Certificate Pinning Bypass (Android)

Bypassing certificate pinning using three different methods: Frida, Xposed Framework with JustTrustMe, and Modifying APK.

PreviousCertificate Pinning NextRoot a Android Device

Last updated 5 months ago

Was this helpful?

Certificate Pinning Bypass (Android)

Bypassing certificate pinning using three different methods: Frida, Xposed Framework with JustTrustMe, and Modifying APK.

Method 1: Using Frida

Frida is a powerful tool for dynamic instrumentation, allowing you to hook into an app's runtime and modify its behavior.

Steps to Implement Certificate Pinning Bypass with Frida:

Set Up Your Environment:

Install Frida on your testing device and your computer.

On your computer:
bash
```
pip install frida-tools
```

On your Android device:

bash

adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"

Create a Bypass Script:

Write a Frida script to bypass SSL pinning. Save the script as bypass_script.js.

// Frida script to bypass SSL pinning
Java.perform(function () {
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    var SSLContext = Java.use('javax.net.ssl.SSLContext');

    // Custom TrustManager that does not validate certificates
    var TrustManager = Java.registerClass({
        name: 'com.example.TrustManager',
        implements: [X509TrustManager],
        methods: {
            checkClientTrusted: function (chain, authType) {},
            checkServerTrusted: function (chain, authType) {},
            getAcceptedIssuers: function () { return []; }
        }
    });

    // Hook SSLContext to use our custom TrustManager
    SSLContext.init.overload(
        '[Ljavax.net.ssl.KeyManager;',
        '[Ljavax.net.ssl.TrustManager;',
        'java.security.SecureRandom'
    ).implementation = function (keyManager, trustManager, secureRandom) {
        var customTrustManager = [TrustManager.$new()];
        this.init(keyManager, customTrustManager, secureRandom);
    };
});

Run the Script:

Use Frida to run the script on your Android device. Ensure your device is connected and Frida server is running:
```
frida -U -f com.yourapp.package -l bypass_script.js --no-pause
```

Test the App:

Interact with the app and monitor network traffic using tools like Burp Suite to ensure the certificate pinning is bypassed.

Method 2: Using Xposed Framework and JustTrustMe

Prerequisites

Rooted Android Device: Ensure your device is rooted to install the Xposed Framework.
Xposed Framework Installed: The Xposed Framework should be installed on your rooted device.

Steps:

Root Your Android Device:
Install Xposed Framework:
- Install the Xposed Installer APK on your device.
- Open the Xposed Installer and install the framework by selecting "Framework" and then "Install/Update."
- Reboot your device to apply the changes.
Install JustTrustMe Module:
- Open the Xposed Installer app.
- Go to the "Downloads" section and search for the "JustTrustMe" module.
- Download and install the JustTrustMe module.
- After installation, go to the "Modules" section in the Xposed Installer and check the box next to JustTrustMe to activate it.
Reboot Your Device:
- Reboot your device to apply the changes and ensure the module is active.
Test the App:
- Open your app and perform actions that require network communication.
- With JustTrustMe activated, the app should bypass certificate pinning, allowing Burp Suite to intercept and analyze the traffic.
Monitor Network Traffic:
- Use Burp Suite to monitor and analyze the intercepted traffic. You should now be able to see and manipulate the encrypted data that the app sends and receives.

Method 3: Modifying APK

Prerequisites

APKTool installed on your computer.
Java Development Kit (JDK) installed.
Android Debug Bridge (ADB) installed and set up.
Rooted Android Device (optional for some steps).

Steps:

Set Up Your Environment:
- Ensure you have APKTool, JDK, and ADB installed.
- Set up the environment variables for JDK and ADB for easy access.
Decompile the APK:
- Use APKTool to decompile the APK. This will convert the APK into a set of readable files and folders.
  apktool d yourapp.apk -o yourapp
- The yourapp directory will contain the decompiled files.
Locate Certificate Pinning Logic:
- Navigate through the decompiled files to find the network-related code. This is usually located in classes related to SSL/TLS connections.
- Use a text editor or IDE to search for keywords like TrustManager, HostnameVerifier, checkServerTrusted, or SSLContext.

Modify the Code:

Modify the pinning logic to bypass the certificate checks. You can either comment out the pinning logic or modify it to accept all certificates. Example:

// Original pinning logic
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    // Validate the server certificate
}

// Modified pinning logic
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    // Accept all certificates
}

Ensure all necessary changes are made to bypass the pinning.

Recompile the APK:
- Use APKTool to recompile the modified APK.
  apktool b yourapp -o yourapp-modified.apk
- The recompiled APK (yourapp-modified.apk) will be generated in the specified output directory.
Sign the APK:
- The recompiled APK needs to be signed before it can be installed on your device. Use the JDK's jarsigner tool to sign the APK with a debug certificate.
  jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ~/.android/debug.keystore yourapp-modified.apk androiddebugkey
- When prompted, use the default keystore password (android).
Install the Modified APK:
- Use ADB to install the modified APK on your Android device.
  bash
  adb install yourapp-modified.apk
- If the app is already installed, you may need to uninstall the existing version first:
  bash
  adb uninstall com.yourapp.package adb install yourapp-modified.apk
Test the App:
- Open the modified app on your Android device and perform actions that require network communication.
- Use tools like Burp Suite to intercept and analyze the traffic. The certificate pinning should be bypassed, allowing you to intercept the SSL/TLS traffic.

