SSL Pinning
Secure Sockets Layer (SSL) helps to protect communications from nefarious third parties.
Software engineers may need to disable SSL pinning for certain purposes such as development and testing. For a more in-depth explanation, please refer to this article about certificates and public key pinning.
Bypass SSL Pinning
To bypass SSL pinning, you must first understand how the app implements it. Does the app rely on the default iOS or Android networking stack, or does it implement custom SSL pinning logic?
Identify if an App Uses Custom SSL Pinning
iOS
- Attempt to proxy traffic from your application through a jailbroken virtual iOS device using an MITM tool like Burp Suite.
- If no traffic appears, but traffic from Safari does, it's likely the app implements custom SSL pinning.
Android
- Attempt to proxy traffic from your application through an Android virtual device using an MITM tool like Burp Suite.
- If no traffic appears, but traffic from a default app like WebView does, the app likely uses custom SSL pinning.
Use the Corellium JavaScript v1 API (iOS Only)
These methods apply only to bypassing and managing certificate validation in the default iOS networking stack. If you've confirmed your application implements custom SSL pinning, these methods will not bypass it. Use Frida or the built-in network monitor instead.
The method isSSLPinningEnabled() returns a boolean value indicating the current state of the SSL pinning bypass.
await agent.isSSLPinningEnabled();
- Jailbroken devices will have iOS SSL pinning disabled by default.
- Non-jailbroken devices will have this enabled by default.
To disable SSL pinning, use the disableSSLPinning() method. This disables the certificate validation for the default iOS networking stack.
await agent.disableSSLPinning();
To re-enable SSL pinning afterward, use the enableSSLPinning() method. This restores the default iOS networking behavior, meaning you must install and trust your proxy's CA certificate for interception to work for apps that use the default iOS networking stack.
await agent.enableSSLPinning();
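One way to scope the bypass to a single test step and return the device to its earlier state afterward, as an added example that is not Corellium's own code. It assumes agent exposes the three methods above and that isSSLPinningEnabled() resolves to true while certificate validation is active; withPinningDisabled and makeStubAgent are hypothetical names, and the stub agent is constructed so the example runs offline.

```javascript
// Added example: run a test step with the default-stack bypass active, then
// put the device back in the state it was found in.
// Assumption: `agent` exposes the three methods named on this page and
// isSSLPinningEnabled() resolves to true while certificate validation is on.
async function withPinningDisabled(agent, testStep) {
  const wasEnabled = await agent.isSSLPinningEnabled();
  if (wasEnabled) {
    await agent.disableSSLPinning();
    // Confirm the change took effect before trusting any capture results.
    if (await agent.isSSLPinningEnabled()) {
      throw new Error('SSL pinning still enabled after disableSSLPinning()');
    }
  }
  try {
    return await testStep();
  } finally {
    // Restore only what we changed, even if testStep threw.
    if (wasEnabled) {
      await agent.enableSSLPinning();
    }
  }
}

// Constructed stand-in for a Corellium agent so the example runs offline.
function makeStubAgent(initiallyEnabled) {
  let enabled = initiallyEnabled;
  const calls = [];
  return {
    calls,
    async isSSLPinningEnabled() { return enabled; },
    async disableSSLPinning() { calls.push('disable'); enabled = false; },
    async enableSSLPinning() { calls.push('enable'); enabled = true; },
  };
}

async function demo() {
  const agent = makeStubAgent(true); // starts enabled, like a non-jailbroken device
  const seen = await withPinningDisabled(agent, () => agent.isSSLPinningEnabled());
  return { seenDuringStep: seen, after: await agent.isSSLPinningEnabled(), calls: agent.calls };
}

demo().then((r) => console.log(r));
```

On a device where pinning is already disabled, such as a jailbroken one, the helper leaves the setting untouched in both directions.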
Frida
Since Frida operates at runtime and provides full control over both Java and native (C/C++) memory and methods, it’s a highly effective tool for bypassing custom SSL pinning.
iOS
For custom SSL pinning implementations, a custom Frida script will likely be needed. You can find example scripts from Frida Codeshare to help you get started.
Android
For apps that use the default Android networking stack, all rooted Android devices have a Frida script called ssl_pinning.js that can be used to bypass the default network stack pinning.
For apps that implement custom SSL pinning mechanisms, you can try to use example scripts from Frida Codeshare. Advanced applications will likely require custom Frida logic developed for the app's specific implementation.
Built-in Network Monitor
To help proxy traffic from applications that implement custom SSL pinning, we provide a built-in network monitor in the web interface that automatically attempts to defeat the pinning, allowing you to inspect HTTP traffic. Here's an overview of how it works.