Android Hacking, Sandboxing, & Security Exploits

Frida SSL Pinning Bypass: Intercepting HTTPS Traffic on Any Android App (How-To Guide)

By Antigravity Research Published May 29, 2026 ⏱️ 6 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to SSL Pinning and Why it Matters

SSL Pinning, or Certificate Pinning, is a security mechanism employed by applications to prevent Man-in-the-Middle (MITM) attacks. Instead of relying on the device’s trust store to validate server certificates, applications with SSL pinning explicitly ‘pin’ or hardcode specific certificates or public keys. This means the app will only trust a predefined certificate, rejecting any other certificate, even if it’s signed by a trusted Certificate Authority (CA) on the device. While enhancing security by preventing attackers from intercepting encrypted traffic via rogue CAs, it significantly complicates security testing, penetration testing, and reverse engineering efforts.

For security researchers and developers, intercepting an app’s HTTPS traffic is crucial for understanding its communication, identifying vulnerabilities, and debugging. When an app implements SSL pinning, traditional proxying methods (like setting up Burp Suite or OWASP ZAP with a trusted CA) fail, as the app actively rejects the proxy’s certificate. This is where dynamic instrumentation tools like Frida become indispensable.

Frida: Dynamic Instrumentation for Android

Frida is a powerful toolkit for dynamic instrumentation, allowing you to inject custom scripts into running processes on Windows, macOS, Linux, iOS, Android, and QNX. It enables you to hook into native functions, inspect memory, modify code, and, crucially for our purpose, bypass security mechanisms like SSL pinning by runtime modification of the app’s behavior. Frida works by injecting the V8 JavaScript engine into the target process, allowing you to write JavaScript code that interacts directly with the application’s runtime.

Prerequisites and Lab Setup

Before we dive into bypassing SSL pinning, ensure you have the following setup:

  • Rooted Android Device or Emulator: A rooted device is necessary to run the Frida server and access necessary permissions. Emulators like Android Studio’s AVD or Genymotion work well.
  • ADB (Android Debug Bridge): Essential for interacting with your Android device. Ensure it’s installed and configured on your host machine.
  • Frida-tools: Install Frida on your host machine: 
    pip install frida-tools

  • Frida-server: Download the correct Frida server binary for your device’s architecture (e.g., arm, arm64, x86) from Frida Releases. Push it to your device, make it executable, and run it.
  • Proxy Tool: Burp Suite Professional or Community Edition is highly recommended. Configure it to listen on all interfaces and set up your device’s Wi-Fi proxy to point to your host machine’s IP address and Burp’s listening port.
  • Proxy’s CA Certificate: Install your proxy’s CA certificate on your Android device. For Burp Suite, visit http://burp/cert in the device browser to download cacert.der, then install it as a user- or system-trusted certificate. For Android 7.0+ (Nougat) and above, apps by default only trust system CAs. You might need to root and move the Burp certificate to the system trust store (e.g., /system/etc/security/cacerts/) or target older Android versions.

Setting up Frida Server on Android:

  1. Download the appropriate frida-server binary for your device’s architecture from Frida Releases.
  2. Push it to your device: 
    adb push /path/to/frida-server /data/local/tmp/

  3. Make it executable and run it: 
    adb shell"chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &"

The Frida SSL Pinning Bypass Script

SSL pinning implementations vary widely across applications, from custom checks to popular libraries like OkHttp. A robust bypass script needs to address multiple common pinning techniques. The following comprehensive Frida script aims to hook various Android API calls related to certificate validation, effectively disabling pinning for most scenarios.

