All SkillsGet Started Free
Performing Mobile App Certificate Pinning Bypass
Bypasses SSL/TLS certificate pinning implementations in Android and iOS applications to enable traffic interception during authorized security assessments. Covers OkHttp, TrustManager, NSURLSession, and third-party pinning library bypass techniques using Frida, Objection, and custom scripts. Activates for requests involving certificate pinning bypass, SSL pinning defeat, mobile TLS interception, or proxy-resistant app testing.
MCP get_skill({ skillId: "performing-mobile-app-certificate-pinning-bypass-07e145fe" })Use this skill with your agent
Create a free account and connect via MCP
# Performing Mobile App Certificate Pinning Bypass
## When to Use
Use this skill when:
- Mobile app refuses connections through a proxy due to certificate pinning
- Performing authorized security testing requiring HTTPS traffic interception
- Assessing the strength and bypass difficulty of pinning implementations
- Evaluating defense-in-depth of mobile app network security
**Do not use** to bypass pinning on apps without explicit testing authorization.
## Prerequisites
- Burp Suite configured as proxy with listener on all interfaces
- Rooted Android device or jailbroken iOS device
- Frida server running on target device
- Objection installed (`pip install objection`)
- Target app installed and reproducing the pinning behavior
## Workflow
### Step 1: Identify Pinning Implementation
**Android pinning methods to identify:**
```
1. Network Security Config (res/xml/network_security_config.xml)
<pin-set> with certificate hash pins
2. OkHttp CertificatePinner
CertificatePinner.Builder().add("api.target.com", "sha256/...")
3. Custom TrustManager
X509TrustManager overrides in code
4. Third-party libraries
- TrustKit
- Certificate Transparency checks
```
**iOS pinning methods:**
```
1. NSURLSession delegate (URLSession:didReceiveChallenge:)
2. ATS (App Transport Security) with custom trust evaluation
3. TrustKit framework
4. Alamofire ServerTrustPolicy
5. Custom SecTrust evaluation
```
### Step 2: Bypass with Objection (Quickest Approach)#mukul-cybersecurity-skills#security#cybersecurity#applicationandroidiosfridaobjectionburp-suite