MobileApril 20, 2022SSL Pinning Bypass For Android Using Frida

What is SSL pinning? 

Mobile apps commonly use SSL to safeguard transmitted data from eavesdropping and tampering while communicating with a server. SSL implementations in apps trust a server that has a certificate-which in turn is trusted by the operating system’s trust store (by default). The operating system includes a list of certificate authorities in this storage.  

The developer configures SSL pinning to refuse all except one or a few predetermined certificates. The program validates the server certificate with the pinned certificate whenever it connects to a server(s). The SSL connection is made if and only if the server certificate & the pinned certificate match. 

Why do we need SSL pinning? 

A system library is normally in charge of setting up and managing SSL sessions. This implies that the programmer attempting to establish a connection has no way of knowing which certificates to trust. The programmer is completely reliant on the certificates in the operating system’s trust store. 

Attackers can set up a man-in-the-middle attack against any program that uses SSL by creating a self-signed certificate and storing it in the operating system’s trust store. They’d be able to read and manipulate every SSL session as a result of this. Adversaries could use this ability to reverse engineer the app’s protocol or extract API keys from the queries. 

By fooling the end-user into installing a trusted CA through a rogue web page, attackers can also compromise SSL sessions. Alternatively, the device’s trusted root CAs can be compromised and then utilized to produce certificates.  

The use of SSL pinning effectively protects apps from the aforementioned attacks by narrowing down the set of trustworthy certificates. It also prevents reverse engineers from installing a custom root CA to their own device’s store in order to examine the application’s functioning and communication with the server. 

SSL Pinning Bypass for Android with Frida

SSL pinning works by keeping additional information within the app to identify the server and is mainly used to prevent man-in-the-middle attacks. 

What to Pin? 

Either the real server certificate or the server’s public key is pinned. We have the option of storing the exact data or a hash of it. A file hash of the certificate file or a hash of the public key string might be used. for more information refer to this blog (Published by OWASP). 

We are going to use Frida for SSL pinning bypass. 

What is Frida?

Excerpt from the Frida website: 

It’s Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. Frida also provides you with some simple tools built on top of the Frida API.

Because organizations are more concerned about data privacy as well as secure data transfer over the network from threats like Man-in-the-Middle (MiTM) attacks, SSL pinning bypass is a major step that needs to be done before we even start the dynamic analysis of HTTP requests for most mobile applications nowadays. 

Frida is a framework that injects scripts into native apps to modify the logic of the app in real-time, making it a more dynamic approach to mobile app pen testing. 

What do we need?
1) Rooted Device or Emulator

We’ll need a rooted device or emulator because we’ll be injecting a script into the device’s root directory. For demonstration, we’ll be utilizing genymotion. Genymotion is simple to set up and use, and can be downloaded here.

After we’ve installed Genymotion, we’ll need to set up an Android device. I’ll be using a Google pixel XL device with the settings below.

2) Platform-tools

Platform-tools for Windows can be downloaded from the following link:

Excerpt from the official documentation:

Android SDK Platform-Tools is a component for the Android SDK. It includes tools that interface with the Android platform, primarily adb and fastboot. Although adb is required for Android app development, app developers will normally just use the copy Studio installs. This download is useful if you want to use adb directly from the command-line and don’t have Studio installed. (If you do have Studio installed, you might want to just use the copy it installed because Studio will automatically update it.) fastboot is needed if you want to unlock your device bootloader and flash it with a new system image.

3) Frida Packages for Python

For Frida server, we’ll need to install a few python packages. In a terminal, type the following command: 

$ pip install Frida 
$ pip install objection 
$ pip install frida-tools 

— or

$ python -m pip install Frida 
$ python -m pip install objection 
$ python -m pip install frida-tools 
4) Injection Script (fridascript.js)

To inject it into the target application, we’ll need to download the injection script from the link below and push it into the device. 

1) Connect device to adb 

adbstands for Android Debug Bridge. It’s an official Android tool for controlling and remotely debugging Android devices. 

To perform instructions on our device, we must connect it to adb. To perform this, go to Settings >> Developer optionsand turn on debugging mode on the device so that adb can communicate with it. 

Go to the platform tools folder and enter the following command to connect the device to adb:

//adb connect <ip of device:port> 
$ adb connect 

We can run the following command to see if our device is connected to adb:

$ adb devices 

2) Download Frida Server

The Frida server package for our Android device must be downloaded according to the architecture version of our device. We can run the command below to find out the architecture of our device:

$ adb shell getprop ro.product.cpu.abi 

In our case, the device architecture is x86.

3) Pushing the Proxy’s Certificate

Name the certificate cer.cerand install it on the device in the same location as the frida-server.

// adb push <path to cer.cer> /data/local/tmp/cert-der.crt 
$ adb push cer.cer /data/local/tmp/cert-der.crt 
4) Frida Server Setup 

Before injecting our script, we must first run the Frida server on the device. Upload the Frida server binary file to the device. Copy the frida-server-12.4.7-android-x86file to the adb folder and rename it to frida-server.Run the following command: 

//adb push <path_of_frida_server_folder><space></data/local/tmp> 
$ adb push "D:\Android Testing\platform-tools\frida-server" /data/local/tmp 

Next, we’ll give the following permission to the frida-server binary:

$ adb shell chmod 777 /data/local/tmp/frida-server 
5) Injecting Script to Bypass SSL Pinning 

Step 1) Push thefridascript.js” script into device

We are using the fridascript.jsscript to disable pinning on the target application. To push the fridascript.jsscript onto the device, copy it to the adb folder and run the following command:

//adb push <path_to_fridascript.js_folder> /data/local/tmp 
$ adb push "D:\Android Testing\platform-tools\fridascript.js" /data/local/tmp 

Step 2) Run the following command on the device: 

$ adb shell /data/local/tmp/frida-server & 

This starts Frida on the device.

Step 3) Run the following command on the device: 

Next, list all the running processes of devices. We must now determine the id of our target application. Open a new terminal and type the following command:

$ frida-ps -U 

Step 4) Inject the fridascript.js script into the target application

Finally, we’ll use the following command to inject the fridascript.js script into the native application:

//frida -U -f <your_application_package_name> -l <path_to_fridascript.js_on_your_computer> --no-paus
$ frida -U -f -l D:\Android Testing\platform-tools\fridascript.js --no-paus

Step 5) Intercepting with Burp Suite

Burp Suite can now intercept all traffic from the target app. As long as we’re proxying traffic through Burp Suite, we’ll need to keep the Frida server running.

We have now successfully bypassed pinning. The Twitter app now trusts our MitM HTTPS proxy, allowing us to intercept and analyze the communication.
We can now study the content of each of those requests from here, or add rules to alter, mock, or completely block them.


By partnering with Redfox Security, you’ll get the best security and technical skills required to execute an effective and thorough penetration test. Our offensive security experts have years of experience assisting organizations in protecting their digital assets through penetration testing services. To schedule a call with one of our technical specialists, call 1-800-917-0850 now.

Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. With a combination of data-driven, research-based, and manual testing methodologies, we proudly deliver robust security solutions.

“Join us on our journey of growth and development by signing up for our comprehensive courses, if you want to excel in the field of cybersecurity.”

Redfox Security Team

by Redfox Security Team

Redfox Security is a fast-growing cyber security consulting firm, spread across 4 countries. With over 10 years of global security consulting experience, we help businesses strengthen their security posture. Our mission is to help businesses grow securely with our top-line cyber security consulting services – and that’s exactly what we do.