Pokemon GO 0.35.0: remove SSL pinning

If you have ever tried to sniff Pokemon Go network traffic through a proxy, maybe you was disappointed when Niantic Inc. has released the 0.31 version, adding SSL pinning to their apk. Let’s see how remove SSL pinning.

What is SSL pinning?

SSL Pinning is a method to secure communication. We all know that http is not secure, it can be intercepted by an attacker. So it was invented https, which encrypt every packet between the client and the server with a certificate, so that an attacker cannot sniff data using a man-in-the-middle attack.

Most of the apps today use https, but we are still able to sniff their network traffic. Why? Because many apps doesn’t use SSL pinning: they check that the connection is a https connection, but they don’t check that the SSL Certificate used to encrypt data is the one of the original server.

So an attacker can install the malicious certificate on the smartphone, use a proxy that encrypt data with the malicious certificate, and intercepting all. The app is communicating in a https connection, but not with the real server.

Pokemon Go, since v.0.31, uses SSL pinning, so it checks that the certificate used to encrypt data is the real one. If it discover that the certificate is not trusted, the app doesn’t start, showing a connection problem error.

Remove SSL pinning

If we were able to remove the SSL pinning, the app wouldn’t check for the right certificate.

But how to remove SSL pinning? Inspired by this article, I began to work on android apk, but instead of that article, Niantic Inc. has obfuscated better the .so library they used. So i worked on the Java code.

Do I need root access?

Nope, you need only apktool, and the android sdk.

Decompile the apk

First of all, we have to decompile the apk with apktool:

$ apktool d pokemon-go.apk

It will create a directory with the apk decompiled in .smali code, the android machine language.

Remove SSL Pinning: the .smali code

We have to go in smali/com/nianticlabs/nia/network/, open NianticTrustManager.smali and comment these rows (157, 194, 226, 230, 234):

Recompile in apk

Now we need to recompile the apk. So, first of all:

$ apktool b pokemon-go

where pokemon-go is the directory with all your previously decompiled code.

Now we have only to sign it with our keystore, install it on smartphone, et voila’, we can mitm and see the traffic:

Conclusion

Thanks for reading, as you can see it’s not so difficult to remove SSL pinning.

Be sure to share, and follow us also on Facebook, Google Plus, Tumblr, Twitter and Telegram

Correlati

Cerca

Live da Facebook

Live da Twitter

Tweets by @Insidevcode

Seguici su Telegram

InsiDevCode è distribuito con Licenza Creative Commons Attribuzione - Non commerciale - Condividi allo stesso modo 4.0 Internazionale.
Tutti i contenuti presenti all'interno del blog possono quindi essere utilizzati a patto di citare sempre https://www.insidevcode.eu/ come fonte ed inserire un link o un collegamento visibile.
Permessi ulteriori rispetto alle finalità della presente licenza possono essere disponibili presso Permessi e Blog Policy.
Il team InsiDevCode non è responsabile dei contenuti dei siti in collegamento, della qualità o correttezza dei dati forniti da terzi. Si riserva pertanto la facoltà di rimuovere informazioni ritenute offensive o contrarie al buon costume. Eventuali segnalazioni possono essere inviate a insidevcode@gmail.com.

Pokemon GO 0.35.0: remove SSL pinning

What is SSL pinning?

Remove SSL pinning

Do I need root access?

Decompile the apk

Remove SSL Pinning: the .smali code

Recompile in apk

Conclusion

Correlati

Creative Commons

LINK UTILI

INFO

Tags

Tag

Pokemon GO 0.35.0: remove SSL pinning

What is SSL pinning?

Remove SSL pinning

Do I need root access?

Decompile the apk

Remove SSL Pinning: the .smali code

Recompile in apk

Conclusion

Condividi il post:

Correlati

Creative Commons

LINK UTILI

INFO

Tags

Tag