Android Certificate Pinning Bypass
This post shows a technique for bypassing the certificate pinning implemented by the xyz Android application.
The following prerequisites must be met before you proceed with the certificate pinning bypass.
1. An Android device running Android 5.0 or later.
2. The device must be rooted.
Steps to bypass:
– Download and install the Xposed framework with the following command.
$ adb install xposed_v3.1.apk
The Xposed framework is now installed on your device.
– Download and install the SSLUnpinning application with the following command.
$ adb install sslunpinning.apk
The SSLUnpinning application is now installed on your device.
– Open the SSLUnpinning application and select the xyz application.
The xyz application is now selected for the certificate pinning bypass.
– Open the Xposed application. Navigate to “module” and enable the SSLUnpinning module.
Reboot the device to apply the changes.
– Configure the Android device to send its traffic through the Burp Suite proxy.
– Open the application, fill in the login form and click the “Sign In” button.
– We can see that the request has been intercepted successfully through the SSL pinning bypass.
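
The two prerequisites listed at the top can be confirmed on the test device before any of the steps are run. The script below is an added example, not part of the original post; the function names are hypothetical, and the `su -c id` invocation and the Xposed Installer package name are assumptions marked in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# prerequisites above. Parsing lives in functions that take command output
# as arguments, so they can be exercised without a device attached.

MIN_SDK=21                                    # API level 21 = Android 5.0
# Assumption: package name of the Xposed Installer app.
XPOSED_PKG="de.robv.android.xposed.installer"

# sdk_ok <value of ro.build.version.sdk>: true when numeric and >= MIN_SDK
sdk_ok() {
    sdk=$(printf '%s' "$1" | tr -d '[:space:]')   # adb output may end in CRLF
    case "$sdk" in
        ''|*[!0-9]*) return 1 ;;   # empty or adb error text, not an API level
    esac
    [ "$sdk" -ge "$MIN_SDK" ]
}

# is_root <output of id run through su>: true only when the uid is exactly 0
is_root() {
    case "$1" in
        "uid=0("*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_package <output of pm list packages> <name>: exact whole-line match
has_package() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Fqx "package:$2"
}

# preflight: query the attached device over adb and report each prerequisite
preflight() {
    sdk_ok "$(adb shell getprop ro.build.version.sdk)" ||
        { echo "FAIL: Android 5.0 (API 21) or later is required"; return 1; }
    # Assumption: the su binary on the device accepts "-c <command>".
    is_root "$(adb shell su -c id)" ||
        { echo "FAIL: su did not return uid=0, device is not rooted"; return 1; }
    has_package "$(adb shell pm list packages)" "$XPOSED_PKG" ||
        echo "NOTE: Xposed Installer is not installed yet"
    echo "OK: prerequisites met"
}

# Touch the device only when asked to: sh preflight.sh --device
if [ "${1:-}" = "--device" ]; then
    preflight
fi
```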