Android Software Reverse Engineering & Decompilation

Crafting Custom Frida Hooks: Bypassing Advanced Android SSL Pinning Implementations

By Antigravity Research Published May 29, 2026 ⏱️ 8 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction

SSL Pinning is a critical security mechanism implemented in mobile applications to prevent man-in-the-middle (MiTM) attacks. While effective, it poses a significant challenge for security researchers, penetration testers, and reverse engineers attempting to analyze network traffic of Android applications. Generic Frida SSL pinning bypass scripts often fail against applications employing custom or advanced pinning logic. This article delves into the art of crafting custom Frida hooks to successfully bypass even the most sophisticated Android SSL pinning implementations.

We will explore methodologies for identifying custom pinning logic through static and dynamic analysis, and then construct targeted Frida scripts to disable or circumvent these checks, enabling the interception of encrypted traffic.

Understanding Advanced SSL Pinning Mechanisms

Before bypassing, it’s crucial to understand how modern Android apps implement SSL pinning. Beyond the standard TrustManager, applications often use:

  • Custom X509TrustManager Implementations: Developers can extend or replace the default `X509TrustManager` to perform their own certificate validation logic.
  • Public Key Pinning: Pinning to the public key of the certificate instead of the entire certificate. This is more robust as it survives certificate renewals as long as the public key remains the same.
  • Hostname Verification: Implementing custom `HostnameVerifier` logic to ensure the server’s hostname matches expectations.
  • Network Security Configuration (NSC): Introduced in Android 7.0 (API level 24), NSC allows developers to declare network security policies in an XML file, including pinning certificates.
  • Third-party Libraries: Libraries like OkHttp, Volley, or custom networking stacks often have their own pinning mechanisms that need to be addressed specifically.

Setting Up Your Environment

To follow along, ensure you have:

  • A rooted Android device or emulator with Frida-server running.
  • Frida-tools installed on your host machine.
  • ADB configured for communication with the device.
  • A proxy tool like Burp Suite or OWASP ZAP configured for intercepting traffic.

Start the Frida server on your device:

adb shell su -c /data/local/tmp/frida-server

Verify Frida connectivity:

frida-ps -U

Identifying Custom Pinning Logic (The Hard Part)

Static Analysis with Decompilers (Jadx/Ghidra)

The first step is to decompile the target APK. Tools like Jadx or Ghidra are invaluable here.

  1. Decompile the APK: 
    jadx -d output_dir your_app.apk
  2. Search for Keywords: Look for classes and methods related to SSL/TLS and trust management. Common keywords include:
    • `X509TrustManager`
    • `checkServerTrusted`
    • `HostnameVerifier`
    • `verify` (when used with `HostnameVerifier`)
    • `SSLSocketFactory`
    • `CertificateFactory`
    • `KeyStore`
    • `pinning`
    • `certificate`
    • Base64 encoded strings (often used for embedded certificates or public keys)
    • Network Security Configuration XML (`network_security_config.xml`)
  3. Analyze Call Graphs: Once potential pinning methods are identified, analyze their call graphs to understand how they are invoked and what conditions lead to their execution. Pay attention to custom classes implementing `TrustManager` or `HostnameVerifier` interfaces.

Dynamic Analysis with Frida Tracing

When static analysis isn’t enough, dynamic tracing with Frida can reveal the pinning logic at runtime. We can hook common SSL/TLS methods and observe the stack trace to pinpoint custom implementations.

A generic trace script to identify `checkServerTrusted` calls:

Java.perform(function() {    var TrustManager = Java.use('javax.net.ssl.X509TrustManager');    TrustManager.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String').implementation = function() {        console.log('[+] checkServerTrusted called from:');        var exception = Java.use('java.lang.Exception').$new();        var stackTrace = exception.getStackTrace();        for (var i = 0; i < stackTrace.length; i++) {            console.log('    ' + stackTrace[i].toString());        }        this.checkServerTrusted.apply(this, arguments);    };});

Run this script and interact with the app. The console output will show where `checkServerTrusted` is being called from, often revealing custom trust managers.

Crafting Custom Frida Hooks for Specific Scenarios

Once you’ve identified the custom pinning logic, you can write targeted Frida scripts.

Scenario 1: Overriding Custom `X509TrustManager`

Many apps implement their own `X509TrustManager` class (e.g., `com.example.app.CustomTrustManager`). Your goal is to find this class and override its `checkServerTrusted` method to do nothing, effectively trusting all certificates.

