Bypassing SSL Pinning with Frida and Objection in Mobile Applications

What is SSL Pinning?

SSL pinning is the process of hardcoding or “pinning” the trusted server’s certificate or public key into the app, instead of relying only on Certificate Authorities (CAs) to validate SSL/TLS certificates. In this way the app makes sure it only connects to the designated servers and it significantly reduces the risk of man-in-the-middle attacks.

Without SSL pinning, anyone can intercept the traffic between your app and server, compromising data security and privacy.

How to bypass SSL pinning?

If we want to perform a dynamic security assessment of an app, we will not be able to intercept the traffic between the app and the server using any proxy tool if the app has SSL pinning enabled. The good news is: there are ways to bypass SSL pinning. In this article, we’ll use two tools for the purpose: Objection and Frida.

Frida:

Frida is a dynamic instrumentation toolkit for developers, reverse engineers and security researchers. Frida injects code into a running application and allows you to interact with it in real-time. The code is injected into the process memory of the application, so that it can be used to modify its behaviour without having to modify the source code.

You can get Frida from here:

Before installing Objection, you need to install Frida tools using the following command:

For mac systems, using pip3 sometimes throws an error relating to externally managed environment. In that case, the following command should work:

Objection:

Objection is a runtime mobile exploration toolkit powered by Frida. Objection helps in the security assessment of a mobile application without needing a jailbreak.

Follow this link to know what features are there in Objection.

You can get Objection from here:

Make sure you have installed frida-tools and use the following command to install Objection:

You can use the break-system-packages option if you face a problem with pip3 on Mac.

If you have an .apk file, you can use the following command to inject Frida into the file. Objection will decompile the apk, inject the Frida gadget and recompile it. Connect your mobile device/ start your emulator and run this command:

For ipa files, you need to use ‘patchipa’ instead of ‘patchapk’.

The recompiled file will be saved in the same location with a name: application_name.objection.apk.

(If you receive an error related to missing ‘aapt’, read this.)

Now you can install this patched application into your mobile device or emulator.

Note: Sometimes the patched application may give you errors during installation. In that case you have to manually decompile the app, inject Frida gadget and recompile it. Use the instructions in the following link to do it manually:

Once the patched app is installed in your device/emulator, try to open it and you’ll see a blank screen. Open terminal and use the following command, and your application will start normally.

To disable SSL pinning, use the following command:

Now you should be able to intercept the traffic from your app using proxy tools.

Check out the following link to know about more ways to bypass SSL pinning:

Thanks for reading! I hope this helped.