SSL Pinning Bypass for Android Using Frida

Mobile application security testing has become one of the most critical disciplines in modern cybersecurity. Among the most frequently encountered defenses in Android applications is SSL pinning, a mechanism designed to prevent man-in-the-middle (MITM) attacks by restricting which certificates an app will trust. For penetration testers, bypassing this control is often a necessary step to assess how securely an app transmits sensitive data.

This guide walks through the complete process of bypassing SSL pinning on Android using Frida, one of the most powerful dynamic instrumentation toolkits available. Whether you are a seasoned security professional or expanding your mobile testing skillset, the techniques here are used daily by the expert team at Redfox Cybersecurity to uncover critical vulnerabilities before attackers do.

What Is SSL Pinning and Why Does It Matter

SSL pinning is a security technique where an application hardcodes the expected server certificate or public key directly into its code. Instead of relying on the standard certificate authority chain, the app compares the server's certificate against its own internal copy during the TLS handshake. If they do not match, the connection is rejected.

This means that even if a pentester installs a trusted proxy certificate like Burp Suite's CA on the device, the application will still refuse to establish a connection through the proxy. The result is that standard MITM interception fails entirely.

Why Pentesters Need to Bypass SSL Pinning

From a penetration testing perspective, bypassing SSL pinning is not about breaking encryption for malicious purposes. It is about analyzing the actual traffic flowing between the application and its backend, identifying:

• Sensitive data transmitted in cleartext or with weak parameters
• Authentication tokens, API keys, and session identifiers
• Business logic vulnerabilities hidden in API calls
• Insecure direct object references in endpoints

If you need professional support conducting thorough Android application security assessments, Redfox Cybersecurity's mobile penetration testing services are built to cover exactly this attack surface.

Understanding Frida and How It Works

Frida is a dynamic instrumentation toolkit that lets you inject JavaScript snippets into native apps. On Android, it works by attaching to a running process and hooking into functions at runtime, without needing the application's source code. This makes it ideal for bypassing runtime security controls like SSL pinning.

Frida operates in two primary modes:

Frida Server Mode: A binary runs on the rooted Android device and listens for instructions from the host machine via USB or network.

Frida Gadget Mode: A shared library is injected into the APK itself, useful when root access is not available.

This guide focuses on the rooted device approach, which is the most practical for lab-based penetration testing.

Setting Up Your Testing Environment

Before diving into bypass techniques, your environment needs to be properly configured. Here is what you need:

• A rooted Android device or emulator (Android 8.0 or higher recommended)
• ADB (Android Debug Bridge) installed on your host machine
• Python 3 installed
• Frida and Frida-tools installed on the host
• The target APK

Step 1: Install Frida Tools on the Host Machine

pip install frida-tools
pip install frida


Verify the installation:

frida --version


Step 2: Download and Deploy Frida Server on the Android Device

Identify your device's architecture first:

adb shell getprop ro.product.cpu.abi


Download the matching Frida server binary from the official Frida GitHub releases page. For example, for arm64:

wget https://github.com/frida/frida/releases/download/<version>/frida-server-<version>-android-arm64.xz
xz -d frida-server-<version>-android-arm64.xz


Push it to the device and configure permissions:

adb push frida-server-<version>-android-arm64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server


Step 3: Start the Frida Server on the Device

adb shell su -c "/data/local/tmp/frida-server &"


Confirm it is running:

adb shell ps | grep frida


Forward the Frida port to your host:

adb forward tcp:27042 tcp:27042


List running processes to confirm communication:

frida-ps -U


Bypassing SSL Pinning With Frida Scripts

With Frida running, the next step is to inject a script into the target application that overrides the SSL pinning logic at runtime.

Using the Frida Universal SSL Pinning Bypass Script

The most widely used approach is the Universal Android SSL Pinning Bypass script by sockeye. It patches multiple common SSL pinning implementations simultaneously, including OkHttp, TrustManager, and Webview-based pinning.

First, identify the application's package name:

frida-ps -Ua


This lists all installed and running applications. Locate your target. Then run the bypass:

frida -U -f com.target.application --no-pause -l ssl_pinning_bypass.js


The ssl_pinning_bypass.js file contains the hook logic. A minimal version targeting Android's TrustManager looks like this:

Java.perform(function () {
   var TrustManager = Java.registerClass({
       name: 'com.custom.TrustManager',
       implements: [Java.use('javax.net.ssl.X509TrustManager')],
       methods: {
           checkClientTrusted: function (chain, authType) {},
           checkServerTrusted: function (chain, authType) {},
           getAcceptedIssuers: function () { return []; }
       }
   });

   var SSLContext = Java.use('javax.net.ssl.SSLContext');
   SSLContext.init.overload(
       '[Ljavax.net.ssl.KeyManager;',
       '[Ljavax.net.ssl.TrustManager;',
       'java.security.SecureRandom'
   ).implementation = function (km, tm, sr) {
       this.init(km, [TrustManager.$new()], sr);
   };
});


Save this as ssl_pinning_bypass.js and inject it as shown above.

