user@host:~/downloads/app$ ls
app.apk
user@host:~/downloads/app$ git clone -q git@github.com:acritox/sslhack.git
user@host:~/downloads/app$ cd sslhack
user@host:~/downloads/app/sslhack$ ./fake_certificate.bash api.example.com
Generating RSA private key, 1024 bit long modulus
.........++++++
................++++++
e is 65537 (0x10001)
Getting request Private Key
Generating certificate request
Certificate Request:
    Data:
    (...)
    Signature Algorithm: sha1WithRSAEncryption
         95:a1:2f:38:0d:91:1a:39:c4:d9:3e:50:cd:a0:b5:df:02:3a:
         f2:8d:1d:31:47:f3:b6:95:0d:93:ea:d6:40:f2:1c:8a:bb:51:
         dd:98:d5:3e:b4:64:1a:05:75:0b:84:e7:f1:cd:a0:ff:7e:20:
         c3:5e:a0:53:b9:31:75:8d:b4:e8:65:37:72:27:77:6b:40:ad:
         7e:0e:0e:fa:48:83:dc:b0:2c:02:ae:17:41:43:ec:bc:ce:12:
         5e:30:c8:7c:c4:47:af:5a:79:64:32:16:22:18:04:cc:b2:76:
         b8:95:3e:58:6d:eb:eb:80:01:5b:55:ba:8d:b3:9c:8c:61:cf:
         da:c1
Generating RSA private key, 1024 bit long modulus
...........++++++
........++++++
e is 65537 (0x10001)
Using configuration from tmpCA/ca.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
(...)
user@host:~/downloads/app/sslhack$ ./replace_apk_bks_cert.bash ../app.apk
../app.apk
+-- res/raw/app_ca.bks
|   +-- app_ca
user@host:~/downloads/app/sslhack$ ./replace_apk_bks_cert.bash ../app.apk res/raw/app_ca.bks app_ca fake-api.example.com.crt
(...)
Trust this certificate? [no]:  yes
Certificate was added to keystore
/tmp/tmp.9HETBZa832.zip:
total 12996
-rw-r--r-- 1 user user 13304707 Mar  8 14:23 apk.zip
drwxr-xr-x 3 user user       60 Mar  8 14:23 res

/tmp/tmp.9HETBZa832.zip/res:
total 0
drwxr-xr-x 2 user user 40 Mar  8 14:23 raw

/tmp/tmp.9HETBZa832.zip/res/raw:
total 0
updating: res/raw/app_ca.bks (deflated 15%)
../app.fakecrt.apk created.
You can sign it with: ./replace_apk_bks_cert.bash --sign ../app.fakecrt.apk [ []]
user@host:~/downloads/app/sslhack$ ./replace_apk_bks_cert.bash --sign ../app.fakecrt.apk
--2014-03-08 14:23:22--  http://pof.eslack.org/archives/files/signapk.jar
Resolving pof.eslack.org (pof.eslack.org)... 178.79.145.151
Connecting to pof.eslack.org (pof.eslack.org)|178.79.145.151|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7369 (7.2K) [application/java-archive]
Saving to: `signapk.jar'

100%[==========================================================================================================================================>] 7,369       --.-K/s   in 0s

2014-03-08 14:23:22 (45.0 MB/s) - `signapk.jar' saved [7369/7369]

Generating RSA private key, 1024 bit long modulus
.........................++++++
.............................................++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
(...)
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signature ok
subject=CN=example.com
Getting Private key
../app.fakecrt.signed.apk created.
user@host:~/downloads/app/sslhack$ ls ..
app.apk  app.fakecrt.apk  app.fakecrt.crt  app.fakecrt.pk8  app.fakecrt.signed.apk  sslhack
user@host:~/downloads/app/sslhack$ cp ../app.fakecrt.signed.apk ~/Dropbox/
user@host:~/downloads/app/sslhack$ host api.example.com
api.example.com has address 123.123.123.123
user@host:~/downloads/app/sslhack$ su -p   # or "sudo -s" for ubuntu
Password:
root@yakahino:~/downloads/app/sslhack# echo 1 > /proc/sys/net/ipv4/ip_forward
root@yakahino:~/downloads/app/sslhack# iptables -t nat -A PREROUTING -d 123.123.123.123/32 -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 443
root@yakahino:~/downloads/app/sslhack# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@yakahino:~/downloads/app/sslhack# ./ssl_mitm.py 443 fake-api.example.com.crt fake-api.example.com.key 123.123.123.123
Listening for connections on 0.0.0.0:443 ...
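The session above ends with an APK whose BKS pinning store was swapped and which was re-signed with a freshly generated self-signed key (subject CN=example.com), so its signer certificate no longer matches the developer's release key. As an added example (not code from sslhack or the original session), the following Python checks the SHA-256 fingerprints of an APK's v1 (JAR) signer certificates against an allowlist using only the standard library; the "certificate" and APK it runs against are constructed placeholders, not real X.509 material, and only v1 signatures (META-INF/*.RSA) are inspected.

```python
import hashlib, io, zipfile

def der_read(buf, off):
    """Read one DER TLV at off -> (tag, value, offset after it); handles long-form lengths."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):  # -> [(tag, full TLV bytes, inner value)] for each TLV in a constructed value
    out, off = [], 0
    while off < len(value):
        tag, inner, nxt = der_read(value, off)
        out.append((tag, value[off:nxt], inner))
        off = nxt
    return out

def pkcs7_certificates(blob):
    """DER certificates carried in a PKCS#7 SignedData, as found in META-INF/*.RSA."""
    _, content_info, _ = der_read(blob, 0)          # ContentInfo SEQUENCE { contentType, [0] content }
    _, _, wrapped = der_children(content_info)[1]   # [0] EXPLICIT wraps the SignedData SEQUENCE
    _, signed_data, _ = der_read(wrapped, 0)
    for tag, _, inner in der_children(signed_data):
        if tag == 0xA0:                              # certificates [0] IMPLICIT SET OF Certificate
            return [full for t, full, _ in der_children(inner) if t == 0x30]
    return []

def apk_signer_fingerprints(apk_bytes):  # SHA-256 of each signer cert in the v1 (JAR) signature
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7_certificates(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps

def is_expected_signer(apk_bytes, expected_fingerprints):  # signed, and every signer on the allowlist
    fps = apk_signer_fingerprints(apk_bytes)
    return bool(fps) and fps <= set(expected_fingerprints)

# Constructed sample: a stand-in "certificate" (not real X.509) inside a minimal PKCS#7 wrapper.
def der(tag, content):  # short-form lengths only; enough for this tiny sample
    return bytes([tag, len(content)]) + content
FAKE_CERT = der(0x30, der(0x02, b"\x01") + der(0x13, b"constructed placeholder"))
SAMPLE_FINGERPRINT = hashlib.sha256(FAKE_CERT).hexdigest()
def build_sample_apk():
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))
                 + der(0xA0, FAKE_CERT) + der(0x31, b""))
    blob = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n")           # constructed placeholder payload
        z.writestr("META-INF/CERT.RSA", blob)
    return buf.getvalue()
```

Running `is_expected_signer` over a build with the release key's fingerprint allowlisted flags any repackaged copy signed with a different key, which is what the `--sign` step above produces.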