Java.perform(function() {    var CustomTrustManager = null;    try {        // Try to find the custom TrustManager by name        CustomTrustManager = Java.use('com.example.app.CustomTrustManager');    } catch (e) {        // Fallback: If the exact class name isn't known, try to hook all X509TrustManager instances        console.log('CustomTrustManager not found by direct name. Trying generic hook...');        var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');        X509TrustManager.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String').implementation = function() {            console.log('[+] Bypassing checkServerTrusted on generic X509TrustManager!');            // Do nothing, effectively trusting the server certificate        };        X509TrustManager.checkClientTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String').implementation = function() {            console.log('[+] Bypassing checkClientTrusted on generic X509TrustManager!');            // Do nothing        };        X509TrustManager.getAcceptedIssuers.implementation = function() {            console.log('[+] Bypassing getAcceptedIssuers on generic X509TrustManager!');            return this.getAcceptedIssuers(); // Return original accepted issuers        };        return; // Exit as generic hook is applied    }    if (CustomTrustManager) {        console.log('[+] Found custom TrustManager: ' + CustomTrustManager.$className);        CustomTrustManager.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String').implementation = function(chain, authType) {            console.log('[+] Custom TrustManager checkServerTrusted bypassed!');            // Call the original method to avoid breaking the app logic, but it won't actually fail            // Alternatively, just return, if app crashes            // this.checkServerTrusted(chain, authType);        };        // Repeat for checkClientTrusted and getAcceptedIssuers if needed        CustomTrustManager.checkClientTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String').implementation = function(chain, authType) {            console.log('[+] Custom TrustManager checkClientTrusted bypassed!');        };        CustomTrustManager.getAcceptedIssuers.implementation = function() {            console.log('[+] Custom TrustManager getAcceptedIssuers bypassed!');            return []; // Or return the original value: this.getAcceptedIssuers();        };    } else {        console.log('[-] Failed to find custom TrustManager.');    }});

Scenario 2: Bypassing `HostnameVerifier`

Some applications add an extra layer of security by verifying the hostname. You can override the `verify` method of `javax.net.ssl.HostnameVerifier` to always return true.

Java.perform(function() {    var HostnameVerifier = Java.use('javax.net.ssl.HostnameVerifier');    HostnameVerifier.verify.implementation = function(hostname, session) {        console.log('[+] Bypassing HostnameVerifier for hostname: ' + hostname);        return true; // Always return true, trusting any hostname    };    console.log('[+] HostnameVerifier bypass loaded.');});

Scenario 3: Disabling OkHttp Pinning

OkHttp is widely used. It has its own `CertificatePinner` class. We can hook its `check` method to prevent it from enforcing pinning.

Java.perform(function() {    try {        var CertificatePinner = Java.use('okhttp3.CertificatePinner');        console.log('[+] Found okhttp3.CertificatePinner.');        CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function(hostname, certificates) {            console.log('[+] Bypassing OkHttp CertificatePinner for hostname: ' + hostname);            // Do nothing, effectively disabling pinning for this check            // this.check(hostname, certificates); // Uncomment to call original, but it will fail if pinned        };        console.log('[+] OkHttp CertificatePinner bypass loaded.');    } catch (e) {        console.log('[-] okhttp3.CertificatePinner not found: ' + e.message);    }});

Scenario 4: Bypassing TrustManager using `android.net.http.X509TrustManagerExtensions`

On some Android versions (pre-API 24, or for specific cases), `X509TrustManagerExtensions` might be used.

Java.perform(function() {    try {        var X509TMEx = Java.use('android.net.http.X509TrustManagerExtensions');        console.log('[+] Found android.net.http.X509TrustManagerExtensions.');        X509TMEx.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String').implementation = function(chain, authType, host) {            console.log('[+] Bypassing X509TrustManagerExtensions.checkServerTrusted for host: ' + host);            // Do nothing, bypass pinning            // this.checkServerTrusted(chain, authType, host);        };        console.log('[+] X509TrustManagerExtensions bypass loaded.');    } catch (e) {        console.log('[-] android.net.http.X509TrustManagerExtensions not found: ' + e.message);    }});

Deploying and Testing Your Custom Hooks

Once your custom Frida script (`bypass.js`) is ready, deploy it:

  1. Push your script to the device (optional but good practice): 
    adb push bypass.js /data/local/tmp/
  2. Run Frida with your script: 
    frida -U -l /data/local/tmp/bypass.js -f com.example.app --no-pause

    Replace `/data/local/tmp/bypass.js` with your script’s path and `com.example.app` with the target application’s package name. The `–no-pause` flag ensures the application starts immediately without waiting for user input.

  3. Verify the Bypass: With your proxy (Burp Suite, OWASP ZAP) running and configured on your device, interact with the application. If the bypass is successful, you should now be able to intercept and inspect the HTTPS traffic. Look for the `[+]` messages in your Frida console, indicating your hooks are active.

Conclusion

Bypassing advanced SSL pinning implementations requires a systematic approach, combining static analysis to pinpoint custom logic and dynamic instrumentation with Frida to target those specific checks. Generic bypass scripts are often insufficient, necessitating the development of custom hooks tailored to the application’s unique security mechanisms. By mastering these techniques, reverse engineers and security professionals can gain deeper insights into application behavior and uncover potential vulnerabilities.

Remember to use these techniques ethically and only on applications you are authorized to test.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Frida #Mobile Hacking #Reverse Engineering #SSL Pinning Bypass

Related Technical Guides

Deep Dive: Understanding and Circumventing Native (JNI) Root Checks in Android Apps

May 30, 2026

Reverse Engineering Lab: Mapping Custom Android SoC Peripherals with Ghidra Sleigh

May 29, 2026

Building Custom Frida Gadgets: Injecting & Controlling Android Apps Remotely

May 30, 2026