
Bypass Certificate Pinning

Certificate pinning on iOS is typically implemented using the Apple APIs. As a result, one universal tool, SSL Kill Switch 2, can be used to disable it.

Check for Certificate Pinning

Install the target application onto a device:

  • Configure the device to use the intercept proxy (above)

  • If SSL Kill Switch 2 is already installed, ensure you disable it for this check

    • Settings app → SSL Kill Switch 2 → Toggle button to off
  • Launch the target app and try to interact with it

  • If you can see the traffic in Burp Suite, then Certificate Pinning is not enabled

  • If you see no traffic, and/or a bunch of "client failed to negotiate a TLS connection to..." messages in the Event Log (Dashboard tab), then Certificate Pinning is enabled

  • To bypass Certificate Pinning, use SSL Kill Switch 2 below
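
One way to tally the result of this check per backend host, as an added example that is not part of the original page. It assumes the Event Log has been exported as text lines and that the proxy's CA certificate is already trusted on the device (otherwise every host fails the handshake, pinned or not); the function name, log layout and hostnames are constructed for illustration.

```python
import re
from collections import defaultdict

# The Event Log message quoted in the check above; text after the host is ignored.
TLS_FAIL = re.compile(
    r"client failed to negotiate a TLS connection to\s+([A-Za-z0-9.-]+)(?::\d+)?",
    re.IGNORECASE,
)

def _norm(host):
    return host.lower().rstrip(".")

def classify_hosts(event_log_lines, intercepted_hosts):
    """Map each host to 'pinned', 'not pinned' or 'mixed'.

    event_log_lines: lines exported from the proxy's event log.
    intercepted_hosts: hosts whose decrypted traffic appears in proxy history.
    """
    failures = defaultdict(int)
    for line in event_log_lines:
        match = TLS_FAIL.search(line)
        if match:
            failures[_norm(match.group(1))] += 1
    seen = {_norm(h) for h in intercepted_hosts}
    verdicts = {}
    for host in sorted(seen | set(failures)):
        if host in failures and host in seen:
            verdicts[host] = "mixed"       # some connections rejected, others readable
        elif host in failures:
            verdicts[host] = "pinned"      # handshake rejected, no readable traffic
        else:
            verdicts[host] = "not pinned"  # traffic was readable in the proxy
    return verdicts

# Constructed sample input (assumed export layout, not real captures).
SAMPLE_EVENT_LOG = [
    "12:00:01 Error Proxy The client failed to negotiate a TLS connection to api.example.com:443: handshake aborted",
    "12:00:02 Error Proxy The client failed to negotiate a TLS connection to API.example.com:443: handshake aborted",
    "12:00:05 Error Proxy The client failed to negotiate a TLS connection to auth.example.com:443: handshake aborted",
    "12:00:09 Info Proxy Proxy service started on 0.0.0.0:8080",
]
SAMPLE_HISTORY_HOSTS = ["cdn.example.com", "auth.example.com"]

if __name__ == "__main__":
    for host, verdict in classify_hosts(SAMPLE_EVENT_LOG, SAMPLE_HISTORY_HOSTS).items():
        print(f"{host}: {verdict}")
```

A "mixed" verdict usually means only some requests to that host go through a pinned code path, which is worth recording as a finding in its own right.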

Bypass with SSL Kill Switch 2

Note: this can only be used on 'rootful' jailbreak environments!

Install SSL Kill Switch 2 (version 0.14 or higher) on the device, to disable certificate pinning.

a. Download the latest package from https://github.com/nabla-c0d3/ssl-kill-switch2/releases

b. Ensure that your device is jailbroken.

c. Install the com.nablac0d3.sslkillswitch2_0.14.deb file to the device.

cd /jbutils/files/debs/
dpkg -i com.nablac0d3.sslkillswitch2_0.14.deb

d. Re-spring the device.

killall -HUP SpringBoard

e. Enable it in the Settings app (when you need it). (Note: You will only see the SSL Kill Switch 2 entry in the Settings app when the device is jailbroken.)


Bypass with Objection

Objection has built-in certificate pinning bypasses. Simply connect to the app through Objection and run the ios sslpinning disable command:

% objection -g 'App Name' explore
Using USB device `iPhone`
Agent injected and responds ok!
(object)inject(ion)

Runtime Mobile Exploration
by: @leonjza from @sensepost

com.company.appname on (iPhone: 14.0) [usb] > ios sslpinning disable

(agent) Registering job 63ybpzbiuue. Type: ios sslpinning disable

com.company.appname on (iPhone: 14.0) [usb] >

Once the job is running, check whether certificate pinning has been bypassed.


Bypass with Frida

There are plenty of certificate pinning bypass scripts available that could also be used (check out the Frida CodeShare site).

frida -U -l ios-certpinning-disable.js -f com.example.appname