TrustMeAlready - Disable SSL verification and pinning on Android

By ViRb3, Senior Member on 10th March 2019, 10:08 PM
An Xposed module to disable SSL verification and pinning on Android using the excellent technique provided by Mattia Vinci.
The effect is system-wide.
Useful for various security audits.

GitHub repository | Xposed repository
11th March 2019, 12:04 AM |#2  
Senior Member
Nice module. Could this be done in Magisk?
11th March 2019, 12:25 AM |#3  
Zeuszoos
Senior Member
Quote:
Originally Posted by ViRb3

An Xposed module to disable SSL verification and pinning on Android using the excellent technique provided by Mattia Vinci.
The effect is system-wide.
Useful for various security audits.

GitHub repository | Xposed repository

Okay, but why would I want to disable it and what is pinning?

Posted from my way cool LG V20 (H910) Nougat 7.0
11th March 2019, 01:08 AM |#4  
ViRb3
OP Senior Member
Quote:
Originally Posted by joluke

Nice module. Could this be done in Magisk?

Probably, but that would be very overkill. The EdXposed framework (which can load this module) is based on Magisk and passes SafetyNet, check it out.

Quote:
Originally Posted by Zeuszoos

Okay, but why would I want to disable it and what is pinning?

Posted from my way cool LG V20 (H910) Nougat 7.0

It comes into play when analyzing encrypted traffic from apps, e.g. malware. First, here are some resources that explain how to analyze traffic: https://en.wikipedia.org/wiki/Man-in-the-middle_attack, https://security.stackexchange.com/q...y-proxy-server

Basically, you would need to proxy traffic to your computer and replace the server certificate with your own one (that you can decrypt). However, Android won't recognize that homemade certificate and will reject it. To prevent this, sometimes you can import it in your phone's settings. But then there's certificate pinning, which forces an app to use ONLY the specified certificate and nothing else. So even if you add your homemade certificate to the trusted list, it will still be different and thus rejected. This module gets rid of both problems by making Android accept any certificate without verification. Needless to say, this is extremely insecure, but for our purposes it saves a ton of effort.
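
The two checks described in the post above (trusted CA list, then pinning), seen from the app developer's side in an Android Network Security Configuration file. This is an added example, not part of the original thread or of the TrustMeAlready project; the domain `api.example.com` and both pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest with
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Check 1: which CAs are trusted at all.
         Only the system store is listed, so a CA imported through the phone's
         settings (the "user" store) is not accepted by this app. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Check 2: pinning for one host (placeholder domain).
         Each pin is the base64 SHA-256 hash of a certificate's
         SubjectPublicKeyInfo. A chain that validates against a trusted CA
         but contains none of these keys is still rejected. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- After the expiration date the pins are no longer enforced,
             so an app that is never updated does not lock itself out. -->
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_PRIMARY=</pin>
            <!-- Backup pin for a key kept offline, used on key rotation. -->
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_BACKUP=</pin>
        </pin-set>
    </domain-config>

    <!-- Applies only when the build has android:debuggable="true".
         Lets the developer's own debug build trust a user-installed proxy CA
         for traffic inspection; overridePins defaults to true inside
         debug-overrides, so pins are skipped for these CAs. Release builds
         are unaffected. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```
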
13th March 2019, 08:05 PM |#5  
david6910
Senior Member
Thank you very much for this! I love it, I can see all the SSL data.
Tags
android, bypass, ssl, verification, xposed