
Introduction
Modern requirements for mobile apps that process personal and financial data include secure data transfer over the Internet. SSL pinning is a mechanism used to satisfy this requirement: the app identifies the server by comparing its SSL certificate against a fingerprint embedded in the app. This makes man-in-the-middle attacks almost impossible and prevents interception of the traffic between the client and the server.
At the same time, this mechanism complicates application analysis during black-box or grey-box penetration testing, because the pentester first has to identify the mechanism and then find a workaround to intercept the traffic and analyze the client–server interaction. This article describes one way to overcome SSL pinning in Android apps.
Research
When our team received the app for research, all that was known was that it uses SSL pinning and root/emulator detection. In addition, the development team reported that during previous penetration tests the attacking team had disabled these checks, so doing so again should have been harder this time.
The .apk file was downloaded for research and launched in an emulator with root rights and write access to the system partition. After installing the app and setting up the emulator, we attempted to configure proxy settings in order to intercept communication with the server, but without success. Therefore, we decided to decompile the application and examine the source code to identify the security mechanism.
Decompiling
The Jadx-GUI Android decompiler was chosen for decompiling and examining the application's source code. After loading the app into the decompiler, we saw something like the screenshot below:
The screenshot shows that the app contains various classes, including okhttp3, a library that handles the app's HTTP interactions and includes a module for SSL pinning. Further examination of the library did not reveal anything related to SSL pinning in it.
Still, a protection mechanism was clearly present, so we attempted to locate it with a code search. In the official okhttp3 library documentation, we found the name of the class responsible for the protection mechanism. Then we switched back to Jadx-GUI and launched the search.
The search results are shown on the screenshot below:
As can be seen, this class is used in a huge number of places in the code. After examining the code of the io.intercom.okhttp3.CertificatePinner class, we located the method public Builder add(String str, String... strArr); according to the official documentation, it associates a host with the sha256 hash of the certificate, and if the hash presented at connection time does not match, an exception is thrown.
A search by the method name returned more than 4000 results, which showed that this approach was ineffective and a new one was required. Therefore, we ran a search by the known hostname.
As can be seen, there are two calls whose first parameter is the host we were looking for. The second parameter is a sha256 hash, which suggests that this is the target function. After jumping to the call site, we found another call of the same function for two more domains. Our next step is to confirm that the protection mechanism is based on the okhttp3 library.
Success! Here we can replace the certificate fingerprints with those of our proxy's certificate. The following two commands generate the sha256 pin for our certificate:
# Convert the exported proxy CA certificate from DER to PEM
openssl x509 -inform der -in Burp.cer -out BurpPem.pem
# Hash the DER-encoded public key (SubjectPublicKeyInfo) with SHA-256 and base64-encode it; this is the value behind the "sha256/" prefix that okhttp3's CertificatePinner compares against (the original command used -sha1, which does not produce a sha256 pin)
openssl x509 -in BurpPem.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
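As an added example, not code from the original article, the following Python script shows what the two openssl commands and okhttp3's CertificatePinner actually compute: it pulls the SubjectPublicKeyInfo out of a DER certificate, hashes it with SHA-256 into the sha256/ pin format, and models the check that throws when no certificate in the presented chain matches a configured pin. The certificate and key bytes are a constructed sample (not a real key), and the parser assumes the standard tbsCertificate field order.

```python
import base64, hashlib

def tlv(tag, content):  # encode one DER TLV; short-form length is enough for the sample
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def der_tlv(buf, pos):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV, i.e. the bytes OkHttp hashes."""
    _, tbs_pos, _ = der_tlv(cert_der, 0)                # Certificate SEQUENCE
    _, pos, end = der_tlv(cert_der, tbs_pos)            # tbsCertificate SEQUENCE
    fields = []                                         # (tag, start, end) per tbs field
    while pos < end:
        tag, _, vend = der_tlv(cert_der, pos)
        fields.append((tag, pos, vend))
        pos = vend
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    tag, start, stop = fields[5]    # serial, sigAlg, issuer, validity, subject, SPKI
    assert tag == 0x30, "unexpected tag where SubjectPublicKeyInfo should be"
    return cert_der[start:stop]

def cert_pin(cert_der):
    """Pin in CertificatePinner format: 'sha256/' + base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def check_pins(pinned, chain_der):
    """Model of CertificatePinner.check(): at least one chain cert must match a pin."""
    return any(cert_pin(c) in pinned for c in chain_der)

# Constructed sample (not a real key or cert): rsaEncryption SPKI with a dummy key BIT STRING
SAMPLE_SPKI = tlv(0x30, tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
                  + tlv(0x03, b"\x00" + bytes(range(1, 9))))

def build_sample_cert(spki):
    sig_alg = tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")  # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + b"\xaa" * 4))

SAMPLE_CERT = build_sample_cert(SAMPLE_SPKI)
```

Running cert_pin on a real DER certificate gives the same string as the openssl pipeline above, which is the value an app should embed or a monitoring job can compare against the chain a server presents.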
We unpack the application using apktool:
apktool d Application.apk
vim g/a/b/j.smali
Next, we find the strings containing the target hashes, replace them with the new ones generated for our certificate, and rebuild the app:
apktool b Application/ -o Application-without-SSLPinning.apk
Finally, the rebuilt app is signed with a key we generate with keytool:
keytool -genkey -v -keystore my-release-key.keystore -alias Cyberlands -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore Application-without-SSLPinning.apk Cyberlands
Now we can install the app in the emulator, configure the proxy, and examine the app's traffic.
Conclusions
SSL pinning can be bypassed in many ways, using both automated (e.g. frida.re) and manual (like the one shown above) techniques. Which method to choose depends on the implementation you are dealing with. In future articles, we will examine other methods used to bypass SSL pinning and root detection, both automated and manual.
