Bypass Certificate Pinning

Certificate pinning on Android is typically implemented using Android APIs. These checks can be easily bypassed using Objection, Frida scripts, or MagiskHide if Magisk was used for rooting.

Check for Certificate Pinning

Install the application onto a device:

  • Configure the device to use the intercept proxy

  • Launch the target app and try to interact with it

  • If you can see the traffic in Burp Suite, then Certificate Pinning is not enabled

  • If you see no traffic, and/or a bunch of "client failed to negotiate a TLS connection to..." messages in the Event Log (Dashboard tab), then Certificate Pinning is enabled

  • To bypass Certificate Pinning use Objection or Frida

Bypass with Objection

Objection has a built-in certificate pinning bypass. After connecting to the app, run the android sslpinning disable command.

objection -g 'App Name' explore
Using USB device `iPhone`
Agent injected and responds ok!

     _   _         _   _
 ___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_|  _|  _| | . |   |
|___|___| |___|___|_| |_|___|_|_|
      |___|(object)inject(ion) v1.9.6

Runtime Mobile Exploration
by: @leonjza from @sensepost

[tab] for command suggestions
com.company.appname on (pixel: 11.0) [usb] ## android sslpinning disable
(Job) Registering job 63ybpzbiuue. Type: Starting
com.company.appname on (pixel: 11.0) [usb] #

Once the job is running, check whether the pinning checks have been bypassed. Output is displayed on the screen as the app runs.