Android SSL Pinning Bypass
Tools Required.
1. apktool
https://apktool.org/docs/install
2. uber-apk-signer
https://github.com/patrickfav/uber-apk-signer/releases
Network Security Configuration (BYPASS)
The network_security_config.xml file in Android is used to configure network security settings for an application. It allows developers to define security configurations related to network communication, such as specifying which certificates or certificate authorities (CAs) the app should trust, enforcing HTTPS, and configuring custom trust anchors.
We will abuse this functionality to bypass SSL pinning. This approach also doesn't require the device to be rooted, which is a plus.
Reverse the app using apktool.
apktool d appname.apk
A new folder with the application name will be created. Open the folder and look for the file network_security_config.xml in the /res/xml/ directory. If there is no file with this name, create it yourself and add the following content.
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
The provided code will instruct the application to trust both system and user-installed certificates.
Modify the AndroidManifest.xml file located in the root of the reversed application folder, and add the following attribute to the <application> tag of the Manifest file.
android:networkSecurityConfig="@xml/network_security_config"
If network_security_config.xml was already present in the /res/xml/ directory, you don't have to add this attribute, as it will already be in the Manifest file, but you can double-check.
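An added example, not part of the original write-up: a defender-side check that parses a network_security_config.xml (as found in /res/xml/ of a decoded APK) and reports the trust settings discussed above, so a release build that trusts user-installed CAs can be caught in review. The function name audit_nsc, the hardened sample, api.example.com and the placeholder pin are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SCOPES = ("base-config", "domain-config", "debug-overrides")

def audit_nsc(xml_text):
    """Return findings for a network_security_config.xml document."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for scope in root.iter():
        if scope.tag not in SCOPES:
            continue
        domains = [d.text.strip() for d in scope.findall("domain") if d.text]
        label = scope.tag + (f" [{', '.join(domains)}]" if domains else "")
        sources = [c.get("src") for c in scope.findall("trust-anchors/certificates")]
        # User CAs belong only in <debug-overrides>, which Android applies
        # to debuggable builds; anywhere else they reach release builds.
        if "user" in sources and scope.tag != "debug-overrides":
            findings.append(f"{label}: trusts user-installed CAs")
        if scope.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{label}: cleartext traffic permitted")
    if root.find(".//pin-set") is None:
        findings.append("no <pin-set>: no pinning declared in this file")
    return findings

# The configuration from this page (trusts system and user CAs everywhere).
PATCHED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config><trust-anchors>
    <certificates src="system" />
    <certificates src="user" />
  </trust-anchors></base-config>
</network-security-config>"""

# Constructed sample (placeholder domain and pin): user CAs in debug builds only.
HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system" /></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set><pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH=</pin></pin-set>
  </domain-config>
  <debug-overrides><trust-anchors><certificates src="user" /></trust-anchors></debug-overrides>
</network-security-config>"""

for name, cfg in (("patched", PATCHED_CONFIG), ("hardened", HARDENED_CONFIG)):
    print(name, audit_nsc(cfg) or "no findings")
```

Running it against the /res/xml/network_security_config.xml of a decoded release APK shows at a glance whether user-installed CAs are trusted outside debug builds.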

Rebuild the application with apktool.
apktool b <application_folder_name>
The new apk will be in the /dist directory of the reversed application folder. Sign the .apk with uber-apk-signer.
java -jar uber-apk-signer.jar -a /path/to/app.apk
A new apk will be generated with the following name:
<app-name>-aligned-debugSigned.apk
Install the application onto your Android device.
If you haven’t set up your proxy, follow the steps for setting up Burp Suite.
Setting Proxy on Android Device
1. Open Burp Suite, and from the Proxy Settings tab, click on the Add button under the Proxy Listeners, enter any port, and select All interfaces.

2. From your PC open CMD/Terminal and enter ipconfig or ifconfig based on your OS.

3. Note down your IPv4 address. If you are using a physical Android device, go to Wifi > Connected Wifi Settings > Advance > Proxy > Manual (this setting might vary based on your device). Now enter the IPv4 address as the proxy host name and, as the proxy port, the port that you added in Burp Suite.

4. If you are using an emulator like Android Studio, start your Emulator and click on the three dots on the side of the emulator to open settings and click on Settings > Proxy, Select Manual proxy configuration. In the Hostname add your IPv4 and in the Port number add the port.

5. To verify that the proxy is working, open the browser on the Android device and visit http://burp. In some cases http://burp might not work, so type your PC's IPv4 address like this: http://192.168.0.111:8084. If the page loads, your proxy is working.

6. Now from Burp Suite, go to the Proxy > Proxy Settings and click on the Import / Export CA Certificate button under Proxy Listeners. Under Export select the Certificate in DER format and click on Next, save the certificate with the .cer extension.

7. Copy the .cer certificate to your Android device and install it from the settings. Open your device settings and search for the certificate, click on Install certificates in the search results, and select the .cer certificate to install. This process is the same for both physical and emulator devices.
8. Open your device browser to check that the certificate is successfully installed and that HTTPS traffic can be intercepted: turn on Burp Intercept, and from the device browser search for google.com.

Now that the proxy is set, start your patched apk to intercept the traffic.