Bypassing OkHttp Certificate Pinner Specifically

Many modern Android apps use OkHttp as their HTTP client. OkHttp has its own CertificatePinner class that needs to be targeted directly:

Java.perform(function () {
   var CertificatePinner = Java.use('okhttp3.CertificatePinner');

   CertificatePinner.check.overload('java.lang.String', 'java.util.List')
   .implementation = function (hostname, peerCertificates) {
       console.log('[*] OkHttp SSL Pinning bypassed for: ' + hostname);
       return;
   };

   CertificatePinner.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;')
   .implementation = function (hostname, peerCertificates) {
       console.log('[*] OkHttp SSL Pinning bypassed for: ' + hostname);
       return;
   };
});


Inject it the same way:

frida -U -f com.target.application --no-pause -l okhttp_bypass.js


Targeting Trustkit-Based Pinning

TrustKit is another popular library for implementing SSL pinning on Android. To bypass it:

Java.perform(function () {
   var OkHostnameVerifier = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier');

   OkHostnameVerifier.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession')
   .implementation = function (hostname, session) {
       console.log('[*] TrustKit bypass for: ' + hostname);
       return true;
   };
});


Advanced Techniques for Heavily Hardened Applications

Some applications implement custom pinning logic that generic scripts cannot bypass out of the box. These require a more targeted approach.

Locating Custom Pinning Logic With Frida's Tracer

Use Frida's built-in tracer to watch which methods get called during the TLS handshake:

frida-trace -U -f com.target.application -j '*!*certificate*'


This traces all methods containing the word "certificate" across all classes in real time. Review the output to identify the specific class and method implementing the pinning check.

Hooking a Custom Method Dynamically

Once you identify the target method, write a specific hook:

Java.perform(function () {
   var CustomPinner = Java.use('com.target.application.security.NetworkSecurity');

   CustomPinner.verifyCertificate.implementation = function (cert) {
       console.log('[*] Custom pinner hooked, returning true');
       return true;
   };
});


This level of customization is precisely where professional expertise becomes invaluable. The team at Redfox Cybersecurity routinely handles hardened applications where generic tools fail, using manual reverse engineering to identify and defeat custom security implementations.

Routing Traffic Through Burp Suite After Bypass

With SSL pinning defeated, the next step is capturing the application's traffic through Burp Suite.

Configure your Android device to use your host machine as a proxy:

adb shell settings put global http_proxy <host-ip>:8080


In Burp Suite, ensure the proxy listener is set to accept connections on all interfaces. With the Frida script running and the proxy configured, launch the app and observe decrypted traffic flowing into Burp's HTTP history.

To reset the proxy after testing:

adb shell settings delete global http_proxy


Common Errors and How to Resolve Them

Even with the right tools, you will encounter issues. Here are the most common ones:

Error: "Frida server version mismatch"Ensure the Frida server binary version matches the frida-tools version installed on the host. Run pip install frida==<version> to align them.

Error: "Unable to attach to process"The application may have anti-Frida detection. Try spawning the app with Frida rather than attaching to an existing process: use the -f flag as shown in the commands above.

Error: Script hooks not triggeringThe app may use a different pinning library than expected. Use frida-trace to enumerate active methods and identify the correct class.

Error: App crashes immediately after injectionThe app may detect Frida's presence. Consider using a Frida gadget embedded in a repackaged APK, or use Objection, which wraps Frida with additional evasion capabilities:

objection -g com.target.application explore


Then inside the Objection shell:

android sslpinning disable


Why SSL Pinning Bypass Is a Core Penetration Testing Skill

SSL pinning bypass is not a niche edge case; it is a fundamental requirement for any serious Android application security assessment. Without the ability to intercept encrypted traffic, critical vulnerability classes remain completely invisible, including broken authentication, mass assignment, sensitive data exposure, and insecure API design.

Attackers with sufficient motivation will invest the time to bypass these controls. The question is whether your organization discovers these weaknesses first during a controlled assessment, or after a breach. Redfox Cybersecurity's penetration testing services are designed to answer that question with confidence, giving your team the actionable findings needed to harden your applications before they reach threat actors.

Wrapping Up

Frida is an extraordinarily capable tool for Android penetration testing, and SSL pinning bypass is one of its most practical applications. Mastering the techniques covered here, from deploying the Frida server and running universal bypass scripts to hooking custom implementations and routing traffic through Burp, gives you the capability to conduct a complete API security assessment on any Android application.

The commands and scripts in this guide provide a strong foundation, but real-world applications often require deeper analysis, reverse engineering, and tool customization. If your organization needs expert support assessing Android applications, APIs, or broader mobile attack surfaces, the Redfox Cybersecurity team brings the depth of experience needed to find what automated scanners and generic scripts miss.

Engage Redfox Cybersecurity today to get a thorough, manual mobile penetration test that goes beyond surface-level findings and delivers the kind of security assurance your applications actually need.