Summary:-

This post shows the technique to bypass the certificate pinning implemented by the xyz android application.

Prerequisites:-

This technique has some prerequisites that should be fulfilled before you proceed with the certificate pinning bypass.

1. Android devices with Android version 5.0 and up
2. Device should be rooted.

Step to bypass:-

Step 1:
– Download and install the xposed framework with the following command.
$ adb install xposed_v3.1.apk

Now you have the Xposed framework installed on your device.

Step 2:

– Download and install sslunpinning application with the following command.
$ adb install sslunpinning.apk

Now you have sslunpinning application installed on your device.

Step 3:

– Open the sslunpinning application and select the XYZ application

Step 4:

– Open the Xposed application. Navigate to “module” and enable the SSLUnpinning module.

Now reboot the device to apply the changes.

Step 5:

– Integrate Android devices with Burp Suite Proxy.
– Open the application fill up the login form and click on the “Sign In” button.

– We can see that the request has been intercepted successfully through an SSL pinning bypass.