Android App Penetration Testing & Frida Hooks

Custom Frida Scripts: Tailoring OkHttp3 SSL Pinning Bypass for Unique Android Applications


Introduction to SSL Pinning and its Challenges

SSL Pinning is a security mechanism implemented by mobile applications to prevent man-in-the-middle (MitM) attacks. Instead of trusting any certificate signed by a trusted root Certificate Authority (CA), the application ‘pins’ specific certificates or public keys that it expects to see from the server. If the server presents a certificate that doesn’t match the pinned ones, the connection is terminated, even if the certificate is otherwise valid and signed by a trusted CA. This mechanism is crucial for securing sensitive data transmission in Android applications.

OkHttp3 is a widely used HTTP client for Android and Java applications, known for its efficiency and robust feature set, including built-in support for SSL pinning via its CertificatePinner class. While standard proxy tools like Burp Suite or OWASP ZAP can easily intercept traffic from applications that don’t implement pinning, they fail against pinned applications because the application rejects the proxy’s self-signed (or custom CA-signed) certificate.

The Limitations of Generic Frida Bypass Scripts

For penetration testers, bypassing SSL pinning is often a prerequisite for analyzing application network traffic. Tools like Frida, a dynamic instrumentation toolkit, are invaluable for this purpose. Generic Frida scripts, such as those found in `frida-multiple-unpinning` or built into `objection` (Frida’s runtime mobile exploration toolkit), attempt to hook common SSL/TLS classes and methods across various frameworks (e.g., `TrustManager`, `HostnameVerifier`, `X509TrustManager`).

While these generic scripts are effective for many applications, they often fall short when dealing with highly customized or obfuscated OkHttp3 implementations. Reasons for failure include:

  • **Specific OkHttp3 Usage:** Applications might instantiate CertificatePinner in non-standard ways, or configure it deeply within their code logic, making it difficult for generic hooks to catch all instances.
  • **Obfuscation:** Tools like ProGuard or DexGuard rename classes and methods, rendering static string-based hooks ineffective.
  • **Dynamic Class Loading:** Pinning logic might be loaded dynamically at runtime, after initial Frida attachment.
  • **Multiple Pinning Layers:** Some applications combine OkHttp3 pinning with other mechanisms (e.g., TrustKit, custom `X509TrustManager` implementations), requiring a multi-pronged bypass approach.

When generic scripts fail, a tailored, custom Frida script becomes necessary, demanding a deeper understanding of the application’s internal workings and OkHttp3’s pinning mechanisms.

Understanding OkHttp3’s SSL Pinning Mechanisms

OkHttp3 primarily relies on the `CertificatePinner` class for SSL pinning. This class allows developers to declare specific hashes of certificates or public keys for given hostnames. During an SSL handshake, `CertificatePinner` verifies that one of the peer’s certificates matches a configured pin.

CertificatePinner Deep Dive

The core of OkHttp3’s pinning lies in the `okhttp3.CertificatePinner` class. When an `OkHttpClient` instance is built with a `CertificatePinner`, its `check` method is invoked during the TLS handshake for every connection. The primary method targeted for bypass is typically:

public void check(String hostname, List<Certificate> peerCertificates)

This method iterates through the provided `peerCertificates` and compares their public key hashes against the pins configured for the `hostname`. If no match is found, an `SSLPeerUnverifiedException` is thrown, terminating the connection.
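To make that check concrete, here is an added Python model of the logic just described (example code written for this page, not OkHttp’s own source): it derives pins in OkHttp’s `sha256/<base64>` form from a certificate’s SubjectPublicKeyInfo, matches hostname patterns, and rejects a chain whose key hashes match none of the configured pins. It goes slightly beyond the text in also modelling `*.` wildcard patterns, which OkHttp matches against exactly one extra hostname label. The byte strings in `demo()` are constructed placeholders standing in for DER-encoded public keys, and the class, function and variable names are this example’s own.

```python
# Added example (not OkHttp's source): a Python model of how okhttp3.CertificatePinner.check()
# decides whether a peer certificate chain satisfies the configured pins. Inputs are the
# DER-encoded SubjectPublicKeyInfo (SPKI) bytes of each peer certificate; the byte strings
# used in demo() are constructed placeholders, not real keys.
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List


class SSLPeerUnverifiedException(Exception):
    """Raised on a pin mismatch, mirroring the exception OkHttp throws."""


def spki_pin(spki_der: bytes, algorithm: str = "sha256") -> str:
    """Return the pin for an SPKI in OkHttp's "<algorithm>/<base64 digest>" form."""
    digest = hashlib.new(algorithm, spki_der).digest()
    return f"{algorithm}/{base64.b64encode(digest).decode('ascii')}"


@dataclass(frozen=True)
class Pin:
    pattern: str  # hostname pattern, e.g. "api.example.com" or "*.example.com"
    pin: str      # "sha256/..." or "sha1/..."

    @classmethod
    def parse(cls, pattern: str, pin: str) -> "Pin":
        # OkHttp accepts only these two prefixes; anything else is a configuration error
        if not (pin.startswith("sha256/") or pin.startswith("sha1/")):
            raise ValueError(f"pin must start with 'sha256/' or 'sha1/': {pin!r}")
        return cls(pattern.lower(), pin)

    @property
    def algorithm(self) -> str:
        return self.pin.split("/", 1)[0]

    def matches_hostname(self, hostname: str) -> bool:
        """"*.example.com" matches exactly one extra label (api.example.com) but neither
        example.com itself nor a.b.example.com; any other pattern must match exactly."""
        hostname = hostname.lower()
        if self.pattern.startswith("*."):
            first_dot = hostname.find(".")
            return first_dot > 0 and hostname[first_dot + 1:] == self.pattern[2:]
        return hostname == self.pattern


class CertificatePinner:
    """Holds the pins and performs the check OkHttp runs after every TLS handshake."""

    def __init__(self, pins: Iterable[Pin]):
        self._pins: List[Pin] = list(pins)

    def find_matching_pins(self, hostname: str) -> List[Pin]:
        return [p for p in self._pins if p.matches_hostname(hostname)]

    def check(self, hostname: str, peer_spkis: List[bytes]) -> None:
        pins = self.find_matching_pins(hostname)
        if not pins:
            return  # host is not pinned: only the platform trust store applies
        # Walk the chain leaf first; the first certificate whose SPKI hash equals any
        # configured pin satisfies the check.
        for spki in peer_spkis:
            for pin in pins:
                if spki_pin(spki, pin.algorithm) == pin.pin:
                    return
        observed = ", ".join(spki_pin(s) for s in peer_spkis)
        raise SSLPeerUnverifiedException(
            f"Certificate pinning failure for {hostname}: peer pins [{observed}] "
            f"match none of {[p.pin for p in pins]}"
        )

    def passes(self, hostname: str, peer_spkis: List[bytes]) -> bool:
        """Boolean wrapper around check() for callers that do not want the exception."""
        try:
            self.check(hostname, peer_spkis)
            return True
        except SSLPeerUnverifiedException:
            return False


def demo() -> Dict[str, bool]:
    """Constructed scenario: the app pins the SPKI of its real backend key."""
    backend_spki = b"CONSTRUCTED-SPKI-DER-OF-REAL-BACKEND-KEY"    # placeholder, not a real key
    proxy_spki = b"CONSTRUCTED-SPKI-DER-OF-INTERCEPTING-PROXY"   # placeholder, not a real key
    pinner = CertificatePinner([Pin.parse("*.example.com", spki_pin(backend_spki))])
    return {
        # genuine backend chain: accepted
        "pinned_ok": pinner.passes("api.example.com", [backend_spki]),
        # a chain from a locally trusted but unpinned CA is rejected even though it is "valid"
        "proxy_rejected": not pinner.passes("api.example.com", [proxy_spki]),
        # a host with no pins falls back to ordinary trust-store validation
        "unpinned_ok": pinner.passes("cdn.other.test", [proxy_spki]),
    }


if __name__ == "__main__":
    print(demo())
```

The `proxy_rejected` case is the behaviour that makes pinned applications opaque to an interception proxy: the proxy’s certificate chains to a CA the device trusts, so hostname verification and trust-store validation both pass, and only the SPKI comparison in `check` fails.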

OkHostnameVerifier (Brief Mention)

While `CertificatePinner` handles the strict pinning logic, `okhttp3.internal.tls.OkHostnameVerifier` is responsible for standard hostname verification, ensuring that the certificate’s subject alternative names (SANs) or common name (CN) match the requested hostname. While crucial for overall TLS security, bypassing `CertificatePinner` is usually sufficient for defeating SSL pinning, as `OkHostnameVerifier` typically doesn’t prevent proxies from working if the proxy’s certificate is otherwise valid for the hostname.

Step-by-Step Custom Frida Script Development

Developing a custom Frida script involves initial reconnaissance, crafting the hook, and handling advanced scenarios.

Phase 1: Initial Reconnaissance

Before writing any Frida code, you need to understand how the target application uses OkHttp3. This typically involves decompiling the APK.

  1. **Decompile the APK:** Use tools like Jadx or Ghidra to get a readable source code representation.
  2. **Search for OkHttp3 Usage:** Look for key classes and methods related to OkHttp3. Specifically search for:
    • `okhttp3.OkHttpClient.Builder`
    • `okhttp3.CertificatePinner`
    • `build()` methods on `OkHttpClient.Builder`

```shell
# Example Jadx command to decompile an APK
jadx -d output_dir com.example.app.apk
# Inside the decompiled source, search for CertificatePinner usage:
# grep -r
```
