
Bypassing Android SSL Pinning: A Comprehensive Guide to Intercepting Encrypted Traffic


Introduction to SSL Pinning and its Bypass

SSL (Secure Sockets Layer) Pinning, often referred to as certificate pinning, is a security mechanism implemented by developers within Android applications to prevent man-in-the-middle (MITM) attacks. By ‘pinning’ a specific certificate or public key within the application code, the app ensures that it only communicates with a server presenting one of those trusted certificates, even if the device’s trust store contains other valid certificates from a rogue or proxy CA.

While this enhances security for end-users, it poses a significant challenge for security researchers, penetration testers, and reverse engineers who need to intercept and analyze encrypted network traffic for vulnerability assessment, debugging, or understanding application behavior. Bypassing SSL pinning is a critical skill in Android app security analysis, allowing tools like Burp Suite or OWASP ZAP to function effectively.

Prerequisites for Bypassing SSL Pinning

Before diving into the techniques, ensure you have the following setup:

  • Rooted Android Device or Emulator: Necessary for installing Frida-server, modifying system files, or installing Magisk modules.
  • ADB (Android Debug Bridge): For connecting to your device/emulator and pushing/pulling files, executing shell commands.
  • Frida: A dynamic instrumentation toolkit for developers, reverse engineers, and security researchers.
  • Frida-tools: Python tools for interacting with Frida. Install via pip install frida-tools.
  • Proxy Tool: Burp Suite (Community/Pro) or OWASP ZAP for intercepting and analyzing HTTP/S traffic.
  • Device/Emulator with Network Configuration: Configured to route traffic through your proxy tool.

Understanding How SSL Pinning Works

When an application implements SSL pinning, it typically performs one of two checks:

  1. Certificate Pinning: The application bundles a copy of the server’s X.509 certificate and compares it against the certificate presented by the server during the TLS handshake.
  2. Public Key Pinning: The application extracts the public key from the server’s certificate and compares it against a pre-defined public key hash.

If the presented certificate or public key does not match the pinned one, the connection is aborted, even if the certificate is otherwise trusted by the device’s operating system.
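As an added example (not part of the original article), the following shell script computes both kinds of pin with openssl, exactly as a developer would when filling in an Android network_security_config pin-set, and runs the comparison a pinning check makes against constructed test certificates. It assumes openssl and base64 are installed on the host; the key and certificate names it creates are its own. It also shows why public key pinning survives a certificate renewal that keeps the same key, while certificate pinning does not.

```sh
#!/bin/sh
# Added example, not from the original article. Generates the pin values a
# developer ships (network_security_config / OkHttp CertificatePinner) and runs
# the two checks described above against a presented certificate. Needs openssl.
set -eu

# spki_pin PEM: base64(SHA-256(DER SubjectPublicKeyInfo)) -- public key pinning.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | base64
}

# cert_pin PEM: base64(SHA-256(DER certificate)) -- certificate pinning.
cert_pin() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -binary | base64
}

# check_pin MODE PEM PIN...: succeeds only if the presented certificate matches
# one of the pins; this is the comparison a pinning TrustManager makes after
# normal chain validation, and why a proxy CA's chain is rejected.
check_pin() {
  mode=$1; presented=$2; shift 2
  got=$("${mode}_pin" "$presented")
  for p in "$@"; do [ "$p" = "$got" ] && return 0; done
  return 1
}

# nsc_snippet DOMAIN PIN: the pin-set entry for res/xml/network_security_config.xml.
nsc_snippet() {
  printf '<domain-config>\n  <domain>%s</domain>\n  <pin-set>\n' "$1"
  printf '    <pin digest="SHA-256">%s</pin>\n  </pin-set>\n</domain-config>\n' "$2"
}

# make_test_certs [DIR]: constructed test material (not real server certs): one
# server key, a certificate for it, a renewal with the same key, and a
# certificate for an unrelated key. Prints the directory.
make_test_certs() {
  dir=${1:-$(mktemp -d)}
  for k in server other; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$k.key"
  done
  for c in server1:server server2:server other:other; do
    openssl req -x509 -new -key "$dir/${c#*:}.key" -subj "/CN=api.example.test" \
      -days 1 -out "$dir/${c%:*}.pem" 2>/dev/null
  done
  echo "$dir"
}
```

Run `d=$(make_test_certs); nsc_snippet api.example.test "$(spki_pin "$d/server1.pem")"` to print the pin-set entry; `check_pin spki "$d/server2.pem" "$(spki_pin "$d/server1.pem")"` succeeds for the renewed certificate, whereas the same check in `cert` mode fails.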

Method 1: Dynamic Instrumentation with Frida

Frida is the most versatile and powerful tool for bypassing SSL pinning dynamically. It allows you to inject custom scripts into running processes and modify their behavior at runtime.

Step 1: Install Frida-Server on your Android Device/Emulator

Download the appropriate Frida-server binary for your device’s architecture (e.g., frida-server-*-android-arm64) from the official Frida releases page on GitHub. Push it to your device and start it:

adb push /path/to/frida-server /data/local/tmp/frida-server
adb shell 'chmod 755 /data/local/tmp/frida-server'
adb shell '/data/local/tmp/frida-server &'   # frida-server must run as root; wrap it in su -c if adb shell is not already root

Step 2: Configure Proxy on your Device

Set up your Android device’s Wi-Fi proxy settings to point to your Burp Suite or ZAP listener (e.g., your host machine’s IP address and the proxy’s listening port, typically 8080).

Step 3: Install Proxy’s CA Certificate

To inspect HTTPS traffic, your device needs to trust your proxy’s CA certificate. Navigate to http://burp/cert (for Burp Suite) or http://zap/ (for ZAP) in your device’s browser, download the certificate, and install it as a user-supplied CA. On Android 7+, this often requires rooting and moving the certificate to the system trust store (/system/etc/security/cacerts/).

# Example for moving the Burp CA cert to the system trust store (requires root/Magisk).
# burp.cer is the DER certificate downloaded from http://burp/cert in Step 3.
openssl x509 -inform DER -in burp.cer -out burp.pem
HASH=$(openssl x509 -inform PEM -subject_hash_old -in burp.pem -noout)   # Android names system CAs <subject_hash_old>.0
cp burp.pem "$HASH.0"
# (the copy Android stored under /data/misc/user/0/cacerts-added/ when the cert was
#  installed as a user CA already has exactly this name and format)
adb root
adb remount        # adb root/remount work on emulators and userdebug builds; on a production device use a Magisk module to overlay the file
adb push "$HASH.0" /system/etc/security/cacerts/
adb shell "chmod 644 /system/etc/security/cacerts/$HASH.0"
adb reboot

Step 4: Use a Frida SSL Unpinning Script

There are several universal Frida scripts available that hook into common SSL/TLS libraries (e.g., OkHttp, TrustManager, OpenSSL, Conscrypt) to bypass pinning checks. A popular generic script can be found on CodeShare or GitHub. Save such a script (e.g., frida_bypass.js) on your host machine.

Here’s a simplified example of what such a script might target:

// frida_bypass.js
Java.perform(function () {
    console.log("[*] Starting SSL pinning bypass...");

    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    var SSLContext = Java.use('javax.net.ssl.SSLContext');

    // A TrustManager that accepts any chain, registered as a real Java class.
    // It is used to build an initialised SSLContext: calling getSocketFactory()
    // on a context that was never init()ed throws IllegalStateException.
    var TrustAll = Java.registerClass({
        name: 'com.example.frida.TrustAll', // any unused class name will do
        implements: [X509TrustManager],
        methods: {
            checkClientTrusted: function (chain, authType) {},
            checkServerTrusted: function (chain, authType) {},
            getAcceptedIssuers: function () { return []; }
        }
    });
    var trustAllArray = Java.array('javax.net.ssl.TrustManager', [TrustAll.$new()]);
    var permissiveContext = SSLContext.getInstance('TLS');
    permissiveContext.init(null, trustAllArray, null);
    var permissiveFactory = permissiveContext.getSocketFactory();

    // Bypass for OkHttp3: CertificatePinner.check() throws SSLPeerUnverifiedException
    // on a mismatch, so an implementation that simply returns disables the pin.
    try {
        var CertificatePinner = Java.use('okhttp3.CertificatePinner');
        CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function (hostname, peerCertificates) {
            console.log("[+] okhttp3.CertificatePinner.check() bypassed for " + hostname);
        };
        console.log("[+] OkHttp3 hooks applied");
    } catch (e) {
        console.log("[-] OkHttp3 not found or failed: " + e.message);
    }

    // Bypass for custom TrustManagers: swap whatever the app passes to
    // SSLContext.init() for the permissive one.
    SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').implementation = function (keyManagers, trustManagers, secureRandom) {
        console.log("[+] Hooking SSLContext.init");
        return this.init(keyManagers, trustAllArray, secureRandom);
    };

    // Bypass for HttpsURLConnection: replace any app-supplied socket factory.
    var HttpsURLConnection = Java.use('javax.net.ssl.HttpsURLConnection');
    HttpsURLConnection.setDefaultSSLSocketFactory.implementation = function (sslSocketFactory) {
        console.log("[+] HttpsURLConnection.setDefaultSSLSocketFactory hooked");
        return this.setDefaultSSLSocketFactory(permissiveFactory);
    };
    HttpsURLConnection.setSSLSocketFactory.implementation = function (sslSocketFactory) {
        console.log("[+] HttpsURLConnection.setSSLSocketFactory hooked");
        return this.setSSLSocketFactory(permissiveFactory);
    };

    console.log("[*] SSL pinning bypass finished.");
});

Step 5: Run Frida to Inject the Script

Identify the package name of the target application (e.g., com.example.app). Then execute Frida:

frida -U -f com.example.app -l frida_bypass.js --no-pause

-U selects a USB device (your connected Android device). -f spawns the application and injects the script before any of its code runs. -l loads your bypass script. --no-pause makes the app resume immediately after injection; in Frida 16 and later the flag no longer exists because spawned processes are resumed automatically, so simply omit it there. Observe the output in your terminal and your proxy tool. You should now see the application’s HTTPS traffic flowing through Burp/ZAP.

Method 2: Using Objection (Frida-Based Framework)

Objection is a runtime mobile exploration toolkit powered by Frida. It simplifies many common tasks, including SSL pinning bypass.

Step 1: Install Objection

pip install objection

Step 2: Inject and Bypass

Start your target application and then use objection:

objection --gadget "com.example.app" explore

Once inside the objection shell, execute the SSL unpinning command:

android sslpinning disable

Objection will automatically apply Frida hooks to common pinning implementations. This method is often quicker and simpler for standard cases.

Method 3: Magisk Modules (for System-Wide Bypass)

For a more persistent and system-wide bypass (especially on Android 7+ where user-installed CAs are not trusted by default by many apps), Magisk modules can be effective.

TrustMeAlready

This Magisk module attempts to disable SSL pinning for a wide range of common implementations across all applications on the device. It modifies the Android framework to trust user-installed CA certificates system-wide.

  1. Install Magisk on your rooted device.
  2. Download the TrustMeAlready Magisk module (or similar, like a universal Android SSL unpinning module).
  3. Install the module through the Magisk Manager app.
  4. Reboot your device.
  5. Ensure your proxy’s CA certificate is installed as a user certificate.

This method can be less granular than Frida’s targeted approach but is highly effective if it supports the app’s pinning implementation.

Troubleshooting Common Issues

  • Frida-Server not running/connecting: Ensure the correct architecture binary is used, permissions are set (chmod 755), and no other instance is running. Check adb logcat for errors.
  • App crashes after Frida injection: The Frida script might be incompatible with the app’s specific implementation or the app has anti-Frida/anti-tampering mechanisms. You may need to refine the Frida script or use anti-anti-Frida techniques.
  • Still seeing SSL errors in proxy: Verify your proxy settings on the device and ensure the proxy’s CA certificate is correctly installed and trusted by the system (especially on Android 7+ where apps often don’t trust user-installed CAs).
  • Objection not working: Ensure Frida-server is running. Objection relies on Frida.

Conclusion

Bypassing Android SSL pinning is a crucial skill for anyone involved in mobile application security. While developers implement pinning for valid security reasons, the ability to intercept and analyze encrypted traffic is indispensable for thoroughly assessing an application’s vulnerabilities and understanding its behavior. Tools like Frida and Objection provide powerful, dynamic means to achieve this, allowing security professionals to perform comprehensive audits and reverse engineering tasks on even the most hardened Android applications.
