The Uber application for Android has SSL (TLS) certificate pinning enabled: a set of trusted certificates is hardcoded in the APK, and the app only allows TLS connections to hosts whose certificates chain to one of them. For example, if you try to intercept TLS traffic from the Uber app with Burp Suite, a web security proxy, you will see nothing, because Burp's self-signed CA certificate is not among the pinned ones, so the handshake fails and the app refuses to connect.
Here are some very rough notes on working around the SSL pinning implemented in the Uber apps for Android. The general idea is that we'll decompile the APK, add the Burp CA certificate to the app's password-protected keystore, and finally recompile and re-sign a new version of the app.
- Make a working directory and move to it
mkdir ~/uber && cd ~/uber
- Download Burp Suite and export its CA certificate (DER format) to ~/uber/burp.cer
- Convert Burp certificate to PEM format
openssl x509 -inform der -in burp.cer -out burp.pem
- Download the Bouncy Castle jar (e.g. bcprov-jdk15on-157.jar) to ~/uber/bc.jar. This is used to add the Burp certificate to the Uber app keystore, which is in Bouncy Castle's BKS format, so the standard JDK keytool cannot open it without this provider.
- Download Zipalign to ~/uber/zipalign. This is used to align the APK file after rebuilding it with the new certificate.
- Download Apktool to ~/uber/apktool.jar. This is used to decompile and recompile the APK.
- Download jd-gui. This decompiles Java class files into Java source, which makes it possible to search for the keystore password. jd-gui reads jar files rather than APKs, so convert the APK's classes.dex to a jar first (for example with dex2jar), or simply grep the smali that apktool emits for the keystore name.
- Download a copy of the Uber app APK file (in this case I'm using the Uber Eats app) to ~/uber/uber_eats.apk
- First decompile the Uber app with apktool
java -jar apktool.jar decode uber_eats.apk
cd uber_eats/res/raw
- You'll need the password for the keystore ssl_pinning_certs_bk146.bks in this directory. For example, in v1.75.1 of the app the password is sMdqVqJBdBmmkDMp6BK7EVeEkHcNbJ (other versions may use a different password or keystore name, so check the version you have). To find this password, I used jd-gui to decompile the APK back into Java files and searched for ssl_pinning_certs_bk146.
- Now run keytool to import the Burp certificate into the Uber keystore. keytool will prompt for the keystore password found above (or pass it with -storepass).
keytool -import -v -trustcacerts -alias workaround -file ~/uber/burp.pem -keystore ssl_pinning_certs_bk146.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ~/uber/bc.jar
- Move back to the app's root directory, rebuild the APK with apktool, then sign and align it from ~/uber. my-release-key.keystore is a signing keystore of your own (create one with keytool -genkey if you don't have one); the device will not install an unsigned APK.
cd ../..
java -jar ../apktool.jar build . -o ../modified_uber_eats.apk
cd ..
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore modified_uber_eats.apk alias_name
jarsigner -verify -verbose -certs modified_uber_eats.apk
./zipalign -v 4 modified_uber_eats.apk modified_uber_eats-aligned.apk
- Now uninstall the original Uber Eats app from the phone (the re-signed APK uses a different signing key, so it cannot be installed over the store build), copy modified_uber_eats-aligned.apk to the phone and install it, point the phone's Wi-Fi proxy at Burp's listener, and intercept. If the app also validates against the system trust store, you will additionally need Burp's CA installed on the device as a user certificate.
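The whole procedure as one script, as an added example rather than code from the original notes or from Uber: it wraps the steps above in shell functions in the order they must run, adds the signing-key generation and the uninstall of the original build that the notes leave implicit, and includes a grep-based keystore-password finder exercised on a constructed sample of decompiled source. The $WORK layout, the `decoded` output directory, the signing keystore name/alias/password, and the Uber Eats package name are assumptions (confirm the package with `aapt dump badging`).

```shell
#!/bin/sh
# Added example, not code from the original notes or from Uber: the
# re-pinning workflow as functions, plus a password finder run over a
# constructed sample. Assumptions: tools live in $WORK as laid out in the
# notes; signing keystore name/alias/password are arbitrary; PKG must be
# verified against the real APK (aapt dump badging uber_eats.apk).
set -eu

WORK="${WORK:-$HOME/uber}"
APK="${APK:-$WORK/uber_eats.apk}"
BKS_NAME="${BKS_NAME:-ssl_pinning_certs_bk146.bks}"
PKG="${PKG:-com.ubercab.eats}"   # assumed package name; verify before use

# Step A: find candidate keystore passwords. The loading code passes the
# password as a string literal close to the R.raw reference (jd-gui output)
# or as a const-string near the resource name (apktool smali), so print every
# quoted alphanumeric literal of 16+ chars within 5 lines of the reference.
find_keystore_password() {
  src_dir="$1"; res_name="$2"
  grep -rn -B5 -A5 -- "$res_name" "$src_dir" \
    | grep -o '"[A-Za-z0-9]\{16,\}"' \
    | tr -d '"' | sort -u
}

# Constructed sample resembling jd-gui output for a pin-loading class (not
# real Uber source); it only exists to exercise find_keystore_password.
make_sample_source() {
  mkdir -p "$1/com/example"
  cat > "$1/com/example/PinningTrustManager.java" <<'EOF'
public final class PinningTrustManager {
    private static final String STORE_TYPE = "BKS";
    KeyStore loadPins(Context ctx) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        InputStream in = ctx.getResources().openRawResource(R.raw.ssl_pinning_certs_bk146);
        ks.load(in, "sMdqVqJBdBmmkDMp6BK7EVeEkHcNbJ".toCharArray());
        return ks;
    }
}
EOF
}

# Step B: the pipeline from the notes, plus the two steps it leaves implicit:
# generating a signing key for the rebuilt APK and uninstalling the store
# build (its signature will never match a re-signed APK).
repin_apk() {
  store_pass="$1"
  cd "$WORK"
  openssl x509 -inform der -in burp.cer -out burp.pem
  java -jar apktool.jar decode -f "$APK" -o decoded
  keytool -importcert -noprompt -trustcacerts -alias workaround \
    -file burp.pem -keystore "decoded/res/raw/$BKS_NAME" \
    -storetype BKS -storepass "$store_pass" \
    -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider \
    -providerpath bc.jar
  java -jar apktool.jar build decoded -o modified_uber_eats.apk
  # Throwaway self-signed signing key, created once. Any key works: the APK
  # is sideloaded, not published, so this is not a release key.
  [ -f my-release-key.keystore ] || keytool -genkeypair -v \
    -keystore my-release-key.keystore -storepass android -keypass android \
    -alias alias_name -keyalg RSA -keysize 2048 -validity 10000 \
    -dname "CN=repin, O=test"
  jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 \
    -keystore my-release-key.keystore -storepass android \
    modified_uber_eats.apk alias_name
  jarsigner -verify -verbose -certs modified_uber_eats.apk
  ./zipalign -v 4 modified_uber_eats.apk modified_uber_eats-aligned.apk
  adb uninstall "$PKG" || true
  adb install modified_uber_eats-aligned.apk
}

# Usage: sh repin.sh run <keystore password>   (the value found in step A)
case "${1:-}" in
  run) repin_apk "${2:?keystore password required}" ;;
esac
```

Point find_keystore_password at the jd-gui output directory or at the smali tree apktool produces (e.g. `find_keystore_password uber_eats/smali ssl_pinning_certs_bk146`); it prints candidates rather than guessing, so check each against the keystore with keytool -list before running the pipeline.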