Spinner: Semi-Automatic Detection of Pinning without Hostname verification
Tool to enable black box detection of applications that pin to non-leaf TLS certificates and fail to carry out hostname verification. It can also be used to detect apps that have the same issue but do not pin, or indeed apps that will accept any certificate (such as self-signed).
Spinner analyses the certificate chain of the requested domains and redirects TLS traffic to other sites, which it finds on Censys.io, that use the same certificate chain. The handshake is then proxied to determine if encrypted application data is sent by the app to the domain that the app is not expecting.
For more details see our paper
javac -cp .:libs/* *.java
javac -cp ".;libs/*" *.java
- Set DNS of mobile device to use IP of machine running Spinner e.g. In android: WiFi -> Modify Network -> Advanced -> IP Settings, Static -> DNS
- Run Spinner on machine with access point e.g. hostapd. Connect testing device to AP running Spinner.
sudo java -cp .:libs/* Launcher --help
java -cp ".;libs/*" Launcher --help
(Note: root is required as a TLS and DNS server are ran on privileged ports)
The program requires a config file which contains the IP address of the DNS server on your network, and the credentials to use with Censys.io. You will need to sign up for an account here https://censys.io/register.
Run the tool with config details specified in the file
config and ignore connections to domains listed in
sudo java -cp .:libs/* Launcher -c config -w whitelist
Run the tool without using Censys by manually specifying a redirect domain.
sudo java -cp .:libs/* Launcher -m google.com
Disclaimer: This tool is intended for research use, and is currently undergoing further development. We welcome any feedback which can be provided by raising issues or pull requests.