Bypass certificate pinning on rooted android device

First of all, install Magisk on rooted device and then install TrustUserCertificates plugin:

Now you can install the Charles self-signed certificate on your device, as a standard User Custom Certificate, and then reboot your phone: the magisk plugin will do the magic and copy che Charles SSL certificate in the System Certificate Authorities list.

In this way, now you can intercept all the device apps using Charles, also production builds or APK downloaded from the Google Play Store.

But if an app uses SSL Certificate Pinning, Charles cannot intercept the encrypted traffic, so another step is required:

  • Download latest FRIDA server for android: link to the latest version. Download the android version and copy the executable file to your mobile phone, under /data/local/tmp folder.
  • Start frida on mobile phone
  • Install objection from github: link to the Github project.
  • run the following command
    • objection -g PACKAGE_NAME explore -q
    • android sslpinning disable
 

sarbyn

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.