MITM/SSL pinning protection bypass for android applications

This post lists a few of the MITM/SSL pinning protection bypass techniques which I found useful during my Android application security assessments.


Last updated 5 years ago


Xposed framework modules

There are multiple Xposed modules available to get this work done. These modules leverage techniques such as hiding the root process, APK and function hooking, etc. to bypass such protections. Below are the links to a few of these modules which have helped me in the past.

| Name | Link |
| --- | --- |
| JustTrustMe | https://github.com/Fuzion24/JustTrustMe |
| SSLUnpinning_Xposed | https://github.com/ac-pm/SSLUnpinning_Xposed |
| TrustMeAlready | https://github.com/ViRb3/TrustMeAlready |

Frida

Frida is a dynamic instrumentation framework which can be used to inject JavaScript snippets or a library into native apps. There are multiple Frida scripts available for bypassing SSL pinning. I am listing a few of them below. They work for me most of the time.

| Name | Link |
| --- | --- |
| root-ssl-pin-bypass.js | https://gist.github.com/parad0xer/3ecc3526b9812be9f8374b2abbd91221 |
| Universal Android SSL Pinning Bypass | https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/ |
| Universal Android SSL Pinning Bypass 2 | https://codeshare.frida.re/@sowdust/universal-android-ssl-pinning-bypass-2/ |

Objection

Objection is a Frida-powered framework used for runtime mobile exploration. It can also be used to automate the SSL pinning bypass procedure.

Source: https://github.com/sensepost/objection

Overwrite certificates

Sometimes certificates are stored inside the application folder and can be replaced with custom certificates. This requires you to decompile the application and locate any certificates inside the application folders. Replace the cert or put Burp's certificate inside the folder and recompile the application. For signing the application you can use sign.jar, and then install the application to inspect traffic using Burp.

[Image: Certificate inside assets folder]

Network security config.xml

The network config file /res/xml/network_security_config.xml can be modified to intercept the application traffic. Since Android 7.0 (API level 24), applications do not trust user-installed CAs by default, so a proxy CA installed on the device is rejected unless the config explicitly trusts the "user" certificate store.

[Image: Network_security_config.xml]

Replace the XML file with code below and recompile the application to intercept traffic.

network_security_config.xml
<network-security-config>
   <base-config>
       <trust-anchors>
           <!-- Trust preinstalled CAs -->
           <certificates src="system" />
           <!-- Additionally trust user added CAs -->
           <certificates src="user" />
       </trust-anchors>
   </base-config>
</network-security-config>
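The same config file is also what a reviewer should check in a release build, because the "user" trust anchor above is exactly the setting that lets an intercepting proxy's CA be accepted. The following audit script is an added example, not code from the original post; it parses a network_security_config.xml with the standard library and reports which sections trust user CAs, override pins, or permit cleartext. The permissive sample is the config shown above; the hardened sample is constructed, and its host name and pin value are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the permissive config from this post (system + user CAs).
PERMISSIVE = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample: a hardened config; host and pin value are placeholders.
HARDENED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system" /></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""


def audit(xml_text):
    """Return findings for a network_security_config.xml; [] means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    # base-config applies to every host; each domain-config narrows the scope.
    for section in list(root.iter("base-config")) + list(root.iter("domain-config")):
        scope = section.tag
        if section.tag == "domain-config":
            scope += " " + ",".join(d.text.strip() for d in section.findall("domain"))
        for anchor in section.findall("trust-anchors/certificates"):
            if anchor.get("src") == "user":
                findings.append(scope + ": trusts user-added CAs, a proxy CA installed on the device is accepted")
            if anchor.get("overridePins") == "true":
                findings.append(scope + ": overridePins=true, pin-set is bypassed for this anchor")
        if section.get("cleartextTrafficPermitted") == "true":
            findings.append(scope + ": cleartext traffic permitted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["no findings"])
```

Run it against the network_security_config.xml pulled from a decompiled APK; a release build that reports the user-CA finding has effectively disabled pinning for the whole app.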

Keystore manipulation

It is possible to manipulate the BKS file which contains the CA used for SSL pinning. Most of the time it is stored inside the /res/raw folder. These BKS files are generally accessible without any password, or the password can be found hardcoded inside the application. In such a situation one can edit the BKS file to add a custom certificate and intercept the traffic.

In the example below, I decompiled the application using apktool, went to the /res/raw folder and found a BKS file, the password for which was hardcoded.

[Image: BKS file password]

I added Burp's CA to the BKS store and could bypass the MITM restriction.

[Image: Certificate inside BKS]

Patching Application code

It is generally possible to reverse the certificate pinning code to bypass the restriction. This requires an understanding of the code, and the process differs most of the time.

Below are a few examples where people have reversed application code to bypass the MITM restriction.

| Name | Link |
| --- | --- |
| SSLPinningExample | https://dl.packetstormsecurity.net/papers/general/android-sslpinning.pdf |
| OKhttp3 | https://blog.securityevaluators.com/bypassing-okhttp3-certificate-pinning-c68a872ca9c8 |
| pokemon go | https://www.insidevcode.eu/2016/08/31/pokemon-go-0-35-0-remove-ssl-pinning/ ; https://eaton-works.com/2016/07/31/reverse-engineering-and-removing-pokemon-gos-certificate-pinning/ ; https://matalamaki.fi/2016/08/30/removing-certificate-pinning-from-pokemon-go-without-going-native/ |
| FBUnpinner | https://github.com/tsarpaul/FBUnpinner |

Read more about: Frida, Objection, sign.jar, network security config.