
Mobile SSL Pinning Bypass
Intercept HTTPS from Android or iOS apps that pin certificates or public keys so you can debug APIs or run authorized mobile pentests.
Overview
Mobile SSL Pinning Bypass is an agent skill for the Ship phase that documents how to defeat certificate and public-key pinning on Android and iOS apps—including Flutter, React Native, and Xamarin—so HTTPS traffic can be
Install
npx skills add https://github.com/yaklang/hack-skills --skill mobile-ssl-pinning-bypass
What is this skill?
- Maps certificate pinning, public key pinning, and SPKI hash pinning with resilience and where each appears
- Android and iOS bypass paths: Frida, Objection, Xposed, SSL Kill Switch, and related hook strategies
- Framework-specific guidance for Flutter, React Native, and Xamarin hook points base models often miss
- Troubleshooting for non-standard and multi-layer pinning stacks
- Routes to broader Android/iOS pentesting and api-sec skills after traffic is visible
- Documents three pinning types: certificate pinning, public key pinning, and SPKI hash pinning
- Includes framework-specific bypass notes for Flutter, React Native, and Xamarin
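Why the pinning types listed above differ in resilience, shown as an added example (not code from the skill or its repository): it computes real SPKI hash pins in OkHttp's `sha256/<base64>` form and checks them across a certificate renewal and a key rotation. The certificate objects, the `cert/` whole-certificate hash, and all function names are constructed stand-ins for illustration.

```javascript
const crypto = require('crypto');

// Generate an EC key pair and return its public key as SPKI DER bytes.
function newSpki() {
  const { publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return publicKey.export({ type: 'spki', format: 'der' });
}

const sha256b64 = (buf) => crypto.createHash('sha256').update(buf).digest('base64');

// SPKI hash pin in the "sha256/<base64>" form used by OkHttp's CertificatePinner.
const spkiPin = (cert) => 'sha256/' + sha256b64(cert.spki);

// Constructed stand-in for hashing the whole leaf certificate: it covers the
// serial and expiry as well as the key, so it changes on every reissue.
const certPin = (cert) =>
  'cert/' + sha256b64(Buffer.concat([Buffer.from(cert.serial + '|' + cert.notAfter), cert.spki]));

// Pin validation step: accept if any embedded pin matches the presented cert.
function pinMatches(pinSet, cert, pinFn) {
  return pinSet.includes(pinFn(cert));
}

function demo() {
  const keyA = newSpki();   // key in service today
  const keyB = newSpki();   // backup key generated ahead of time, kept offline
  // Constructed sample certificates (only the fields the pins depend on).
  const issued  = { serial: '01', notAfter: '2025-01-01', spki: keyA };
  const renewed = { serial: '02', notAfter: '2026-01-01', spki: keyA }; // same key, new cert
  const rotated = { serial: '03', notAfter: '2027-01-01', spki: keyB }; // new key

  const certPins   = [certPin(issued)];
  const singlePin  = [spkiPin(issued)];
  const withBackup = [spkiPin(issued), spkiPin({ spki: keyB })];

  return {
    certPinAfterRenewal:    pinMatches(certPins, renewed, certPin),    // false
    spkiPinAfterRenewal:    pinMatches(singlePin, renewed, spkiPin),   // true
    spkiPinAfterRotation:   pinMatches(singlePin, rotated, spkiPin),   // false
    backupPinAfterRotation: pinMatches(withBackup, rotated, spkiPin),  // true
  };
}

console.log(demo());
```

An app that ships only one SPKI pin stops connecting the moment the server key is rotated, which is why the backup pin has to be embedded before it is needed.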
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your mobile app pins TLS and Burp or Charles shows no decryptable API calls, blocking debugging and security review.
Who is it for?
Solo builders shipping mobile clients who need to debug pinned production builds or run structured mobile pentests on Android and iOS.
Skip if: Server-only backends with no mobile TLS client, or bypass attempts on third-party apps without written permission.
When should I use this skill?
Intercepting HTTPS traffic from mobile applications that implement certificate pinning, public key pinning, or SPKI hash pinning on Android and iOS, including React Native, Flutter, and Xamarin.
What do I get? / Deliverables
You choose a pinning-type-aware bypass method, restore MITM visibility, and can hand off decrypted traffic to API-level security testing workflows.
- Platform- and framework-matched bypass procedure
- Pinning-type classification for the target app
- Checklist to validate decrypted API traffic before deeper API tests
Journey fit
Ship → Security is the canonical shelf because SSL pinning bypass is used during security assessment and pre-release hardening of mobile clients, not during initial ideation. Pinning bypass is a mobile appsec procedure once you need visibility into TLS-protected API traffic on real devices or emulators.
How it compares
Focused on TLS pinning defeat on devices; use api-sec skills after interception, not instead of platform-specific mobile setup.
Common Questions / FAQ
Who is mobile-ssl-pinning-bypass for?
It is for mobile developers and security testers who already use proxies or Frida and need playbook-level steps when standard trust-store installation fails due to pinning.
When should I use mobile-ssl-pinning-bypass?
Use it during Ship security or hardening when an Android or iOS build implements certificate, public key, or SPKI pinning and you must inspect HTTPS for debugging or authorized assessment.
Is mobile-ssl-pinning-bypass safe to install?
It describes invasive device hooks and MITM techniques—install only for apps you own or are contracted to test, and check the Security Audits panel on this Prism page before adding it to an agent.
Workflow Chain
Then invoke: api sec, android pentesting tricks
SKILL.md - Mobile SSL Pinning Bypass
# SKILL: Mobile SSL Pinning Bypass — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: Expert SSL pinning bypass techniques for mobile platforms. Covers Android and iOS bypass methods (Frida, Objection, Xposed, SSL Kill Switch), framework-specific bypasses (Flutter, React Native, Xamarin), and troubleshooting non-standard pinning implementations. Base models miss framework-specific hook points and multi-layer pinning configurations.

## 0. RELATED ROUTING

Before going deep, consider loading:

- [android-pentesting-tricks](../android-pentesting-tricks/SKILL.md) for broader Android testing beyond SSL bypass
- [ios-pentesting-tricks](../ios-pentesting-tricks/SKILL.md) for broader iOS testing beyond SSL bypass
- [api-sec](../api-sec/SKILL.md) once traffic is intercepted for API-level testing

---

## 1. SSL PINNING TYPES

| Pinning Type | What Is Pinned | Resilience | Common In |
|---|---|---|---|
| Certificate pinning | Exact leaf certificate (DER/PEM) | Low (breaks on cert rotation) | Legacy apps |
| Public key pinning | Subject Public Key Info | Medium (survives cert renewal if key unchanged) | Modern apps |
| SPKI hash pinning | SHA-256 of SPKI | Medium (same as public key) | OkHttp, AFNetworking |
| CA pinning | Intermediate or root CA cert | High (any cert from that CA works) | Enterprise apps |
| Multi-pin (backup pins) | Primary + backup pins | High (fallback pins) | HPKP-aware apps |

### How Pinning Works

```
TLS Handshake
│
├── Server presents certificate chain
│
├── Standard validation (system trust store)
│   └── Passes? continue : connection fails
│
└── Pin validation (app-level check)
    ├── Extract server cert/pubkey/SPKI hash
    ├── Compare against embedded pins
    └── Match found? → allow : → reject connection
```

---

## 2. ANDROID BYPASS METHODS

### 2.1 Frida Universal SSL Bypass

```javascript
// Hooks TrustManager, OkHttp, Volley, Retrofit, Conscrypt
Java.perform(function() {
    // ── TrustManagerImpl (Android system) ──
    try {
        var TMI = Java.use('com.android.org.conscrypt.TrustManagerImpl');
        TMI.verifyChain.implementation = function() {
            console.log('[Bypass] TrustManagerImpl.verifyChain');
            return arguments[0]; // return untouched chain
        };
    } catch(e) {}

    // ── X509TrustManager (custom implementations) ──
    var TrustManager = Java.registerClass({
        name: 'com.bypass.TrustManager',
        implements: [Java.use('javax.net.ssl.X509TrustManager')],
        methods: {
            checkClientTrusted: function() {},
            checkServerTrusted: function() {},
            getAcceptedIssuers: function() { return []; }
        }
    });

    var SSLContext = Java.use('javax.net.ssl.SSLContext');
    SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom')
        .implementation = function(km, tm, sr) {
            console.log('[Bypass] SSLContext.init');
            this.init(km, [TrustManager.$new()], sr);
        };

    // ── OkHttp3 CertificatePinner ──
    try {
        var CP = Java.use('okhttp3.CertificatePinner');
        CP.check.overload('java.lang.String', 'java.util.List').implementation = function() {
            console.log('[Bypass] OkHttp3 CertificatePinner.check: ' + arguments[0]);
        };
        // check$okhttp variant (OkHttp 4.x)
        try {
            CP['check$okhttp'].implementation = function() {};
        } catch(e) {}
    } catch(e) {}

    // ── Retrofit / OkHttp interceptor ──
    try {
        var OkHttpClient = Java.use('okhttp3.OkHttpClient$Builder');
        OkHttpClient.certificatePinner.implementation = function(pinner) {
            console.log('[Bypass] Ok