frida_ssl_bypass.js

Java.perform(function() {    console.log("[*] Frida Loaded: Attempting to bypass SSL Pinning...");    // Common SSL Pinning Bypass Methods    // 1. TrustManager bypass (most common)    try {        var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');        TrustManagerImpl.checkServerTrusted.implementation = function(chain, authType, host) {            console.log('[+] TrustManagerImpl.checkServerTrusted hooked for ' + host);            return; // Simply return, bypassing the check        };        console.log('[+] Hooked TrustManagerImpl.checkServerTrusted');    } catch (e) {        console.log('[-] TrustManagerImpl.checkServerTrusted hook failed: ' + e.message);    }    // 2. OkHttp3.x bypass    try {        var OkHttpClient = Java.use('okhttp3.OkHttpClient');        OkHttpClient.build.overload().implementation = function() {            console.log('[+] OkHttpClient.build hooked');            var okHttpClientBuilder = this.build();            okHttpClientBuilder.sslSocketFactory = Java.use('javax.net.ssl.SSLContext').getInstance('TLS').getSocketFactory();            okHttpClientBuilder.hostnameVerifier = Java.use('javax.net.ssl.HostnameVerifier').$new({                verify: function(hostname, session) {                    return true;                }            });            return okHttpClientBuilder;        };        console.log('[+] Hooked OkHttpClient.build');    } catch (e) {        console.log('[-] OkHttpClient.build hook failed: ' + e.message);    }    // 3. Apache HttpClient (legacy)    try {        var DefaultHttpClient = Java.use('org.apache.http.impl.client.DefaultHttpClient');        DefaultHttpClient.$init.overload('org.apache.http.conn.ClientConnectionManager', 'org.apache.http.params.HttpParams').implementation = function(ccm, params) {            console.log('[+] DefaultHttpClient hooked');            this.$init(ccm, params);            var SSLContext = Java.use('javax.net.ssl.SSLContext');            var TrustManager = Java.use('[Ljavax.net.ssl.TrustManager;');            var trustAllCerts = Java.array(TrustManager, [                Java.use('javax.net.ssl.X509TrustManager').$new({                    checkClientTrusted: function(chain, authType) {},                    checkServerTrusted: function(chain, authType) {},                    getAcceptedIssuers: function() {                        return Java.array('java.security.cert.X509Certificate', []);                    }                })            ]);            var sslcontext = SSLContext.getInstance('TLS');            sslcontext.init(null, trustAllCerts, null);            var SSLSocketFactory = Java.use('org.apache.http.conn.ssl.SSLSocketFactory');            var socketFactory = SSLSocketFactory.getSocketFactory();            socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);            this.setSSLSocketFactory(sslcontext.getSocketFactory());            return this;        };        console.log('[+] Hooked DefaultHttpClient');    } catch (e) {        console.log('[-] DefaultHttpClient hook failed: ' + e.message);    }    // 4. WebView Client Bypass    try {        var WebViewClient = Java.use('android.webkit.WebViewClient');        WebViewClient.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.SslErrorHandler', 'android.net.http.SslError').implementation = function(view, handler, error) {            console.log('[+] WebViewClient.onReceivedSslError hooked');            handler.proceed(); // Ignore SSL errors            return;        };        WebViewClient.onReceivedHttpError.overload('android.webkit.WebView', 'android.webkit.WebResourceRequest', 'android.webkit.WebResourceResponse').implementation = function(view, request, errorResponse) {            console.log('[+] WebViewClient.onReceivedHttpError hooked');            return;        };        console.log('[+] Hooked WebViewClient.onReceivedSslError and onReceivedHttpError');    } catch (e) {        console.log('[-] WebViewClient hook failed: ' + e.message);    }    // 5. Trustkit bypass (if app uses it)    try {        var Trustkit = Java.use('com.datatheorem.android.trustkit.TrustKit');        Trustkit.is  DeveloperOverrideActive.overload().implementation = function() {            console.log('[+] TrustKit.isDeveloperOverrideActive hooked');            return true;        };        Trustkit.verifyServerHostname.overload('java.lang.String', 'java.lang.String', 'java.security.cert.X509Certificate[]').implementation = function(hostname, pinValidationResult, chain) {            console.log('[+] TrustKit.verifyServerHostname hooked');            return;        };        console.log('[+] Hooked TrustKit');    } catch (e) {        console.log('[-] TrustKit hook failed: ' + e.message);    }    console.log('[*] SSL Pinning bypass script loaded successfully.');});

Step-by-Step Guide to Bypassing SSL Pinning

  1. Ensure Frida Server is Running: Confirm that the Frida server is running on your Android device (as detailed in the

    Android Mobile Specs & Compare Directory

    Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

    Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Frida #Penetration Testing #Reverse Engineering #SSL Pinning Bypass

Related Technical Guides

Troubleshooting ASLR Bypass: Debugging Common Android ARM64 Exploit Failures

May 30, 2026

Building Malicious Trusted Applications: Crafting PoC Exploits for Android TrustZone

May 29, 2026

How to Identify & Exploit Android Binder IPC Vulnerabilities: A Step-by-Step Lab

May 30, 2026