performing-mobile-app-certificate-pinning-bypass

Bypasses SSL/TLS certificate pinning implementations in Android and iOS applications to enable traffic interception during authorized security assessments. Covers OkHttp, TrustManager, NSURLSession, and third-party pinning library bypass techniques using Frida, Objection, and custom scripts. Activates for requests involving certificate pinning bypass, SSL pinning defeat, mobile TLS interception, or proxy-resistant app testing.

AI & Automation 16,326 stars 1981 forks Updated 2 weeks ago Apache-2.0

Quality Score: 97/100

Stars (20%): 100
Recency (20%): 90
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Performing Mobile App Certificate Pinning Bypass

## When to Use

Use this skill when:

- Mobile app refuses connections through a proxy due to certificate pinning
- Performing authorized security testing requiring HTTPS traffic interception
- Assessing the strength and bypass difficulty of pinning implementations
- Evaluating defense-in-depth of mobile app network security

**Do not use** to bypass pinning on apps without explicit testing authorization.

## Prerequisites

- Burp Suite configured as proxy with listener on all interfaces
- Rooted Android device or jailbroken iOS device
- Frida server running on target device
- Objection installed (`pip install objection`)
- Target app installed and reproducing the pinning behavior

## Workflow

### Step 1: Identify Pinning Implementation

**Android pinning methods to identify:**

```
1. Network Security Config (res/xml/network_security_config.xml)
   <pin-set> with certificate hash pins

2. OkHttp CertificatePinner
   CertificatePinner.Builder().add("api.target.com", "sha256/...")

3. Custom TrustManager
   X509TrustManager overrides in code

4. Third-party libraries
   - TrustKit
   - Certificate Transparency checks
```

**iOS pinning methods:**

```
1. NSURLSession delegate (URLSession:didReceiveChallenge:)
2. ATS (App Transport Security) with custom trust evaluation
3. TrustKit framework
4. Alamofire ServerTrustPolicy
5. Custom SecTrust evaluation
```

### Step 2: Bypass with Objection (Quickest Approach)

```bash
# Android ...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: 2 weeks ago
Language: Python
License: Apache-2.0
