Blackbox tool to bypass SSL certificate pinning for most applications running on a device.
This tool leverages Cydia Substrate to hook various methods in order to bypass certificate pinning by accepting any SSL certificate.
- Ensure that Cydia Substrate has been deployed on your test device. The installer requires a rooted device and can be found on the Google Play store at https://play.google.com/store/apps/details?id=com.saurik.substrate&hl=en
- Download the pre-compiled APK available at https://github.com/iSECPartners/Android-SSL-TrustKiller/releases
Install the APK package on the device:
adb install Android-SSL-TrustKiller.apk
Add the CA certificate of your proxy tool to the device's trust store.
Use only on a test devices as anyone on the same network can intercept traffic from a number of applications including Google apps. This extension will soon be integrated into Introspy-Android (https://github.com/iSECPartners/Introspy-Android) in order to allow you to proxy only selected applications.