Bypassing Certificate Pinning - CraigDonkin/Android-Testing GitHub Wiki

Good resource:

https://blog.netspi.com/four-ways-bypass-android-ssl-verification-certificate-pinning/

Adding a Custom CA to the User Certificate Store

• Android 6.0 or lower
• Add attacker CA to user-added CA store
• Edit application manifest and force it to target Android 6.0

Network Security Configuration

• Define specific trust anchors in the '/res/xml/network_security_config.xml' file of the APK

  <?xml version="1.0" encoding="utf-8"?> 
  <network-security-config> 
  <base-config> 
  <trust-anchors> 
  <certificates src="@raw/my_ca"/> 
  </trust-anchors> 
  </base-config> 
  </network-security-config>
  

• store the CA at /res/raw/my_ca

Overwrite Packaged CA with Custom CA

• extract the APK
• Overwrite the provided CA with Burp CA
  • Probably in /assets folder

Objection

Built in SSL pinning bypass:

android sslpinning disable

More Advanced Objection/Frida

• Using the disassembled code or Objection figure out what classes are performing certpinning

android hooking search classes certpinning

• Hook the function and watch what it is doing when it detects an invalid certificate
• Attempt to modify the return value for example from 1 to 0
• You could also patch out the functionality within the application for a permanent fix

Bypassing OKHTTP

https://blog.securityevaluators.com/bypassing-okhttp3-certificate-pinning-c68a872ca9c8