Hi folks,
Some times during application testing in Android platform, we come across a application which implements SSL (Certificate or public key) pinning. Hence, making it difficult to intercept the traffic using Web proxy during testing.
This post lists down tools already available on the internet for bypassing SSL pinning without touching the application code.
Prerequisites before using the tools:
Some times during application testing in Android platform, we come across a application which implements SSL (Certificate or public key) pinning. Hence, making it difficult to intercept the traffic using Web proxy during testing.
This post lists down tools already available on the internet for bypassing SSL pinning without touching the application code.
Prerequisites before using the tools:
- The mobile must be rooted.
- The tools used to bypass SSL pinning must be given Super User access/privilege.
- The CA certificate of the intercepting Web proxy must be installed in the mobile Certificate store.
Tools list for applications running on android platform version <=4.3:
As Cydia Subtrate is no longer supported for versions 4.4(KitKat) and above, below tools can be used for SSL pinning bypass in Android version 4.4 and above.
Download and install the apks as per your mobile's android version. Once installed, activate the modules (Android-SSL-Trust-Killer/JustTrustMe) in Cydia-Subtrate/Exposed-Framework and restart the mobile. Now, if everything is configured properly, you can successfully intercept the application traffic.
No comments:
Post a Comment