If you have ever tried to sniff Pokemon Go network traffic through a proxy, maybe you was disappointed when Niantic Inc. has released the 0.31 version, adding SSL pinning to their apk. Let’s see how remove SSL pinning.
SSL Pinning is a method to secure communication. We all know that http is not secure, it can be intercepted by an attacker. So it was invented https, which encrypt every packet between the client and the server with a certificate, so that an attacker cannot sniff data using a man-in-the-middle attack.
Most of the apps today use https, but we are still able to sniff their network traffic. Why? Because many apps doesn’t use SSL pinning: they check that the connection is a https connection, but they don’t check that the SSL Certificate used to encrypt data is the one of the original server.
So an attacker can install the malicious certificate on the smartphone, use a proxy that encrypt data with the malicious certificate, and intercepting all. The app is communicating in a https connection, but not with the real server.
Pokemon Go, since v.0.31, uses SSL pinning, so it checks that the certificate used to encrypt data is the real one. If it discover that the certificate is not trusted, the app doesn’t start, showing a connection problem error.
If we were able to remove the SSL pinning, the app wouldn’t check for the right certificate.
But how to remove SSL pinning? Inspired by this article, I began to work on android apk, but instead of that article, Niantic Inc. has obfuscated better the .so library they used. So i worked on the Java code.
Nope, you need only apktool, and the android sdk.
First of all, we have to decompile the apk with apktool:
$ apktool d pokemon-go.apk
It will create a directory with the apk decompiled in .smali code, the android machine language.
We have to go in smali/com/nianticlabs/nia/network/, open NianticTrustManager.smali and comment these rows (157, 194, 226, 230, 234):
Now we need to recompile the apk. So, first of all:
$ apktool b pokemon-go
where pokemon-go is the directory with all your previously decompiled code.
Now we have only to sign it with our keystore, install it on smartphone, et voila’, we can mitm and see the traffic:
Thanks for reading, as you can see it’s not so difficult to remove SSL pinning.