Your target has an Android application and you want to walk through their API to check for server-side vulnerabilities. You configure the emulator to use Burp Suite as a proxy and begin using the app.

Using the Android emulator with a proxy.

Suddenly, the app stops working. Nothing shows in Burp and no HTTPS requests work. The developers have implemented SSL pinning and your phony certificate has been detected. Fortunately, SSL pinning can be disabled if you’re willing to get your hands dirty.

Decompiling the App

First, you need to decompile the app. Apktool works great for this, and it’s available on all platforms. Follow the install instructions and then decompile the APK.

Decompiling an app with apktool.

This command will produce a directory with the AndroidManifest.xml, resource files and Smali bytecode.

Removing the pin

Next, you’ll need to remove the pinned certificate from the application. It’s easiest to use grep to look for “CertificatePinner”.

Finding uses of CertificatePinner with grep.

This will return a list of files in the app that use SSL pinning with OkHttp. It will bring up instances in third party libraries that may need to be disabled as well. Look through to see where the app is pinning its certificate. Once you find it, open the file in your favourite text editor. According to OkHttp’s CertificatePinner documentation, certificate hashes are added using the CertificatePinner.Builder’s add method. We need to look for the Smali bytecode that corresponds with the method call and remove it to neuter the SSL pinning.

Adding a certificate in Smali.

Removing the two lines above will get rid of a pinned certificate. You’ll have to repeat this for every certificate hash the app pins.

Rebuilding the APK

After you’ve removed the SSL pinning, rebuild the APK using apktool. You’ll have to zipalign the APK and resign it with your signing key to get Android to accept it.

Rebuilding the APK.

If you don’t have a signing key, you can generate one using keytool.

Generating a key using keytool.

Finally, install the APK on the target device. If the previous version is already installed, you’ll have to uninstall it so Android doesn’t detect the different signatures.

After doing this, you should be able to intercept requests from the app.

Happy hacking!