Bypassing Android SSL Pinning

I was testing an app with Burp Suite, with the Android device configured to use Burp as its proxy. Requests from other apps showed up in the proxy history, but not a single request to the domain of the app under test appeared: the app was rejecting Burp's certificate, i.e. it was pinning its server certificate.

Switching to static analysis, I decompiled the app with dex2jar and searched the resulting Java code for the string X.509 (the certificate type name an app passes to Java's CertificateFactory when it loads a pinned certificate), which yielded a hit.

The hit referred to a raw resource. I then decoded the APK with apktool (apktool d name.apk), browsed its output directory and went to the res/raw/ folder, where a .crt file was present: the certificate the app pins.

In Burp Suite, under Proxy and then the "Options" tab, there is an option to import/export the CA certificate. I used it to export Burp's CA certificate (Burp writes it in DER format) directly into the res/raw/ folder, overwriting the existing file under the same name. One check before overwriting: open the original file. If it starts with "-----BEGIN CERTIFICATE-----" it is PEM, and the exported DER file should be converted to PEM first (openssl x509 -inform der -in cacert.der -out name.crt) so the app's loader reads the same encoding it expects.

The app is rebuilt with apktool b foldername (the result lands in foldername/dist/) and must then be re-signed, because apktool produces an unsigned APK and Android refuses to install one.

A signing key is generated (only once):

keytool -genkey -v -keystore my.keystore -keyalg RSA -keysize 2048 -validity 10000 -alias app

Fill in the details asked for, then sign the APK with this key. If you use apksigner, run zipalign before signing (zipalign -p 4 name.apk aligned.apk), since aligning afterwards would invalidate the signature:

apksigner sign --ks my.keystore name.apk

The signature can be verified with apksigner verify name.apk.

It is then installed via adb (adb install name.apk). Uninstall the original app first: the rebuilt APK is signed with a different key, and Android refuses to update an installed app whose signing key has changed. After that the app's requests show up in Burp. The same key generated in the first step can be used to sign other apps as well; you must remember the keystore password you chose while creating it.
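The one step above that is easy to get wrong is the certificate swap itself: the replacement has to be written in the same encoding the app's loader expects, and you want proof that the file on disk now really is Burp's CA. The helper below, an added example and not part of the original post, automates that. It assumes the layout the post describes (apktool output directory with the pinned certificate under res/raw/, Burp's CA exported as a DER file such as cacert.der); the file names, extensions and the SAMPLE_DER blob used for the self-check are assumptions or constructed data, not values from the page.

```python
"""Swap a pinned certificate in an apktool-decoded APK for a proxy CA,
preserving the original file's on-disk encoding (PEM or DER).

Added example; not the original post's code. Assumes the post's layout:
apktool output directory with res/raw/<name>.crt, and the Burp CA exported
from Proxy > Options as a DER file (e.g. cacert.der). Standard library only.
"""
import base64
import hashlib
import os
import re

# Extensions under which apps commonly ship a pinned certificate (assumption;
# if none match, grep the decompiled code for the resource name instead).
CERT_EXTENSIONS = (".crt", ".cer", ".pem", ".der")
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a certificate body (a DER SEQUENCE holding one
# INTEGER). Real files are full X.509 structures but start the same way.
SAMPLE_DER = bytes.fromhex("3003020105")


def find_cert_files(apk_dir):
    """Return candidate certificate files under res/ and assets/."""
    hits = []
    for sub in ("res", "assets"):
        for root, _dirs, files in os.walk(os.path.join(apk_dir, sub)):
            for name in files:
                if name.lower().endswith(CERT_EXTENSIONS):
                    hits.append(os.path.join(root, name))
    return sorted(hits)


def to_der(data):
    """Normalise a certificate blob to DER; return (der_bytes, encoding).

    PEM is recognised by its armour, DER by the leading SEQUENCE tag 0x30.
    Only the first certificate of a PEM bundle is used.
    """
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split())), "pem"
    if data[:1] == b"\x30":
        return data, "der"
    raise ValueError("not a PEM or DER certificate")


def pem_encode(der):
    """Wrap DER bytes in standard 64-column PEM armour."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n").encode()


def encode_like(original, der):
    """Re-encode `der` in the same on-disk encoding as `original`."""
    _, enc = to_der(original)
    return der if enc == "der" else pem_encode(der)


def fingerprint_sha256(data):
    """SHA-256 of the DER form, colon separated, as openssl/Burp print it."""
    der, _ = to_der(data)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def replace_pinned_cert(cert_path, proxy_ca_path):
    """Overwrite the pinned cert with the proxy CA, keeping its encoding.

    Returns (old_fingerprint, new_fingerprint); compare the second with the
    fingerprint Burp shows for its CA to confirm the swap took effect.
    """
    with open(cert_path, "rb") as f:
        original = f.read()
    with open(proxy_ca_path, "rb") as f:
        proxy_der, _ = to_der(f.read())
    with open(cert_path, "wb") as f:
        f.write(encode_like(original, proxy_der))
    with open(cert_path, "rb") as f:
        written = f.read()
    new_fp = fingerprint_sha256(written)
    if new_fp != fingerprint_sha256(proxy_der):
        raise RuntimeError("written file does not match the proxy CA")
    return fingerprint_sha256(original), new_fp


def demo():
    """Round-trip the constructed sample through both encodings (self-check)."""
    pem = pem_encode(SAMPLE_DER)
    return {
        "pem_roundtrip": to_der(pem) == (SAMPLE_DER, "pem"),
        "der_detected": to_der(SAMPLE_DER)[1] == "der",
        "same_fingerprint": fingerprint_sha256(pem) == fingerprint_sha256(SAMPLE_DER),
        "keeps_pem": encode_like(pem, SAMPLE_DER).startswith(b"-----BEGIN CERTIFICATE-----"),
        "keeps_der": encode_like(SAMPLE_DER, SAMPLE_DER) == SAMPLE_DER,
    }


if __name__ == "__main__":
    import sys
    apk_dir, proxy_ca = sys.argv[1], sys.argv[2]  # e.g. ./app_decoded ./cacert.der
    for path in find_cert_files(apk_dir):
        with open(path, "rb") as f:
            print(path, fingerprint_sha256(f.read()))
    # Then swap only the file the decompiled code actually loads, e.g.:
    # print(replace_pinned_cert(os.path.join(apk_dir, "res/raw/<name>.crt"), proxy_ca))
```

Run it against the apktool output directory first to list every certificate-looking file with its fingerprint, then call replace_pinned_cert on the one the decompiled code references; the rebuild, zipalign, apksigner and adb steps are the ones described above. Java's CertificateFactory accepts both PEM and DER, so the encoding check is mostly about not surprising a loader that inspects the bytes itself, but matching the original costs nothing and the fingerprint comparison is the only direct evidence that the file in the rebuilt APK is Burp's CA.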

SSL pinning can be implemented in many ways and this is just one of them: swapping the file only works when the app loads its pinned certificate from a resource, not when it hard-codes a certificate or public-key hash in code, which needs a different approach. If you need any help with a different implementation I would be happy to collaborate. Contact me on my Twitter handle.