SSL Pinning, Concepts and Approaches
When the app hardcodes its server's certificate, mitmproxy alone isn't enough. The bypass landscape: Frida, objection, custom builds, and emulator-only realities.
What you’ll learn
- Explain what SSL pinning is and why apps use it.
- Diagnose pinning from symptoms (TLS errors despite mitmproxy CA trusted).
- Survey bypass approaches: Frida hooks, objection scripts, repacked APKs.
- Understand the ethical and legal limits.
You've installed the mitmproxy CA cert. The phone trusts it. mitmproxy is running. But the target app's traffic doesn't appear in mitmweb, or shows a TLS handshake error.
You've hit SSL pinning.
What it is
SSL pinning is an app-side check: in addition to the OS's trust store (which now trusts mitmproxy), the app validates the server's certificate against a hardcoded value, in one of three forms:
- Cert pinning: the exact public key or full cert is bundled with the app.
- Public-key pinning: only the public key is checked.
- CA pinning: only certs signed by a specific CA are accepted.
mitmproxy's fake cert doesn't match any of these. The app's pinning check fails. The connection drops.
This isn't a network problem; it's an application-layer check.
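To make that app-side check concrete, here is an added Go example (not code from this lesson or from any of the tools it names): it computes a certificate's SPKI pin in the same sha256/base64 form that OkHttp's CertificatePinner and Android's network_security_config use, then runs the pin check against two self-signed certificates minted inline for the same hostname, one standing in for the real server and one for what a MITM proxy presents. Go is used because its standard library can mint certificates offline; api.example.com and both certificates are constructed fixtures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns "sha256/<base64>" of the cert's DER SubjectPublicKeyInfo, the pin
// format used by OkHttp CertificatePinner, Android network_security_config and HPKP.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// checkPins is the app-side check layered on top of OS trust-store validation:
// the presented leaf's SPKI hash must be in the pin set bundled with the app.
// A MITM cert the OS trusts (via a user-installed CA) still fails here.
func checkPins(leaf *x509.Certificate, pins map[string]bool) error {
	if got := spkiPin(leaf); !pins[got] {
		return fmt.Errorf("pin mismatch for %v: %s not in pin set", leaf.DNSNames, got)
	}
	return nil
}

// selfSigned mints a throwaway cert for host with a fresh key (constructed fixture).
// Errors are dropped deliberately: the inputs are fixed, and a nil cert panics anyway.
func selfSigned(host string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	// Same hostname, two different keys: the pinned origin vs. what a MITM proxy presents.
	server, proxied := selfSigned("api.example.com"), selfSigned("api.example.com")
	pins := map[string]bool{spkiPin(server): true} // the value shipped inside the app
	fmt.Println(checkPins(server, pins), "|", checkPins(proxied, pins)) // <nil> | pin mismatch error
}
```

The proxy's certificate can carry the right hostname and chain to a CA the OS trusts, and the check still rejects it, which is exactly why installing the mitmproxy CA is not enough.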
How to diagnose
Symptoms:
- App says "Network error" or "Connection failed" with mitmproxy in the path.
- Same app works fine without the proxy.
- Other apps DO show up in mitmproxy; pinning is per-app.
- mitmproxy log shows TLS handshake completed normally; app simply doesn't trust the cert.
If web traffic works through mitmproxy on the same device but the app's traffic doesn't, pinning is the likely cause.
Bypass approaches
Several options, increasing in complexity.
Option 1: Use an emulator
Pinning is often easier to bypass on an emulator:
- Android Emulator with Magisk + LSPosed + a pinning-bypass module: a relatively common pattern.
- iOS Simulator: pinning code paths sometimes branch differently, and some apps don't pin in simulator builds.
Try the emulator first. Free if it works.
Option 2: Frida
Frida is a dynamic instrumentation toolkit. You inject a JavaScript hook into the running process that overrides the pinning check.
pip install frida-tools
frida-ps -Uai # list running apps
frida -U -l unpin.js -f com.example.app
unpin.js overrides the methods that perform pinning. Many pre-written scripts exist:
- frida-multiple-unpinning, covers OkHttp, TrustManagerImpl, AFNetworking, SSL Kill Switch.
- Various platform-specific bypass scripts on GitHub.
Frida requires:
- A rooted Android device (or emulator).
- For iOS: jailbroken, or a re-signed IPA with Frida gadget injected.
Option 3: objection
objection is a higher-level wrapper around Frida focused on mobile pen-testing:
pip install objection
objection -g com.example.app explore
android sslpinning disable # typed inside the objection REPL, not the shell
Runs Frida hooks for common pinning implementations automatically. Often the first thing to try after Frida-bypass scripts.
Option 4: Custom-build / patched APK
Decompile the APK with apktool, find the pinning code, replace with a no-op, repack, sign, install. Permanent in the modified app; doesn't require runtime hooks.
Tools: apktool, jadx, uber-apk-signer.
This is invasive and breaks app updates; useful for long-term scraping of a stable target.
Option 5: Network-level workaround
Some apps pin only specific connections (the auth API) but not others. Capture what you can; reverse-engineer the auth flow from the unpinned endpoints; reconstruct the protected calls externally.
Option 6: Burp Suite / Charles certs
A few apps pin to a specific CA, rejecting any cert not signed by it. Burp Suite and Charles can issue certs signed by user-installed CAs that match this expectation in some cases.
Option 7: Repackaged with pinning library disabled
If the app uses OkHttp or AFNetworking, you can sometimes:
- Hook the certificate validation function.
- Replace the pinning library's class with a permissive shim.
- Use a network_security_config.xml override (Android only, and only if the app respects it).
When pinning is genuinely insurmountable
Some apps combine pinning with:
- Anti-tamper detection (refuses to run if patched/rooted).
- Native-code pinning (the pinning runs in C, not Java).
- Runtime integrity checks (refuses to start if Frida is present).
- Encrypted pinning (the pinned cert is encrypted with a key derived from runtime state).
Banking apps, payment apps, and healthcare apps often have all five. These are designed to resist a determined attacker. As a scraper, you're at the wrong end of the cost curve; accept it and find another data source.
Ethics and legality: this lesson's serious section
Bypassing SSL pinning is meaningfully more ethically and legally fraught than other scraping techniques:
- You're circumventing a security measure intentionally placed by the app developer. In some jurisdictions (US CFAA, UK CMA), this is a stronger violation than scraping a website.
- App ToS almost universally forbid it. "Tampering," "reverse engineering," and similar clauses are standard.
- Financial / healthcare apps are special. Bypassing pinning on a banking app is a serious offense regardless of your intent. Don't.
- Research and security testing are different. Penetration testers do this under contract; that's legitimately a different legal posture than scraping.
When in doubt, don't. Scraping pinned mobile apps is the most legally exposed corner of the entire curriculum.
Realistic scraper use cases
The narrow, defensible use cases:
- Your own apps. If you own the backend, bypassing your own pinning to debug is fine.
- Research with permission. Authorized penetration tests, academic research with disclosure agreements.
- Personal data extraction. Some jurisdictions (notably the EU under GDPR) explicitly allow extracting your own data; that may justify hooking your own session.
For commercial scraping of third-party apps, pinning is usually a "stop" signal. Find another path.
The bypass workflow (when you've decided it's justified)
- Confirm pinning via the diagnostic symptoms.
- Choose your platform (emulator first; physical device only if you must).
- Try objection; it covers common cases automatically.
- If objection fails, drop to Frida with a manual script targeting the app's specific pinning implementation.
- As a last resort, repack the APK with the pinning code patched out.
- Document the bypass; share if appropriate (responsible disclosure).
Tools and references
- Frida (frida.re): the de facto runtime instrumentation tool.
- objection (github.com/sensepost/objection): pen-testing wrapper around Frida.
- frida-multiple-unpinning (github.com/m0bilesecurity/Frida-Multiple-Bypass).
- apktool, jadx: APK decompilation.
- HTTP Toolkit: has a built-in Android pinning bypass for some popular apps.
Hands-on lab
This is a conceptual lesson; Catalog108 doesn't ship a real mobile app. As an exercise: set up an Android emulator with objection. Pick a non-financial, non-personal-data app you have an account on (a news app, a podcast app). Try android sslpinning disable and see whether capture works through mitmproxy. The technique compounds; the legal awareness needs equal investment.
Quiz, check your understanding
Pass mark is 70%. Pick the best answer; you’ll see the explanation right after.