Pokemon GO 0.35.0: remove SSL pinning

If you have ever tried to sniff Pokemon Go network traffic through a proxy, you may have been disappointed when Niantic Inc. released version 0.31, which added SSL pinning to the apk. Let's see how to remove SSL pinning.

What is SSL pinning?

SSL pinning is a method to secure communication. We all know that HTTP is not secure: it can be intercepted by an attacker. So HTTPS was invented, which encrypts every packet between the client and the server and identifies the server with a certificate, so that an attacker cannot sniff the data using a man-in-the-middle attack.

Most apps today use HTTPS, but we are still able to sniff their network traffic. Why? Because many apps don't use SSL pinning: they check that the connection is an HTTPS connection, but they don't check that the SSL certificate used to encrypt the data is the one of the original server.

So an attacker can install a malicious certificate on the smartphone, use a proxy that encrypts the data with that malicious certificate, and intercept everything. The app is communicating over an HTTPS connection, but not with the real server.

Since v0.31, Pokemon Go uses SSL pinning, so it checks that the certificate used to encrypt the data is the real one. If it discovers that the certificate is not the trusted one, the app doesn't start and shows a connection problem error.

[Image: Pokemon Go SSL pinning connection error]

Remove SSL pinning

If we remove the SSL pinning, the app no longer checks for the right certificate.

But how do we remove SSL pinning? Inspired by this article, I began to work on the Android apk, but unlike in that article, Niantic Inc. has obfuscated the .so library they use much better. So I worked on the Java code.

Do I need root access?

No, you only need apktool and the Android SDK.

Decompile the apk

First of all, we have to decompile the apk with apktool:

$ apktool d pokemon-go.apk

It creates a directory with the apk decompiled into .smali code, the human-readable form of Android's Dalvik bytecode.

[Image: Decompile Pokemon Go apk]

Remove SSL Pinning: the .smali code

We have to go into smali/com/nianticlabs/nia/network/, open NianticTrustManager.smali and comment out these lines (157, 194, 226, 230, 234):

[Images: Pokemon Go remove SSL pinning 1, 2, 3: screenshots of the commented lines]

Recompile in apk

Now we need to recompile the apk. First of all:

$ apktool b pokemon-go

where pokemon-go is the directory with all your previously decompiled code.

[Image: Recompile Pokemon Go apk]

Now we only have to sign it with our keystore and install it on the smartphone, et voilà, we can MITM and see the traffic:

[Image: Pokemon Go MITM proxy]

Conclusion

Thanks for reading; as you can see, it's not so difficult to remove SSL pinning.

Be sure to share, and follow us on Facebook, Google Plus, Tumblr, Twitter and Telegram.
