SSL Pinning Bypass Simplified


Prathamesh Khatavkar

Ever wonder how secure your favorite apps really are? Well, imagine a secret conversation between your phone and the app’s server, all locked up tight like a futuristic vault. That’s what SSL pinning does — on top of the encrypted TLS connection, the app only trusts the server certificate (or public key) it was built with, so an eavesdropper can’t slip their own certificate into the conversation.

Here’s the funky part: for security researchers (the good guys!), this protection can be a hurdle. They can’t listen in on the conversation to test the app’s defenses, because even a proxy certificate installed on the device gets rejected. That’s where SSL pinning bypass comes in, like a secret decoder ring for this digital vault.

Bypassing SSL pinning in a lab environment isn’t some Mission Impossible feat (although it might sound complex!). It’s all about understanding how things work and why. This article will be your guide, showing you step-by-step how to bypass pinning in your own lab using a tool called Frida.

We’ll assume you’ve already downloaded and installed some key components. We’ll focus on using them, not getting them set up (or else, it will take all day!).

My Lab Environment Setup:

Kali Linux 2024
Genymotion 3.6.0
Google Pixel (Android 11.0) emulator installed on Genymotion
Burp Suite for proxying the communication
Frida server, the main pillar of this whole process

Let's begin

Install Frida on the Kali machine using the following command

python3 -m pip install frida-tools

Start the Google Pixel emulator in Genymotion.

Connect the Kali machine to the emulator over the bridged network using adb

adb connect <android-device-ip>:5555

Edit the Burp Suite proxy listener settings so it listens on all interfaces.

To divert the captured requests to Burp, set up a proxy on the Android emulator (the address is the Kali machine that runs Burp Suite)

adb shell settings put global http_proxy <device-ip-of-burp-suite>:8080

Identify the Android device architecture so you can download the matching Frida server build (one time process)

adb shell getprop ro.product.cpu.abi

Based on the result of the previous command, find and download the matching Frida server release from the following link (one time process)

https://github.com/frida/frida/releases/

Decompress the downloaded Frida server file; the release is a single xz-compressed binary, not a tar archive (one time process). Rename the extracted binary to frida-server so it matches the commands below.

xz -d frida_file.xz

Now push the Frida server binary we just downloaded to the /data/local/tmp folder of the Android device (one time process)

adb push frida-server /data/local/tmp/

Now make the Frida server file we pushed to the Android device executable

adb shell chmod 777 /data/local/tmp/frida-server

And now spin up the Frida server on the Android device (it needs root, which the Genymotion image provides by default)

adb shell /data/local/tmp/frida-server &

Download the Burp Suite CA certificate in ‘.crt’ format and make a copy of it with the ‘.der’ extension (Burp exports the certificate DER-encoded, so the copy only changes the file name)

cp certificate.crt certificate.der

Now we have two copies of the certificate. Push ‘certificate.der’ to the /data/local/tmp folder of the Android device

adb push certificate.der /data/local/tmp/

Then install certificate.crt on the Android device using the emulator’s system settings.

Make sure you install the .crt on the Android device and push the .der to the /data/local/tmp folder, and that the Frida server file and ‘certificate.der’ are in the same folder: the bypass script reads the certificate from there so the app will trust Burp’s proxy certificate.

Visit the following link, copy the whole JavaScript code and save it on your Kali machine with the extension .js. I am naming it frida-script.js; this is our actual bypassing script.

https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/

Alright crew, we’ve got the basics down. Now it’s time to unleash the funky power of Frida to bypass SSL pinning in our safe lab environment.

With our tools prepped, let’s crank up the action. Keep the app you want to test open on your emulator, then capture the package name of the application we are targeting.

adb shell pm list packages

Note down the complete package name; look for an entry that starts with ‘com.name-of-your-app’.

Remember that bypass script we downloaded? Now it’s time to shine! We’ll use Frida to load the script into your chosen app (the package name we just copied). The script hooks the app’s certificate-validation code so it accepts Burp’s certificate, which lets us intercept the communication in plain text.

frida -U -f com.ssl-pinning-bypass -l frida-script.js

Boooommm!!!! If you followed these steps carefully, you’ve just successfully bypassed SSL pinning in your lab environment using Frida. That’s a fresh accomplishment!
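To see what the hook actually switches off, here is an added example (not from this article, Frida or Burp) that models Android’s OkHttp-style pin check in Python: a TLS chain passes only if some certificate’s SPKI hash matches a configured pin, which is why Burp’s proxy certificate is refused on a pinned host even after its CA is installed on the device. Hostnames, pins and the SPKI byte strings are constructed placeholders.

```python
"""Toy model of Android certificate pinning (OkHttp CertificatePinner semantics).

Added example; the hostnames and SPKI blobs are constructed, real SPKIs come
from the DER certificates in the server's chain.
"""
import base64
import hashlib
from typing import Dict, List


def spki_pin(spki_der: bytes) -> str:
    """Pin string: 'sha256/' + base64(SHA-256 over the DER SubjectPublicKeyInfo)."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


class CertificatePinner:
    """Accepts a chain only if some certificate in it matches a pin for the host."""

    def __init__(self, pins_by_host: Dict[str, List[str]]):
        self.pins = {host: set(pins) for host, pins in pins_by_host.items()}

    def check(self, hostname: str, chain_spkis: List[bytes]) -> bool:
        expected = self.pins.get(hostname)
        if not expected:
            # Unpinned host: only the platform trust store decides, so an
            # installed Burp CA is enough to intercept this traffic.
            return True
        presented = {spki_pin(spki) for spki in chain_spkis}
        return bool(expected & presented)


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs.
SERVER_SPKI = b"constructed-spki:api.example.com:primary-key"
BACKUP_SPKI = b"constructed-spki:api.example.com:backup-key"
BURP_SPKI = b"constructed-spki:leaf-issued-by-PortSwigger-CA"

PINNER = CertificatePinner({
    # Ship a backup pin so a key rotation does not lock users out.
    "api.example.com": [spki_pin(SERVER_SPKI), spki_pin(BACKUP_SPKI)],
})


def connect(hostname: str, chain_spkis: List[bytes]) -> str:
    """What the app does before sending a request; the Frida hook forces the 'connected' path."""
    ok = PINNER.check(hostname, chain_spkis)
    return "connected" if ok else "pin mismatch: connection refused"


if __name__ == "__main__":
    print(connect("api.example.com", [SERVER_SPKI]))  # connected
    print(connect("api.example.com", [BURP_SPKI]))    # pin mismatch: connection refused
    print(connect("cdn.example.com", [BURP_SPKI]))    # connected (host not pinned)
```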

But remember, this power is for good! We used it to test the app’s security in a safe space, not to eavesdrop in the real world. Ethical hackers use these techniques to help developers make their apps even stronger.
