
# MITM/SSL pinning protection bypass for Android applications

### Xposed framework modules

![Xposed Framework](/files/-Lo-jYdUGnN_FfwUGXfQ)

There are multiple [***Xposed***](https://www.xda-developers.com/xposed-framework-hub/) modules available to get this done. These modules use techniques such as hiding the root process and APK, function hooking, etc. to bypass such protections. Below are links to a few of the modules that have helped me in the past.

| **Name**             | Link                                           |
| -------------------- | ---------------------------------------------- |
| JustTrustMe          | <https://github.com/Fuzion24/JustTrustMe>      |
| SSLUnpinning\_Xposed | <https://github.com/ac-pm/SSLUnpinning_Xposed> |
| TrustMeAlready       | <https://github.com/ViRb3/TrustMeAlready>      |

### Frida

[***Frida***](https://www.frida.re) is a dynamic instrumentation framework that can be used to inject JavaScript snippets or a library into native apps. There are multiple Frida scripts available for bypassing SSL pinning; I am listing a few of them below. They work for me most of the time.

| Name                                   | Link                                                                                      |
| -------------------------------------- | ----------------------------------------------------------------------------------------- |
| root-ssl-pin-bypass.js                 | <https://gist.github.com/parad0xer/3ecc3526b9812be9f8374b2abbd91221>                      |
| Universal Android SSL Pinning Bypass   | <https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/> |
| Universal Android SSL Pinning Bypass 2 | <https://codeshare.frida.re/@sowdust/universal-android-ssl-pinning-bypass-2/>             |

### Objection

[***Objection***](https://github.com/sensepost/objection) is a Frida-powered framework for runtime mobile exploration. It can also be used to automate the SSL pinning bypass procedure.

![Source:https://github.com/sensepost/objection](/files/-Lo5RTqcsnaO-gHs8eu2)

### Overwrite certificates

Sometimes certificates are stored inside the application folder, where they can be replaced with custom certificates. This requires you to decompile the application and locate any certificates inside the application folders. Replace the certificate, or put Burp's certificate inside the folder, and recompile the application. To sign the application you can use [***sign.jar***](https://github.com/appium/sign), then install it and inspect the traffic using Burp.

![Certificate inside assets folder](/files/-Lo-zWo6rFdf9-WefKzb)

### Network security config.xml

The network security config file `/res/xml/network_security_config.xml` can be modified to intercept the application's traffic.

Read more about the [***network security config***](https://developer.android.com/training/articles/security-config).

![Network\_security\_config.xml](/files/-Lo17s-EGd9k1OpGAQaA)

Replace the XML file with the code below and recompile the application to intercept traffic. This configuration trusts user-added CAs in addition to the system CAs, which is what allows a proxy certificate installed on the device to be accepted.

{% code title="network\_security\_config.xml" %}

```markup
<network-security-config>
   <base-config>
       <trust-anchors>
           <!-- Trust preinstalled CAs -->
           <certificates src="system" />
           <!-- Additionally trust user added CAs -->
           <certificates src="user" />
       </trust-anchors>
   </base-config>
</network-security-config>
```

{% endcode %}
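From the defender's side, the same file is what you check to confirm an app is not shipping the permissive settings above. The script below is an added example, not part of the original page: it parses a `network_security_config.xml` and flags trust in user-added CAs, explicit cleartext, `overridePins`, and missing, single or expired pins, using a constructed weak config and a constructed hardened counterpart (the domain and pin digests are placeholders).

```python
"""Audit an Android network_security_config.xml for MITM-relevant weaknesses.
Added example, not from the original page; sample configs are constructed and the
domain and SHA-256 pin values are placeholders."""
import xml.etree.ElementTree as ET
from datetime import date

# The permissive config shown above: user-added CAs (e.g. a proxy CA) are trusted.
WEAK_CONFIG = """<network-security-config><base-config><trust-anchors>
  <certificates src="system" /><certificates src="user" />
</trust-anchors></base-config></network-security-config>"""

# A hardened counterpart: system CAs only, no cleartext, two pins with an expiry.
HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system" /></trust-anchors></base-config>
  <domain-config><domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set></domain-config></network-security-config>"""


def audit_config(xml_text, today=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    today = date.fromisoformat(today) if today else date.today()
    root = ET.fromstring(xml_text)
    findings = []
    for sec in list(root.iter("base-config")) + list(root.iter("domain-config")):
        # Only an explicit cleartext opt-in is flagged: the default depends on targetSdk.
        if sec.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{sec.tag}: cleartext traffic explicitly permitted")
        for cert in sec.iter("certificates"):
            if cert.get("src") == "user":
                findings.append(f"{sec.tag}: trusts user-added CAs")
            if cert.get("overridePins") == "true":
                findings.append(f"{sec.tag}: {cert.get('src')} CAs bypass pinning")
    for dc in root.iter("domain-config"):
        domains = ",".join(d.text for d in dc.iter("domain"))
        pin_set = dc.find("pin-set")
        pins = pin_set.findall("pin") if pin_set is not None else []
        if not pins:
            findings.append(f"{domains}: no pins, only CA validation applies")
        elif len(pins) < 2:
            findings.append(f"{domains}: single pin, add a backup pin")
        if pin_set is not None and pin_set.get("expiration"):
            if date.fromisoformat(pin_set.get("expiration")) <= today:
                findings.append(f"{domains}: pin-set expired, pins are ignored")
    if root.find("domain-config") is None:
        findings.append("no domain-config: no host is pinned")
    return findings
```

Run it against the decompiled app's `res/xml/network_security_config.xml`; an expired `pin-set` silently disables pinning, which is why the expiry is checked as well.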

### Keystore manipulation

It is possible to manipulate the BKS file that contains the CA used for SSL pinning. Most of the time it is stored inside the `/res/raw` folder. These BKS files are generally accessible without a password, or the password can be found hardcoded inside the application. In such a situation one can edit the BKS file to add a custom certificate and intercept the traffic.

In the example below, I decompiled the application using apktool, went to the `/res/raw` folder and found a BKS file whose password was hardcoded.

![BKS file password](/files/-LoPBs2DS9NhBi1IcuC6)

![Certificate inside BKS](/files/-Lo0GtMOKFlEos8N6fLw)

I added Burp's CA to the BKS store and could bypass the MITM restriction.

### Patching application code

It is generally possible to reverse the certificate pinning code to bypass the restriction. This requires an understanding of the code, and the process will usually differ from application to application.

Below are a few examples where people have reversed application code to bypass the MITM restriction.

| Name              | Link                                                                                    |
| ----------------- | --------------------------------------------------------------------------------------- |
| SSLPinningExample | <https://dl.packetstormsecurity.net/papers/general/android-sslpinning.pdf>              |
| OkHttp3           | <https://blog.securityevaluators.com/bypassing-okhttp3-certificate-pinning-c68a872ca9c8> |
| Pokemon Go        | <https://www.insidevcode.eu/2016/08/31/pokemon-go-0-35-0-remove-ssl-pinning/> <br> <https://eaton-works.com/2016/07/31/reverse-engineering-and-removing-pokemon-gos-certificate-pinning/> <br> <https://matalamaki.fi/2016/08/30/removing-certificate-pinning-from-pokemon-go-without-going-native/> |
| FBUnpinner        | <https://github.com/tsarpaul/FBUnpinner>                                                |

