MASTG-TECH-0064: Bypassing Certificate Pinning
Some applications will implement SSL Pinning, which prevents the application from accepting an intercepted certificate as valid. This means that you will not be able to monitor the traffic between the application and the server.
For most applications, certificate pinning can be bypassed within seconds, but only if the app uses API functions covered by the available bypass tools. If the app is implementing SSL Pinning with a custom framework or library, the SSL Pinning must be manually patched and deactivated, which can be time-consuming.
This section describes various ways to bypass SSL Pinning and gives guidance on what to do when existing tools don't work.
Methods for Jailbroken and Non-jailbroken Devices
If you have a jailbroken device with frida-server installed, you can bypass SSL pinning by running the following objection command (see Injecting Frida Gadget into an IPA Automatically if you're using a non-jailbroken device):
ios sslpinning disable
See also Objection's help on Disabling SSL Pinning for iOS for further information and inspect the pinning.ts file to understand how the bypass works.
Methods for Jailbroken Devices Only
If you have a jailbroken device, you can try one of the following tools that can automatically disable SSL Pinning:
- "SSL Kill Switch 2" is one way to disable certificate pinning. It can be installed via the Cydia store. It will hook onto all high-level API calls and bypass certificate pinning.
- The Burp Suite app can also be used to bypass certificate pinning.
When the Automated Bypasses Fail
Technologies and systems evolve, and some bypass techniques may no longer work. Hence, it's part of the tester's work to conduct research, since not every tool can keep up with OS versions quickly enough.
Some apps might implement custom SSL pinning, so the tester could also develop new bypass scripts that leverage existing ones as a base or inspiration, using similar techniques to target the app's custom APIs. Here you can inspect three good examples of such scripts:
- "objection - Pinning Bypass Module" (pinning.ts)
- "Frida CodeShare - ios10-ssl-bypass" by @dki
- "Circumventing SSL Pinning in obfuscated apps with OkHttp" by Jeroen Beckers
Other Techniques:
If you don't have access to the source, you can try binary patching:
- If OpenSSL certificate pinning is used, you can try binary patching.
- Sometimes, the certificate is a file in the application bundle. Replacing the certificate with Burp's certificate may be enough, but beware of the certificate's SHA sum. If it's hardcoded into the binary, you must replace it too!
- If you can access the source code, you could try to disable certificate pinning and recompile the app. Look for API calls for NSURLSession, CFStream, and AFNetworking, and methods/strings containing words like "pinning", "X.509", "Certificate", etc.
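The point above about a certificate shipped in the bundle and its SHA sum being hardcoded in the binary can be checked statically. The following is an added example, not part of the original page or of any tool it names: it inventories certificate files in an unpacked app bundle and reports whether each one's digest also appears in the main executable. The file suffixes, the digest algorithms (SHA-1, SHA-256) and the encodings searched are assumptions, and it covers whole-certificate digests only, not public-key hashes.

```python
import base64, hashlib, re, sys
from pathlib import Path

# Assumed suffixes for bundled certificates; extend for the app under review.
CERT_SUFFIXES = {".cer", ".crt", ".der", ".pem"}
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def load_der(path):
    """Return the DER bytes of every certificate in a file (PEM may hold several)."""
    data = Path(path).read_bytes()
    blocks = PEM_RE.findall(data)
    if blocks:
        return [base64.b64decode(b"".join(b.split())) for b in blocks]
    return [data]  # no PEM armour: treat the file as a single DER blob

def digest_encodings(der):
    """Forms in which a certificate digest is commonly embedded (assumed set)."""
    forms = {}
    for name in ("sha1", "sha256"):
        raw = hashlib.new(name, der).digest()
        forms[name + "/raw"] = raw
        forms[name + "/hex"] = raw.hex().encode()
        forms[name + "/HEX"] = raw.hex().upper().encode()
        forms[name + "/base64"] = base64.b64encode(raw)
    return forms

def audit_bundle(bundle_dir, binary_path):
    """List bundled certificates and how (if at all) their digest is hardcoded."""
    binary = Path(binary_path).read_bytes()
    report = []
    for path in sorted(Path(bundle_dir).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in CERT_SUFFIXES:
            continue
        for der in load_der(path):
            hits = sorted(k for k, v in digest_encodings(der).items()
                          if v in binary)
            report.append({"file": path.name,
                           "sha256": hashlib.sha256(der).hexdigest(),
                           "hardcoded_as": hits})
    return report

if __name__ == "__main__":
    # Usage: script.py <unpacked .app directory> <main executable>
    for row in audit_bundle(sys.argv[1], sys.argv[2]):
        print(row["file"], row["sha256"], row["hardcoded_as"] or "no digest found")
```

An empty `hardcoded_as` list only means none of the searched encodings matched; the digest may still be stored obfuscated or computed at runtime.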
Tests
- MASTG-TEST-0236: Cleartext Traffic Observed on the Network
- MASTG-TEST-0067: Testing Endpoint Identity Verification
- MASTG-TEST-0068: Testing Custom Certificate Stores and Certificate Pinning