Android Certificate Pinning Bypass


This post shows the technique to bypass the certificate pining implemented by xyz android application.


This technique has some prerequisites which should be fulfilled before you proceed for the certificate pinning bypass.

1. Android devices with Android version 5.0 and up
2. Device should be rooted.

Step to bypass:-

Step 1:
– Download and install xposed framework with the following command.
$ adb install xposed_v3.1.apk

Now you have xposed framework installed on your device.

Step 2:

– Download and install sslunpinning application with the following command.
$ adb install sslunpinning.apk

Now you have sslunpinning application installed on your device.

Step 3:

– Open the sslunpinning application and select the xyz application

Step 4:

– Open the Xposed application. Navigate to “module” and enable the SSLUnpinning module.

Now reboot the device to apply the changes.

Step 5:

– Integrate Android device with Burp Suite Proxy.
– Open the application fill up the login form and click on “Sign In” button.

– We can see that the request has been intercepted successfully though SSL pinning bypass.