Android Certificate Pinning Bypass

Summary:-

This post shows the technique to bypass the certificate pining implemented by xyz android application.

Prerequisites:-

This technique has some prerequisites which should be fulfilled before you proceed for the certificate pinning bypass.

1. Android devices with Android version 5.0 and up
2. Device should be rooted.

Step to bypass:-

Step 1:
– Download and install xposed framework with the following command.
$ adb install xposed_v3.1.apk

na

Now you have xposed framework installed on your device.

Step 2:

– Download and install sslunpinning application with the following command.
$ adb install sslunpinning.apk

na

Now you have sslunpinning application installed on your device.

Step 3:

– Open the sslunpinning application and select the xyz application

na
Now Xyz application has been selected for certificate pinning.

Step 4:

– Open the Xposed application. Navigate to “module” and enable the SSLUnpinning module.

4

Now reboot the device to apply the changes.

Step 5:

– Integrate Android device with Burp Suite Proxy.
– Open the application fill up the login form and click on “Sign In” button.

5

– We can see that the request has been intercepted successfully though SSL pinning bypass.

6

Leave a Reply

Your email address will not be published. Required fields are marked *