Monday, May 5, 2025
HomeAndroidBypassing and Disabling SSL Pinning on Android to Perform Man-in-the-Middle Attack

Bypassing and Disabling SSL Pinning on Android to Perform Man-in-the-Middle Attack

Published on

SIEM as a Service

Follow Us on Google News

Certificate Pinning is an extra layer of security to achieve protection against man-in-the-middle. It ensures only certified Certificate Authorities (CA) can sign certificates for your domain, and not any CA in your browser store.

Application developers implement Certificate pinning to avoid reverse engineering, it allows developers to specify which certificate the application is allowed to trust. Instead of relying on the certificate store.

Analyzing Source Code for SSL Pinning

By searching for strings like “checkClientTrusted” or “checkServerTrusted“, it would show you a piece of code with pinning.

- Advertisement - Google News

If the code isn’t obfuscated, then we will modify the code to get rid of the pinning, recompile, and sign with the APKTOOL.

Also, you can do a static analysis with a Security framework like MOBSF, if you find “Certificate/Key Files Hard-coded inside the App” or “Hardcoded Keystore Found” then it has SSL pinning.

Also Read Complete Android penetration Testing Checklist

Bypass SSL Pinning

In order to disable the promise, we want to decompile the application file and find the method bound for pinning control and remove the check. The end goal is to have the client accept your own SSL certificate as valid.

We are taking an Android application in our scenario, if you have the device rooted then you can use Xposed Framework modules available to disable SSL Pinning. It is a very simple and straightforward method.

But the best way is to conduct a manual review by disassembling the apk you will need to locate where within the small source code the certificate pinning checks are done.

$ apktool -d test.apk

Searching the small code for keywords such as “X509TrustManager”, “cert”, “pinning”, to find where the certificate pinning login is keywords such as “X509TrustManager”, “cert”, “pinning”, etc, to find where the certificate pinning login is performed.

Once you have finished modifying the code need to compile and resign the app with a developer certificate. The code signing certificate here provides integrity and ensures the application does not tamper.

$ apktool b test/ -o example.modified.apk

After this, the app needs to just be reinstalled on the device and tested. Once installed the app still, works, as supposed, however, is currently prone to a man-in-the-middle attack as a result of the pinned certificate being bypassed.

Bypassing certificate pinning either of those ways permits you to effectively conduct a man-in-the-middle attack on the apps that are shielded with HTTPS and SSL having the ability to intercept session tokens and even seeing usernames and passwords in plain text in a tool like a burp suite or fiddler.

Mitigation – Bypass SSL

The certificate is tended to expire as per the CAB forum CA certificates will not be issued for a maximum period of 3 years. So you should plan an app update with an updated certificate.

We should implement obfuscation methods to avoid our source code to be decompiled. You can submit an app for pentesting companies for source code analysis.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

GPUAF: Two Methods to Root Qualcomm-Based Android Phones

Security researchers have exposed critical vulnerabilities in Qualcomm GPU drivers, impacting a vast array...

SpyMax Android Spyware: Full Remote Access to Monitor Any Activity

Threat intelligence experts at Perplexity uncovered an advanced variant of the SpyMax/SpyNote family of...

43% of Top 100 Enterprise Mobile Apps Expose Sensitive Data to Hackers

A comprehensive study by zLabs, the research team at Zimperium, has found that over...