Lu Yuanjiang joined Qunar in January 2019. He is now in charge of app analysis and device-fingerprint anti-crawling, and has rich experience in app unpacking and in analysing encryption and decryption algorithms at the Java and native C layers.

1. Background

When analysing APP protocols, we often find that HTTPS traffic cannot be captured normally because of certificate verification. This article introduces when and how certificate verification and its detection take place, how the verification is bypassed and why the bypass works, and, from the security side, how to deal with it: how to detect the bypass and how to counter it.

1.1 What are the ways to implement HTTPS on Android

A) Apache’s HttpClient class

B) HttpsURLConnection class

C) Third-party libraries, with OkHttp used as the example (others include Xutils and HttpClientAndroidLib)

1.2 What Is the Certificate Verification Mode?

  1. TrustManager verification generated from the APP's built-in KeyStore
  2. Custom SSLSocketFactory (org.apache.http.conn.ssl.SSLSocketFactory) implementing the TrustManager verification strategy (HttpClient)
  3. Custom SSLSocketFactory (javax.net.ssl.SSLSocketFactory) implementing the TrustManager verification strategy (HttpsURLConnection, OkHttp3)
  4. Custom HostnameVerifier and X509TrustManager implementing verification
  5. Verification inside third-party libraries, such as CertificatePinner in OkHttp3
  6. When a WebView loads an HTTPS page and certificate verification fails, loading stops

The following figure shows the common methods to implement HTTPS certificate verification:

The following diagram, taken from the JSSE reference guide, shows the relationships between the classes involved in certificate verification.

(Docs.oracle.com/javase/6/do… )

The SSLSocket object is managed by an SSLSocketFactory. The SSLSocketFactory object depends on an SSLContext, and initializing an SSLContext requires a KeyManager, a TrustManager and a SecureRandom. The TrustManager is what we care about from here on, because it is the TrustManager that verifies the certificate and authenticates the website. To make sure data cannot be captured by a man in the middle for packet analysis, this class must be implemented so that it really performs verification and keeps the data secure.

Throughout the whole process, the TrustManager class is responsible for verifying certificates. By overriding the TrustManager you can either verify certificates or skip verification entirely.

Take the custom X509TrustManager used with HttpsURLConnection as an example; it has three verification methods. In the following code none of them is implemented, so every certificate is accepted:

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

// All three methods are empty: any server or client certificate is accepted,
// so a man-in-the-middle certificate passes as well.
public class MyX509TrustManager implements X509TrustManager {
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Verification is not implemented
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Verification is not implemented
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[] {};
    }
}
```

Use the custom TrustManager to initialize an SSLContext, then call HttpsURLConnection.setDefaultSSLSocketFactory; the connection to the target URL will then use it for certificate verification.

```java
import java.net.URL;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;

// Get your own X509TrustManager object
TrustManager[] managers = { new MyX509TrustManager() };
// getInstance and init throw checked exceptions (NoSuchAlgorithmException, KeyManagementException)
SSLContext sc = SSLContext.getInstance("TLS");
// Initialize the SSLContext; the second parameter is the TrustManager array
sc.init(null, managers, new SecureRandom());
javax.net.ssl.SSLSocketFactory sslSocketFactory = sc.getSocketFactory();
// setDefaultSSLSocketFactory: HttpsURLConnection needs an SSLSocketFactory object for certificate verification
HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
// setDefaultHostnameVerifier: HttpsURLConnection needs a HostnameVerifier implementation for host name verification
HttpsURLConnection.setDefaultHostnameVerifier(new MyHostnameVerifier());
HttpsURLConnection conn = (HttpsURLConnection) new URL("https://www.baidu.com").openConnection();
```

2. Certificate bypass on Android (JustTrustMe & SSLkiller)

In packet capture analysis, an app that verifies certificates usually yields no captured data at all, which is a problem for reverse engineers. However, two Xposed modules can bypass certificate verification so that the traffic of a specific interface can be captured and analysed.

As we saw above, the key to certificate verification is the TrustManager, which is therefore the starting point for bypassing it. That is exactly what the certificate-verification bypass plug-ins on Xposed do.

The two most popular Xposed-based modules for bypassing certificate verification are JustTrustMe and SSLkiller. They target the certificate verification functions of the HttpClient, HttpsURLConnection and OkHttp frameworks: they hook these key functions and either replace the TrustManager (trust all certificates) or directly neutralize the verification function (function replacement, no verification).

Note: when HttpClient uses a custom SSLSocketFactory, the class is org.apache.http.conn.ssl.SSLSocketFactory, whereas for HttpsURLConnection it is javax.net.ssl.SSLSocketFactory.

The two key functions that the hook plug-ins target in order to bypass certificate verification are shown below:

3. Security Protection – How should app developers deal with certificate bypass?

Detection: to keep their app protocol from being reversed easily, developers need to detect these two tools; what to do once they are detected depends on your mood!!

Detect the Xposed framework and the certificate-verification bypass modules (check whether the dex files loaded according to /proc/<pid>/maps include the key package names just.trust.me and com.lyf.jason.sslkiller):

Take detecting JustTrustMe as an example (the same applies to SSLKiller):

1. Obtain the list of installed apps and check whether it includes the target package name.

2. Read /proc/<pid>/maps (this can be implemented in native code, which makes reverse engineering harder) and check whether the target dex has been loaded into the app.
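The second check in native code, as an added example (not code from the original post): a C routine that scans /proc/<pid>/maps lines for a mapping whose path contains one of the two package names the article gives. The maps lines used to exercise it are constructed for offline testing; on device, scan_self_maps reads the running process's own maps.

```c
#include <stdio.h>
#include <string.h>

/* Package names the article says to look for (JustTrustMe and SSLKiller). */
static const char *const kSuspectPackages[] = { "just.trust.me", "com.lyf.jason.sslkiller" };
#define NUM_SUSPECT (sizeof(kSuspectPackages) / sizeof(kSuspectPackages[0]))

/* One line of /proc/<pid>/maps looks like
 *   7f3a1000-7f3a5000 r--p 00000000 fd:00 1234   /data/app/just.trust.me-1/base.apk
 * Only the path field can contain '/', so the first '/' marks its start.
 * Returns the 1-based index of the matched package, 0 if the line is clean. */
int check_maps_line(const char *line) {
    const char *path = strchr(line, '/');
    if (path == NULL) return 0;            /* anonymous mapping: nothing to check */
    for (size_t i = 0; i < NUM_SUSPECT; i++)
        if (strstr(path, kSuspectPackages[i]) != NULL) return (int)i + 1;
    return 0;
}

/* Scan a newline-separated maps buffer; takes a buffer rather than a file so
 * it can be exercised offline. Returns the first hit (1-based) or 0. */
int scan_maps_buffer(const char *buf) {
    char line[512];
    for (const char *p = buf; *p != '\0'; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;   /* overlong line: keep the head */
        memcpy(line, p, len);
        line[len] = '\0';
        int hit = check_maps_line(line);
        if (hit) return hit;
        p = nl ? nl + 1 : p + strlen(p);
    }
    return 0;
}

/* On device: scan the running process's own maps. Returns -1 if unreadable. */
int scan_self_maps(void) {
    char line[512];
    int hit = 0;
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL) return -1;
    while (hit == 0 && fgets(line, sizeof line, f) != NULL)
        hit = check_maps_line(line);
    fclose(f);
    return hit;
}
```

A non-zero result from scan_self_maps means a module dex or apk is mapped into the app's own process; a plain substring match on the path is deliberately simple, so treat it as one signal among several rather than proof on its own.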

4. Harm caused by protocol capture

In recent years, many businesses have run new-user promotions, and their registration interfaces (some of which do not even require a phone number, only an email address, so registration costs almost nothing) have been cracked. The result is malicious mass registration: the red-envelope or coupon rewards intended for new users are split among these fake users. Most registration interfaces now do depend on a phone number, but once the registration protocol is cracked there are plenty of illegal platforms that supply SMS verification codes, so registering a new user may cost only a few cents; through such fake registrations one service once ended up with hundreds of thousands of fake users.

5. Further thoughts on security protection

5.1 Blind spots in the bypass tools

These are ways to keep certificate verification working without any anti-hook detection. Analysing the two bypass plug-ins shows that they do not hook the case where developers use the OkHttp framework with a custom HostnameVerifier and a custom sslSocketFactory to implement certificate verification.

So when using the OkHttp third-party library, you can set a custom HostnameVerifier, or call sslSocketFactory with a custom SSLSocketFactory and X509TrustManager, to avoid being captured. The configuration code is as follows:

```java
import okhttp3.OkHttpClient;

OkHttpClient.Builder builder = new OkHttpClient.Builder();
// Customize SSLSocketFactory and X509TrustManager (class names as in the original post)
builder.sslSocketFactory(new TrustAllSSLSocketFactory(), new MyX509TrustManager());
// Customize HostnameVerifier
builder.hostnameVerifier(new MyHostnameVerifier());
OkHttpClient client = builder.build();
```

5.2 Using a less common network request framework

From the developer's perspective, a less common network request framework can be used for a key protocol or for all protocols (neither tool hooks such frameworks).

5.3 Upgrading the common network request framework to the latest version

In addition, developers can study the certificate verification source code of the latest okHttp3 (or another framework) release and exploit the time lag before the two tools catch up with it, so that their hooks no longer apply.

5.4 Combining with encryption

Anti-capture measures alone are not secure. Key business parameters can be encrypted with a custom encryption and decryption algorithm that is updated from time to time, to stop anyone from breaking through at the protocol layer.