Certificate Pinning

Search for “verify”, “check”, “TLS”, “SSL”, and “X509”.

OKHTTP

Hooking

Most pinning checks can be bypassed by running the CertificateBypass() function from the frida_android_helper_functions.js Frida library.

Patch the APK

Recompile the Smali:

```smali
>> cat okhttp3/CertificatePinner.smali
const-string v11, "sha256/"
invoke-virtual {v10, v11}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v10
if-eqz v10, :cond_5

.line 162
if-nez v8, :cond_3
invoke-static {v9}, Lokhttp3/CertificatePinner;->sha256(Ljava/security/cert/X509Certificate;)Lokio/ByteString;
move-result-object v8

.line 163
:cond_3
iget-object v10, v4, Lokhttp3/CertificatePinner$Pin;->hash:Lokio/ByteString;
invoke-virtual {v10, v8}, Lokio/ByteString;->equals(Ljava/lang/Object;)Z
move-result v10
if-nez v10, :cond_0    # Change to if-eqz

.line 159
:cond_4
add-int/lit8 v3, v3, 0x1
goto :goto_2
```
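A build-integrity check for the branch flip marked above, as an added example that is not part of the original notes: it compares a known-good CertificatePinner.smali from your own release build with the Smali decompiled from a distributed APK and reports conditional branches whose sense was inverted. The function names and the two embedded snippets (cut down from the listing above) are constructed for illustration.

```python
import difflib
import re

# Dalvik zero-test branches and their logical inverses.
INVERSE = {"if-eqz": "if-nez", "if-nez": "if-eqz"}

# Constructed sample: the hash comparison from the listing above (known-good build).
REFERENCE = r"""
:cond_3
iget-object v10, v4, Lokhttp3/CertificatePinner$Pin;->hash:Lokio/ByteString;
invoke-virtual {v10, v8}, Lokio/ByteString;->equals(Ljava/lang/Object;)Z
move-result v10
if-nez v10, :cond_0
.line 159
:cond_4
add-int/lit8 v3, v3, 0x1
"""

# Constructed sample: the same code as it appears in a repackaged APK.
SUSPECT = REFERENCE.replace("if-nez v10, :cond_0", "if-eqz v10, :cond_0  # patched")


def normalize(smali: str) -> list[str]:
    """Drop blank lines, .line directives and trailing '#' comments.

    Both inputs are normalized identically, so a '#' inside a string
    literal cannot produce a false difference between them.
    """
    out = []
    for raw in smali.splitlines():
        line = re.sub(r"\s+", " ", raw.split("#", 1)[0]).strip()
        if line and not line.startswith(".line"):
            out.append(line)
    return out


def flipped_branches(reference: str, suspect: str) -> list[tuple[int, str, str]]:
    """Return (index, reference_insn, suspect_insn) where only the branch sense changed."""
    ref, sus = normalize(reference), normalize(suspect)
    findings = []
    matcher = difflib.SequenceMatcher(a=ref, b=sus, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "replace" or (i2 - i1) != (j2 - j1):
            continue  # only same-length substitutions can be a pure opcode flip
        for k, (r, s) in enumerate(zip(ref[i1:i2], sus[j1:j2])):
            r_op, _, r_args = r.partition(" ")
            s_op, _, s_args = s.partition(" ")
            if INVERSE.get(r_op) == s_op and r_args == s_args:
                findings.append((i1 + k, r, s))
    return findings
```

The index in each finding is the instruction's position in the normalized reference, so it stays stable when a decompiler renumbers `.line` directives.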

Internal Android (API XX+)

Non HTTPS Protocols

Capture the network traffic with [TCPDump](/Red Team/TCPDump) and use Frida to obtain the NSS key log, then decrypt the data using this tool.