Following the Frida script published last year by Piergiovanni, we found another way to bypass all SSL certificate checks performed by most applications on Android devices, obviously including SSL pinning. This means it can also be used without installing a valid CA on the device, which makes it a very handy tool to have when performing mobile application penetration tests.

The code is as follows:

Universal Android SSL Pinning Bypass

```javascript
Java.perform(function() {
    var array_list = Java.use("java.util.ArrayList");
    // Conscrypt's TrustManagerImpl is where the platform validates certificate chains,
    // so hooking it covers the system trust store checks as well as app-level pinning
    // that ends up delegating to it
    var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl');

    // Replace checkTrustedRecursive: instead of walking the chain and throwing a
    // CertificateException on failure, always return an empty ArrayList so that
    // every chain is treated as trusted
    ApiClient.checkTrustedRecursive.implementation = function(a1, a2, a3, a4, a5, a6) {
        // console.log('Bypassing SSL Pinning');
        var k = array_list.$new();
        return k;
    };
});
```

In order to use it:

Launch the frida server on the device

```
$ adb devices
$ adb root
$ adb shell
klte:/# ./frida-server
```

Search for the application package name (assuming the device is connected over USB)

```
frida-ps -Uai
```

Spawn the application, injecting our JavaScript code

```
frida -U -f org.package.name -l universal-ssl-check-bypass.js --no-pause
```

The script can be downloaded from Frida CodeShare.

Enjoy!