PakistanDatabase.com


H3llSh3ll

Application attack. Using Xposed to bypass SSLPinning on Android

There are different approaches to analyzing the security of applications, but sooner or later everything comes down to studying the interaction of the program with the API. It is this stage that provides the most information about the operation of the application, about the functions used and the data collected. But what if the application is secured by SSLPinning and the security is implemented at the layer? Let's see what can be done in this case.
Conclusions
This idea has already helped me more than once to find problems and bypass some layers of protection. Can you protect yourself from it? Certainly yes. You can add application or client blocking if Xposed is found, or add signatures to the data that is sent. You can distrust any requests from the client, even if they come over a secure connection.
However, having such a powerful tool as Xposed or Frida in your kit, you can easily bypass all possible client-side protection methods.
 