Shulou(Shulou.com)06/01 Report--

This article will explain in detail how to bypass Android SSL certificate verification. The editor thinks it is very practical, so I share it with you as a reference. I hope you can get something after reading this article.

People who have worked hard in the security world for many years will still remember when using Android in the past, for example, the more important features are that you don't have to care about all SSL errors, and you can intercept and modify SSL communications at will. But you can't do that from now on. Why? Because most applications now check whether ssl certificate verification is issued by a valid trusted SSL certificate authority (CA). As testers, our main task is to check whether these certificates are verified, so I chose man-in-the-middle attack (MITM) to try to modify their communications. Techniques that can bypass Android SSL certificate verification checks:

1. Add a custom CA to the zone with the trust column

two。 Overwrite the encapsulated certificate with a custom CA certificate

3. Use Frida hook to bypass SSL certificate verification

4. Customize the reverse operation of certificate code.

Why would I choose to SSL MITM mobile applications? This is mainly because I need to use interceptor agents (such as BurpSuite or ZAP) in order to view and blur network service invocations for mobile applications. If an agent is used to intercept ssl traffic, the client's ssl connection will stop working. By default, self-signed certificates generated by tools such as Burp will have no trust chain, and when there is no way to verify the certificate, then all applications will not be able to do so and will not connect through insecure channels. So all of these goals are to get mobile applications to trust the certificates provided by the interceptor agent.

On how to bypass Android SSL certificate verification to share here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.