Universal Android SSL Pinning Bypass #2

Following the Frida script published last year by Piergiovanni, we found another way to bypass all SSL certificate checks performed by most applications on Android devices, including SSL pinning. This means that it can also be used without installing a valid CA on the device, which makes it a very useful tool to have when performing mobile application penetration tests.

The code is as follows:

In order to use it:

  • Launch the Frida server on the device

  • Search for the application package name (assuming the device is connected over USB)

  • Spawn the application, injecting our JavaScript code

The script can be downloaded from Frida CodeShare.