
Ultimate Guide to Android SSL Pinning Bypass

Content Overview
Most mobile applications that process payments or PII implement SSL pinning. The OWASP Mobile Appsec Standard even recommends it for apps handling sensitive data. This guide walks you through SSL pinning basics, how it’s implemented, and the various tools and methods used to bypass such protection in Android apps.
The ebook covers the offensive and defensive sides of SSL pinning and includes the following:
- What is SSL Pinning
- How is SSL Pinning Implemented
- Bypassing SSL Pinning
  - Lower Android Version
  - Using Frida Gadgeting
  - Taint Analysis using Frida
  - Using JustTrustMe - Xposed Module
  - Using Objection framework
  - Network Security Config Modification
  - Frida Injection
  - Miscellaneous (Android Trustkiller, Inspackage, etc.)
- What is Not SSL Pinning
- How to Identify if SSL Pinning is Enabled

About the Author
Chandrapal is a Security Researcher with deep knowledge of defensive as well as offensive security roles. He has a great hands-on understanding of applications with modern security standards and architectures.
In the past few engagements, he found some exceptional ways to bypass SSL pinning, and hence he talks about SSL pinning in detail in this e-book.