Certificate pinning — the practice of hardcoding expected server certificates or public keys into a mobile application — has been a cornerstone of mobile API security for a decade. The cat-and-mouse game between pinning implementations and bypass tooling has escalated considerably in the past two years.

The Standard Bypass Toolkit

Frida remains the most powerful instrument for certificate pinning bypass. The dynamic instrumentation toolkit allows runtime hooks into any function in a running process. The frida-ios-dump and Objection frameworks provide pre-built scripts targeting common implementations including OkHttp, TrustKit, and iOS URLSession.

Objection's "ios sslpinning disable" and "android sslpinning disable" commands work against a substantial proportion of consumer applications. In our testing against 28 mobile applications, these commands successfully bypassed pinning in 19 without any customisation required.

What's Actually Hardened in 2025

Applications that implement pinning at the native code level (JNI on Android, or Swift with a custom URLSessionDelegate and obfuscated validation logic) require significantly more effort to bypass. We have encountered applications that validate certificate hashes in native libraries compiled with LLVM obfuscation.

Android 15 and the Conscrypt Layer

Android 15's Network Security Configuration with certificate transparency enforcement adds a layer that older bypass techniques do not address. Our updated Frida scripts target OpenSSLSocketImpl directly to handle Conscrypt-level pinning.

Developer Recommendations

  • Implement pinning at the native code level rather than through framework abstractions
  • Combine public key pinning with backup pin sets to survive certificate rotation
  • Layer anti-tampering and root/jailbreak detection to raise the cost of bypass
  • Conduct MASVS-aligned mobile penetration tests at least annually and after major releases
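The native-level and backup-pin recommendations above, in working form. This is an added example, not code from the original article or from any tool it names: a reference check in Python that walks a DER certificate to its SubjectPublicKeyInfo, hashes it to an SPKI pin, and accepts a chain when any certificate matches the primary or a backup pin, with a pin-set expiry after which pins stop being enforced (mirroring the expiration attribute of Android's Network Security Configuration pin-set). The certificates are constructed, unsigned dummies with a correct DER skeleton; the helper names are this example's own. The logic is meant to be ported into the native layer (JNI or a URLSessionDelegate), and it assumes the chain has already passed normal TLS validation.

```python
"""Reference SPKI pin check with a backup pin set (added example, not the article's code)."""
import hashlib
from datetime import date


# --- minimal DER helpers, written here so the example runs offline ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_read(buf: bytes, pos: int):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, start, start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Path: Certificate -> tbsCertificate -> [0] version (optional), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo.
    """
    _, pos, _ = der_read(cert_der, 0)             # Certificate SEQUENCE
    tag, pos, tbs_end = der_read(cert_der, pos)    # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = der_read(cert_der, pos)
    if tag == 0xA0:                                # explicit [0] version present
        pos = end
    for _ in range(5):                             # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_read(cert_der, pos)
    tag, _, end = der_read(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed subjectPublicKeyInfo")
    return cert_der[pos:end]


def spki_pin(cert_der: bytes) -> bytes:
    """Pin = SHA-256 over the DER SubjectPublicKeyInfo (HPKP / Android NSC style)."""
    return hashlib.sha256(extract_spki(cert_der)).digest()


class PinSet:
    """Primary plus backup pins, with an expiry after which pins stop being enforced."""

    def __init__(self, pins_hex, expires: date):
        if len(pins_hex) < 2:
            raise ValueError("ship at least one backup pin so key rotation cannot brick the app")
        self.pins = {bytes.fromhex(p) for p in pins_hex}
        self.expires = expires

    def verify(self, chain_der, today: date) -> bool:
        """True if any certificate in the (already chain-validated) chain matches a pin."""
        if today > self.expires:
            # Expired pin set: stop enforcing rather than hard-failing, as NSC does.
            return True
        return any(spki_pin(c) in self.pins for c in chain_der)


# --- constructed test material: unsigned dummy certificates with valid DER layout ---

OID_RSA_SHA256 = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
OID_EC_PUBKEY = der_tlv(0x06, bytes.fromhex("2a8648ce3d0201"))       # 1.2.840.10045.2.1


def make_dummy_cert(key_bytes: bytes, with_version: bool = True) -> bytes:
    """Build a structurally valid Certificate whose SPKI wraps key_bytes (signature is junk)."""
    spki = der_tlv(0x30, der_tlv(0x30, OID_EC_PUBKEY) + der_tlv(0x03, b"\x00" + key_bytes))
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02")) if with_version else b""
    serial = der_tlv(0x02, b"\x01")
    sig_alg = der_tlv(0x30, OID_RSA_SHA256)
    name = der_tlv(0x30, b"")                      # empty Name is enough for the walker
    validity = der_tlv(0x30, der_tlv(0x17, b"250101000000Z") + der_tlv(0x17, b"260101000000Z"))
    tbs = der_tlv(0x30, version + serial + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 9))


CURRENT_CERT = make_dummy_cert(b"\x04" + b"\x11" * 64)          # key in use today
BACKUP_CERT = make_dummy_cert(b"\x04" + b"\x22" * 64, False)    # spare key generated offline
UNKNOWN_CERT = make_dummy_cert(b"\x04" + b"\x33" * 64)          # key the app has never seen

PINS = PinSet([spki_pin(CURRENT_CERT).hex(), spki_pin(BACKUP_CERT).hex()],
              expires=date(2026, 1, 1))


def rotation_demo() -> dict:
    """Walk through the rotation scenario; returns each outcome for inspection."""
    today = date(2025, 6, 1)
    return {
        "current_key_ok": PINS.verify([CURRENT_CERT], today),
        "rotated_to_backup_ok": PINS.verify([BACKUP_CERT], today),
        "unknown_key_rejected": not PINS.verify([UNKNOWN_CERT], today),
        "expired_pins_not_enforced": PINS.verify([UNKNOWN_CERT], date(2026, 6, 1)),
    }


if __name__ == "__main__":
    for name, ok in rotation_demo().items():
        print(f"{name}: {ok}")
```

Run it directly to see the four outcomes. The point that matters for rotation is that the pin covers the public key, not the leaf certificate, and that the backup key pair is generated offline before the primary is ever deployed: a key compromise or CA change is then survived by issuing a certificate for the already-pinned backup key. Without a backup pin, the only recovery from a rotated key is a forced app update.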