Certificate pinning — the practice of hardcoding expected server certificates or public keys into a mobile application — has been a cornerstone of mobile API security for a decade. The cat-and-mouse game between pinning implementations and bypass tooling has escalated considerably in the past two years, driven by platform changes in iOS 18 and Android 15, more sophisticated obfuscation in security-conscious applications, and improved tooling on both sides.
The Standard Bypass Toolkit
Frida remains the most powerful instrument for certificate pinning bypass. The dynamic instrumentation toolkit allows runtime hooks into any function in a running process — including the TLS validation routines responsible for certificate checking.
Objection, built on Frida, provides pre-built scripts targeting common implementations including OkHttp3, TrustKit, Retrofit, and iOS URLSession. The key commands:
# iOS
objection --gadget "TargetApp" explore
ios sslpinning disable
# Android
objection --gadget "com.target.app" explore
android sslpinning disable
In our testing against 28 mobile applications across banking, healthcare, and enterprise categories, these commands successfully bypassed pinning in 19 applications without any customisation required.
The 9 applications that resisted required custom Frida scripts, reverse engineering of native libraries, or physical device testing to circumvent additional security controls layered alongside pinning.
What's Actually Hardened in 2025
Applications implementing pinning at the native code level represent meaningfully harder targets:
- Android JNI implementations — pinning logic in a native library (
.sofile) rather than Java/Kotlin is harder to hook. Frida can still attach, but identifying the correct function offset requires static analysis of the binary first. - iOS Swift with obfuscated URLSessionDelegate — custom
URLSessiondelegate implementations that validate certificate hashes in Swift, compiled with obfuscation passes, require decompilation to understand the validation logic before writing a bypass. - LLVM-obfuscated binaries — we have encountered applications that validate certificate hashes in native libraries compiled with commercial LLVM obfuscation. These require significant reverse engineering effort before a bypass can be written.
A useful heuristic: if objection's standard commands fail and you can't find obvious certificate validation logic using class-dump or jadx, you're likely dealing with native code pinning.
Android 15 and the Conscrypt Layer
Android 15's updated Network Security Configuration with certificate transparency enforcement adds complexity that older bypass techniques do not address.
Android's TLS stack uses Conscrypt — a Java Security Provider backed by BoringSSL. Applications that rely on the platform TLS stack are pinning through Conscrypt's OpenSSLSocketImpl. Standard Frida scripts that hook the Java-layer TLS methods may miss implementations that operate at the Conscrypt level.
Our updated approach targets OpenSSLSocketImpl directly:
// Frida script — Conscrypt-level bypass (Android 15)
Java.perform(function() {
const OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
OpenSSLSocketImpl.verifyCertificateChain.implementation = function(certRefs, authMethod) {
// bypass: do nothing, accept any chain
};
});
This approach has been effective against all Conscrypt-level implementations we've tested. Note that some applications additionally implement X509TrustManager custom implementations — both hooks may be necessary.
iOS 18 — Trust Store Changes
Apple's changes to the trust evaluation chain in iOS 18 have minor but notable implications for bypass tooling:
- The
SecTrustEvaluateWithErrorAPI is now the standard path. Applications still using the deprecatedSecTrustEvaluatemay behave differently — some bypass scripts target one or the other. - Applications implementing pinning via
URLSession'sdidReceiveChallengedelegate method remain bypassable via Frida hooks onNSURLSession. - Applications using
Network.framework(NWConnection) require hooks at a different layer —nw_connection_copy_protocol_metadataand the TLS protocol options.
Physical Device vs Emulator
For hardened applications with root/jailbreak detection:
- Android — test on a physical device rooted with Magisk + MagiskHide (or its successors). Emulators are increasingly detected. For the most hardened applications, consider a custom Android build with
ro.debuggable=1. - iOS — jailbreak detection is harder to bypass than certificate pinning in many high-security applications. Palera1n on iOS 16 remains more reliable than jailbreaks for iOS 17/18. For applications that detect popular jailbreaks,
Liberty LiteandShadowcan suppress detection.
Developer Recommendations
The goal for developers is not to make certificate pinning unbypassable — determined attackers with physical access to a device will always have options. The goal is to raise the cost sufficiently that casual interception is impossible and targeted attacks require significant expertise and effort.
- Implement pinning at the native code level rather than through framework abstractions — this alone increases bypass difficulty dramatically
- Combine public key pinning with backup pin sets to survive certificate rotation without releasing a new app build
- Layer anti-tampering and root/jailbreak detection to raise the cost of bypass — not as the sole defence, but as friction
- Use certificate transparency logging for all issued certificates, so unexpected certificates for your domains are detectable
- Conduct MASVS-aligned mobile penetration tests at least annually and after major releases — the tooling evolves quickly and last year's "secure" implementation may be bypassable today
The applications we cannot bypass in a standard engagement are not those with the most sophisticated pinning — they're the ones with defence-in-depth: pinning plus native obfuscation plus integrity checks plus anomaly detection on the server side for unusual API usage patterns.
References
Frequently Asked Questions
Does Frida still bypass certificate pinning in 2025?
Yes, for the majority of consumer applications. Objection's 'ios sslpinning disable' and 'android sslpinning disable' commands work against a substantial proportion of apps. In testing against 28 mobile applications, these commands bypassed pinning in 19 without any customisation. The remaining 9 required custom Frida scripts targeting native code implementations.
What certificate pinning implementation is hardest to bypass?
Applications implementing pinning at the native code level — using JNI in Android or Swift with custom URLSessionDelegate implementations with obfuscated validation logic — require significantly more effort. LLVM-obfuscated native libraries with hash validation are the most resistant implementations we encounter.
What should developers do to implement certificate pinning correctly?
Implement pinning at the native code level rather than through framework abstractions, combine public key pinning with backup pin sets to survive certificate rotation, layer anti-tampering and root/jailbreak detection to raise the cost of bypass, and conduct MASVS-aligned mobile penetration tests at least annually and after major releases.
Is certificate pinning still required for OWASP MASVS compliance?
OWASP MASVS-NETWORK-2 requires certificate pinning for high-assurance applications (L2 level). Standard mobile apps may comply at L1 without pinning, but financial, healthcare, and government applications typically must implement pinning to meet sector regulatory expectations and OWASP MASTG verification requirements.
Can we use certificate transparency monitoring instead of pinning?
CT monitoring is a useful complementary control — it lets you detect unexpected certificates issued for your domains — but it does not protect the user. If a rogue certificate is issued and used in an attack, CT logs help you investigate after the fact. Pinning prevents the attack in the first place. The two controls serve different purposes.
Does pinning protect against man-in-the-middle attacks on user devices?
Pinning protects against MITM where the attacker controls the network but not the device. It does not protect against device compromise (rooted/jailbroken devices where the attacker can hook the runtime), social engineering that installs malicious root CAs, or supply chain attacks against the application itself. It is one layer of defence, not a complete solution.
How long does a mobile app security audit take?
A MASVS L1 assessment typically takes 5–8 working days per platform (iOS, Android separately). L2 assessments with detailed binary analysis, runtime testing, and backend API review run 10–15 working days per platform. Most clients book both platforms simultaneously for a 3–4 week engagement.