognize these FQDNs from the smali file earlier).
On your Android phone, long press the Wi-Fi icon in the quick settings toolbar (or go to Wi-Fi settings), find the Wi-Fi network your PC is connected to and long press the network name.
Manage network settings > Proxy > Manual > set the proxy host name to the IP of the machine where Charles is running; the proxy port is probably 8888.
Once this is done, you should be able to see the decrypted contents of the SSL/TLS traffic within Charles.