# SSL Pinning bypass (Android Emulator)

Over the weekend, I was taking a look at an application which implemented SSL pinning. Here's the technique I used to bypass pinning and view the raw requests sent to the application server, which then helped me to uncover crucial details about the application's functionality.

---

# Prerequisites

* An Android emulator of choice
    
* Burp Suite (installed on host machine)
    
* Python packages
    
    * `objection`
        
        If you face issues post-installation:
        
        ```plaintext
        pip install --upgrade setuptools
        ```
        
    * `frida`
        
    * `frida-tools`
        

---

# Configure Burp Proxy

`on host`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705250826510/1ff63945-7476-4242-92f2-4bbf5daa503a.png align="center")

`on emulator`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705250862153/fce6cfa4-63a0-497e-b005-381644fc9592.png align="center")

---

# Install Certificate onto emulator

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705251164775/f8894acf-6ba4-468d-a4f2-6cff31144438.png align="center")

Launch the browser and head to `http://burp` and download the CA Certificate.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705251608214/dfd5cbd8-0468-432b-b353-8450fd2c1f81.png align="center")

Make sure to rename the cert to `<name>.cer` via the file manager.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705251826042/e969a6d5-8852-40cf-8f2f-7349b6306879.png align="center")

Then head to the certificate settings on the respective emulator and install the newly downloaded certificate.

---

# Frida Server

[Releases · frida/frida (github.com)](https://github.com/frida/frida/releases)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705251928126/4b37472e-bbaf-412c-80bd-cd64a2ec23c7.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705252120384/7e1fcae0-b7b9-4388-aab7-8ec122422a1a.png align="center")

Download and unzip the respective frida-server version, then move the extracted binary to the bin location of your emulator. In my case: `D:\Program Files\Nox\bin`

```plaintext
adb devices
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705252247247/b6b2d817-6e76-4eb1-a701-f747bc74df34.png align="center")

Verify that the adb interface is attached to the device.

```plaintext
adb push frida /data/local/tmp
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705252305322/26bd5a28-e1c9-488a-86a0-0ee5d3b681d7.png align="center")

Push the frida binary to the device via ADB.

```plaintext
D:\Program Files\Nox\bin>adb shell

cd /data/local/tmp/
chmod +x frida
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705252496167/10a418d7-79f9-4b71-a2ce-747e41955f27.png align="center")

Give the binary execute permissions.

```plaintext
./frida &
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705252534251/0387b7cd-4991-4063-a155-d85e465c870b.png align="center")

Run frida server in the background.
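
Seen from the defender's side, the server started above is observable on the device: frida-server listens on TCP port 27042 by default. The following is an added example (not code from the original post) that parses `/proc/net/tcp` output for that listener; the sample table is constructed and the function names are hypothetical.

```python
# Added example: spot a frida-server listener in /proc/net/tcp output.
FRIDA_DEFAULT_PORT = 27042  # frida-server's default TCP port (0x69A2)
TCP_LISTEN = "0A"           # kernel state code for a listening socket

# Constructed sample of `cat /proc/net/tcp`, as it could look after the step above.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:69A2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   1: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:A1C4 0202000A:1F90 01 00000000:00000000 00:00000000 00000000 10083        0 34567 1 0000000000000000 20 4 30 10 -1
"""


def parse_ipv4(hex_addr):
    """Decode the little-endian hex IPv4 address used by /proc/net/tcp."""
    raw = bytes.fromhex(hex_addr)
    return ".".join(str(b) for b in reversed(raw))


def listening_sockets(proc_net_tcp):
    """Return (ip, port, uid) for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        addr, port = fields[1].split(":")
        found.append((parse_ipv4(addr), int(port, 16), int(fields[7])))
    return found


def frida_listeners(proc_net_tcp, port=FRIDA_DEFAULT_PORT):
    """Return the listening sockets bound to the given port."""
    return [s for s in listening_sockets(proc_net_tcp) if s[1] == port]


if __name__ == "__main__":
    for ip, port, uid in frida_listeners(SAMPLE_PROC_NET_TCP):
        print(f"possible frida-server: {ip}:{port} (uid {uid})")
```

This check covers only a server on the default port, so treat a hit as one signal among several rather than proof either way.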

---

# Bypass SSL Pinning

There are a ton of scripts developed by the community for frida which you can find [here](https://codeshare.frida.re/). We'll be making use of the `frida-multiple-unpinning` script for our use case.

```plaintext
frida --codeshare akabe1/frida-multiple-unpinning -U -f com.twitter.android
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705252663468/cf81b425-db49-42d0-9ab6-64f0492a4017.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705252808046/40eeb861-3e66-40d0-9770-bec1960a57e4.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705252949401/69086f33-6ee7-4f32-832b-dc235cb2197f.png align="center")

We can verify that the `X` AKA `twitter` app has opened up and the SSL pinning bypass is in effect.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705253043809/ad283116-3ab6-4ceb-a0dd-3404a089e76f.png align="center")

We can then take a look at Burp and ensure that we are able to see the raw requests sent by the `X` app to its API server.
