
# SSL Pinning Bypass

{% embed url="https://redhuntlabs.com/wp-content/uploads/2023/07/Ultimate-Guide-to-SSL-Pinning-Bypass-RedHunt-Labs.pdf" %}

{% embed url="https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0012/" %}

### Xposed

**Xposed** is a framework for Android that lets you change how apps and the system behave **without modifying the APKs or flashing a custom ROM**.

* <https://github.com/ViRb3/TrustMeAlready>
* <https://github.com/Fuzion24/JustTrustMe>
* <https://github.com/ac-pm/SSLUnpinning_Xposed>

### Frida

Frida is a dynamic instrumentation toolkit that lets you hook and modify an app's logic at runtime. Its feature set is far too large to cover here and warrants a guide of its own.

```bash
# Unpack the frida-server release matching the device ABI and the host's
# frida-tools version, then push it to the device and start it
xz -d frida-server-17.2.15-android-arm64.xz
mv frida-server-17.2.15-android-arm64 frida-server
adb push frida-server /data/local/tmp/
adb shell
cd /data/local/tmp
chmod 755 frida-server
./frida-server &

# Back on the host: list installed (-i) applications (-a) over USB (-U)
frida-ps -Uia | grep -i pinning

# Spawn the app with a community unpinning script from Frida CodeShare
frida --codeshare akabe1/frida-multiple-unpinning -U -f <appname>

# Attach to an already running app by its package identifier
frida -U -N org.secuso.privacyfriendlydicer

# Spawn the app and load a local hook script before its own code runs
frida -U -f org.secuso.privacyfriendlydicer -l hook.js
# Frida CLI versions before 16 kept the spawned process paused unless
# --no-pause was given; Frida 16 and later resume automatically and
# provide --pause for the old behaviour
frida -U -f org.secuso.privacyfriendlydicer -l hook.js --no-pause
```

### Objection

```bash
# Install objection on the host
pip3 install objection
# Inject the Frida Gadget into the APK (writes package.objection.apk)
objection patchapk -s package.apk
# Attach to the running patched app and disable pinning hooks at startup
objection explore --startup-command 'android sslpinning disable'
```

### Frida Gadget

Objection's `patchapk` command injects the Frida Gadget into the APK for you:

```bash
objection patchapk -s package.apk
```

Alternatively, you can patch the APK by hand, as [described in this guide](https://koz.io/using-frida-on-android-without-root/).

Once the APK is patched, install the Frida tools on the testing machine with `pip3 install frida-tools`. This provides the `frida`, `frida-ps` and `frida-ls-devices` commands, among others.

Install the patched APK on an Android device and open it. The app blocks until Frida connects to the embedded Gadget. The output of

<figure><img src="/files/4nLthNhPNWDI1vhE2hwN" alt=""><figcaption></figcaption></figure>

### APKLAB

{% embed url="https://apklab.surendrajat.xyz/docs/user-guide/getting-started/" %}

### Android SSL Trustkiller

{% embed url="https://github.com/iSECPartners/Android-SSL-TrustKiller" %}

### Inspeckage

{% embed url="https://github.com/ac-pm/Inspeckage" %}

### Flutter Application

* ProxyDroid for global tunnelling (routes device traffic to the proxy without app-level proxy support, since Flutter ignores the system proxy settings)
* Frida scripts to bypass SSL pinning
* reFlutter
* Modify the APK
* [Disable TLS Verification](https://github.com/NVISOsecurity/disable-flutter-tls-verification): a Frida script that disables Flutter's TLS verification ([write-up](https://wahaz.medium.com/finally-ssl-pinning-for-flutter-bypassed-after-frustration-4573e15ed18e)). Usage: `frida -U -f com.google.android.apps.adwords -l disable-flutter-tls.js`

{% embed url="https://thecybersandeep.medium.com/intercepting-flutter-applications-traffic-on-burpsuite-using-tunproxy-and-frida-474d6241b137" %}

### Code to Add in “main.dart” <a href="#id-7c81" id="id-7c81"></a>

```dart
import 'dart:io';

// Interception build: accept every server certificate and, off Android, route
// requests through the proxy. A badCertificateCallback that returns true
// disables certificate validation for every HttpClient in the app.
class MyHttpOverrides extends HttpOverrides {
  @override
  HttpClient createHttpClient(SecurityContext? context) {
    if (Platform.isAndroid) {
      // ProxyDroid handles tunnelling on Android, so only validation is disabled
      return super.createHttpClient(context)
        ..badCertificateCallback =
            (X509Certificate cert, String host, int port) => true;
    }

    // Elsewhere, point the client at the proxy directly (replace IP:PORT)
    return super.createHttpClient(context)
      ..findProxy = (uri) {
        return "PROXY IP:PORT";
      }
      ..badCertificateCallback =
          (X509Certificate cert, String host, int port) => true;
  }
}
```

### Modifying `main()`: <a href="#id-5d7c" id="id-5d7c"></a>

```dart
HttpOverrides.global = MyHttpOverrides(); // at the top of main(), before runApp()
```

With this setup, I could run ProxyDroid and intercept the application’s traffic without needing an SSL pinning bypass.
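The `MyHttpOverrides` class above turns off certificate validation for the whole app, which is what an interception build needs but is also exactly the defect a review of a release build should flag. As an added example (not code from the original page or from the Flutter project), here is the hardened counterpart: an `HttpOverrides` that trusts only a certificate embedded in the app, built on `dart:io`'s `SecurityContext`. The class name `PinnedHttpOverrides`, the helper `connectsWithPin` and the PEM constant are my own; the PEM is a placeholder to be replaced with the real server or private CA certificate.

```dart
import 'dart:convert';
import 'dart:io';

// Added example, not from the original page: the hardened counterpart of the
// MyHttpOverrides interception build. Only the certificate embedded below is
// trusted, so the OS trust store (and any proxy CA installed into it) takes
// no part in validation. The PEM is a placeholder.
const String pinnedCertPem = '''
-----BEGIN CERTIFICATE-----
PLACEHOLDER_BASE64_DER_OF_YOUR_SERVER_OR_PRIVATE_CA_CERT
-----END CERTIFICATE-----
''';

class PinnedHttpOverrides extends HttpOverrides {
  @override
  HttpClient createHttpClient(SecurityContext? context) {
    // withTrustedRoots: false starts from an empty trust store; the pinned
    // certificate is then the only trust anchor the client will accept.
    final pinned = SecurityContext(withTrustedRoots: false)
      ..setTrustedCertificatesBytes(utf8.encode(pinnedCertPem));

    // badCertificateCallback is deliberately left unset: the default rejects
    // every chain that does not verify against the pinned certificate, which
    // is the check the interception build above switches off.
    return HttpClient(context: pinned);
  }
}

// Sanity check for the pin: a request to a host whose chain does not end in
// the pinned certificate must fail with a HandshakeException.
Future<bool> connectsWithPin(String url) async {
  HttpOverrides.global = PinnedHttpOverrides();
  final client = HttpClient(); // HttpClient() consults HttpOverrides.global
  try {
    final request = await client.getUrl(Uri.parse(url));
    final response = await request.close();
    await response.drain<void>();
    return true; // chain verified against the pin
  } on HandshakeException {
    return false; // chain rejected: the pin is enforced (or the pin is wrong)
  } finally {
    client.close(force: true);
  }
}
```

Two points worth knowing when reviewing Flutter pinning. First, a `badCertificateCallback` that merely compares fingerprints is not pinning: `dart:io` only invokes that callback when the chain already failed to verify against the trusted roots, so a certificate the device trusts (for example a proxy CA the user installed) never reaches it. Dropping the OS roots with `withTrustedRoots: false` is what closes that gap. Second, this only governs `dart:io`'s `HttpClient`; plugins that hand networking to the platform stack (native HTTP libraries on Android or iOS) need their own pinning configuration.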

{% embed url="https://medium.com/@k3r0/how-i-discovered-a-0-click-account-takeover-ato-vulnerability-in-a-flutter-application-74c7a5c4dc70" %}