PreviousCertificate Pinning NextRoot a Android Device

Last updated 5 months ago

Was this helpful?

Method 1: Using Frida

Frida is a powerful tool for dynamic instrumentation, allowing you to hook into an app's runtime and modify its behavior.

Steps to Implement Certificate Pinning Bypass with Frida:

Set Up Your Environment:

Install Frida on your testing device and your computer.

On your computer:
bash
```
pip install frida-tools
```

On your Android device:

bash

adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"

Create a Bypass Script:

Write a Frida script to bypass SSL pinning. Save the script as bypass_script.js.

// Frida script to bypass SSL pinning
Java.perform(function () {
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    var SSLContext = Java.use('javax.net.ssl.SSLContext');

    // Custom TrustManager that does not validate certificates
    var TrustManager = Java.registerClass({
        name: 'com.example.TrustManager',
        implements: [X509TrustManager],
        methods: {
            checkClientTrusted: function (chain, authType) {},
            checkServerTrusted: function (chain, authType) {},
            getAcceptedIssuers: function () { return []; }
        }
    });

    // Hook SSLContext to use our custom TrustManager
    SSLContext.init.overload(
        '[Ljavax.net.ssl.KeyManager;',
        '[Ljavax.net.ssl.TrustManager;',
        'java.security.SecureRandom'
    ).implementation = function (keyManager, trustManager, secureRandom) {
        var customTrustManager = [TrustManager.$new()];
        this.init(keyManager, customTrustManager, secureRandom);
    };
});

Run the Script:

Use Frida to run the script on your Android device. Ensure your device is connected and Frida server is running:
```
frida -U -f com.yourapp.package -l bypass_script.js --no-pause
```

Test the App:

Interact with the app and monitor network traffic using tools like Burp Suite to ensure the certificate pinning is bypassed.

Method 2: Using Xposed Framework and JustTrustMe

Prerequisites

Rooted Android Device: Ensure your device is rooted to install the Xposed Framework.
Xposed Framework Installed: The Xposed Framework should be installed on your rooted device.

Steps:

Root Your Android Device:
- Ensure your Android device is rooted. You can find specific guides for rooting your device based on its model and Android version. Popular tools for rooting include and .
- Follow the for details
Install Xposed Framework:
- Download the Xposed Installer APK from the .
- Install the Xposed Installer APK on your device.
- Open the Xposed Installer and install the framework by selecting "Framework" and then "Install/Update."
- Reboot your device to apply the changes.
Install JustTrustMe Module:
- Open the Xposed Installer app.
- Go to the "Downloads" section and search for the "JustTrustMe" module.
- Download and install the JustTrustMe module.
- After installation, go to the "Modules" section in the Xposed Installer and check the box next to JustTrustMe to activate it.
Reboot Your Device:
- Reboot your device to apply the changes and ensure the module is active.
Test the App:
- Open your app and perform actions that require network communication.
- With JustTrustMe activated, the app should bypass certificate pinning, allowing Burp Suite to intercept and analyze the traffic.
Monitor Network Traffic:
- Use Burp Suite to monitor and analyze the intercepted traffic. You should now be able to see and manipulate the encrypted data that the app sends and receives.

Method 3: Modifying APK

Prerequisites

APKTool installed on your computer.
Java Development Kit (JDK) installed.
Android Debug Bridge (ADB) installed and set up.
Rooted Android Device (optional for some steps).

Steps:

Set Up Your Environment:
- Ensure you have APKTool, JDK, and ADB installed.
- Set up the environment variables for JDK and ADB for easy access.
Decompile the APK:
- Use APKTool to decompile the APK. This will convert the APK into a set of readable files and folders.
  apktool d yourapp.apk -o yourapp
- The yourapp directory will contain the decompiled files.
Locate Certificate Pinning Logic:
- Navigate through the decompiled files to find the network-related code. This is usually located in classes related to SSL/TLS connections.
- Use a text editor or IDE to search for keywords like TrustManager, HostnameVerifier, checkServerTrusted, or SSLContext.

Modify the Code:

Modify the pinning logic to bypass the certificate checks. You can either comment out the pinning logic or modify it to accept all certificates. Example:

// Original pinning logic
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    // Validate the server certificate
}

// Modified pinning logic
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    // Accept all certificates
}

Ensure all necessary changes are made to bypass the pinning.

Recompile the APK:
- Use APKTool to recompile the modified APK.
  apktool b yourapp -o yourapp-modified.apk
- The recompiled APK (yourapp-modified.apk) will be generated in the specified output directory.
Sign the APK:
- The recompiled APK needs to be signed before it can be installed on your device. Use the JDK's jarsigner tool to sign the APK with a debug certificate.
  jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ~/.android/debug.keystore yourapp-modified.apk androiddebugkey
- When prompted, use the default keystore password (android).
Install the Modified APK:
- Use ADB to install the modified APK on your Android device.
  bash
  adb install yourapp-modified.apk
- If the app is already installed, you may need to uninstall the existing version first:
  bash
  adb uninstall com.yourapp.package adb install yourapp-modified.apk
Test the App:
- Open the modified app on your Android device and perform actions that require network communication.
- Use tools like Burp Suite to intercept and analyze the traffic. The certificate pinning should be bypassed, allowing you to intercept the SSL/TLS traffic.