Android Application Pentesting—Bypass SSL Pinning | by Manoj Deshmukh | Mar, 2025

Overview:

This article walks through setting up a lab for penetration testing Android applications, including how to install all the dependencies.

Android penetration testing involves assessing an application’s security by identifying vulnerabilities in its source code, binary files, and network traffic. There are two main approaches:

  • Static Analysis: Reviewing an application’s code and configuration files without executing it.
  • Dynamic Analysis: Running the application to monitor its behaviour and interactions in real time.

In this article, we will set up a dynamic testing lab using:

  1. A Rooted Android Emulator
  2. Frida Server
  3. Burp Suite

We need an Android emulator to run the target application for dynamic testing. We’ll use Android Studio to set up the emulator.

Download and install Android Studio from the official website: https://developer.android.com/studio

Once it is set up, open the Android Studio application; you will land on the dashboard.

Android Studio dashboard

Open Android Studio and navigate to the Virtual Device Manager by clicking More > Virtual Device Manager.

Android Studio dashboard with access to the Virtual Device Manager

Once inside the Virtual Device Manager, you will see a blank screen, as shown in the screenshot below.

Device Manager dashboard

Click the “+” icon in the top-left corner and select a device. (Example: Pixel 7a).

Devices List for Emulator

Select an Android version for your emulator. (Example: Android Q (API 29)). Download the system image if required.

System image for the emulator

Name your emulator and complete the setup.

Final Settings to Setup emulator

Run the emulator and verify that it boots successfully.

Open Command Prompt and navigate to:

cd C:\Users\\AppData\Local\Android\Sdk\platform-tools

Check if the emulator is detected by running:

adb devices

You should see a connected device (e.g., emulator-5554).

Download RootAVD from GitHub (works for API 30). https://github.com/newbit1/rootAVD

Change directory and run the following command to root your emulator:

rootAVD.bat
rootAVD.bat system-images\android-30\default\x86_64\ramdisk.img

Upon reboot, you should see the Magisk app installed, confirming the device is rooted.

Open Magisk, and when prompted, click OK to reboot.

Once rebooted, verify root access by running:

adb shell
su

Open Magisk, and when prompted, click Grant.

After granting access, confirm the current user by running:

whoami

The output should be root, confirming successful rooting.

Open Burp Suite, navigate to Proxy Settings, and:

  • Edit the listener to listen on all interfaces.
  • Ensure port 8080 is selected.

In the settings, edit the listener, set it to bind to all interfaces, and click OK.

Ensure that *:8080 is set.

On the emulator, go to Wi-Fi settings:

Click Edit on your Wi-Fi network.

  • Select Manual Proxy.
  • Set the Proxy Hostname to your system’s IP address.
  • Set the Port to 8080.
  • Click Save.

Verify the connection: Open Chrome on the emulator and navigate to

http://burp

Download the Burp CA certificate (cacert.crt).

Go to Settings > Install Certificates and install cacert.crt.

Click on Install Certificates

Select cacert.crt

Name the certificate and confirm the installation.

Open Chrome and visit any HTTPS website. The page should load without errors.

Go back to Burp Suite and check the HTTP request logs. You should see the captured requests.

Your rooted Android emulator is now configured to intercept traffic using Burp Suite. You can open applications and start intercepting network traffic. However, if the application uses SSL pinning (it accepts only its own pinned certificate instead of the CA certificates installed on the device), you will need to bypass the pinning to capture its encrypted requests.

Step 4: Bypassing SSL Pinning with Frida

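Install Frida on your host machine. The frida command-line client is provided by the frida-tools package, which pulls in the frida bindings as a dependency. Run the following commands:

pip3 install frida-tools
frida --version

Ensure Frida is installed by verifying its version.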

Go to GitHub Frida Releases and select the version that matches the one installed on your host machine. Locate the frida-server file and download the version corresponding to your emulator’s architecture (e.g., android-x86_64).

To find the architecture, go to your Device Manager; it is listed there.

Once it is downloaded, extract the file; you should see the file frida-server-16.6.1-android-x86_64
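A preflight check for the version and architecture matching described above, as an added example that is not part of the original article. The function names are hypothetical, the sample version 16.6.1 is the one shown on this page, and the device ABI is assumed to be read from the standard ro.product.cpu.abi property.

```python
import re
import subprocess
import sys

# Android ABI (getprop ro.product.cpu.abi) -> suffix used in frida-server release names
ABI_TO_ARCH = {"x86_64": "x86_64", "x86": "x86", "arm64-v8a": "arm64", "armeabi-v7a": "arm"}
ASSET_RE = re.compile(r"frida-server-(\d+\.\d+\.\d+)-android-(\w+)(\.xz)?")

def ready_devices(adb_devices_output):
    """Serials in state 'device'; 'offline' or 'unauthorized' entries are not usable."""
    rows = (line.split() for line in adb_devices_output.splitlines())
    return [r[0] for r in rows if len(r) == 2 and r[1] == "device"]

def expected_asset(host_version, abi):
    """Release file name that matches the host Frida version and the device ABI."""
    version, abi = host_version.strip(), abi.strip()
    if not re.fullmatch(r"\d+\.\d+\.\d+", version):
        raise ValueError(f"unexpected Frida version: {version!r}")
    if abi not in ABI_TO_ARCH:
        raise ValueError(f"unsupported ABI: {abi!r}")
    return f"frida-server-{version}-android-{ABI_TO_ARCH[abi]}"

def check_download(filename, host_version, abi):
    """Return a list of problems with a downloaded frida-server file (empty list = OK)."""
    m = ASSET_RE.fullmatch(filename)
    if not m:
        return [f"{filename!r} is not a frida-server release file name"]
    want = expected_asset(host_version, abi)  # also validates both inputs
    got = f"frida-server-{m.group(1)}-android-{m.group(2)}"
    problems = []
    if got != want:
        problems.append(f"got {got}, expected {want}")
    if m.group(3):
        problems.append("file is still .xz-compressed; extract it before adb push")
    return problems

def run(*cmd):
    """Run a host command and return its stdout as text."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    serials = ready_devices(run("adb", "devices"))
    if not serials:
        sys.exit("no emulator in 'device' state; check `adb devices`")
    abi = run("adb", "-s", serials[0], "shell", "getprop", "ro.product.cpu.abi")
    for problem in check_download(sys.argv[1], run("frida", "--version"), abi):
        print("PROBLEM:", problem)
```

Run it with the downloaded file name as the only argument; no output means the file matches the host Frida version and the emulator's ABI.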

Push Frida Server to the emulator, renaming it to frida-server on the device:

adb push frida-server-16.6.1-android-x86_64 /data/local/tmp/frida-server

Access the emulator shell, make the binary executable, and start it:

adb shell
su
cd /data/local/tmp/
chmod 777 frida-server
./frida-server &

The chmod 777 frida-server command changes the file permissions, and “./frida-server &” starts the Frida server; the trailing & runs it in the background. Frida Server should now be running in the background.

Now it’s time to install the application and begin intercepting data.

Download the required APK file from APKCombo or install it directly from the Play Store.

adb install 

If downloaded on your phone, locate it in the Downloads folder and install it manually.


Once installed, open the terminal and run the following command to find the application’s package name:

adb shell pm list packages | findstr ""

Copy the full package name for further use.

Download an SSL bypass script (ssl.js) from GitHub.

Run Frida with the script:

frida -U -n  -l ssl.js --no-pause

Once the command is executed, the application will launch automatically in your emulator with SSL pinning disabled.

Open the target application and perform some actions. In Burp Suite, check if the HTTPS requests appear. If intercepted, SSL Pinning has been successfully bypassed!

You have successfully:
1. Set up an Android Emulator for pentesting.
2. Rooted the emulator using Magisk.
3. Configured Burp Suite to intercept traffic.
4. Installed and used Frida to bypass SSL Pinning.

Now, you can perform dynamic application security testing and analyse network traffic for vulnerabilities.
