Disabling OkHttp’s SSL Pinning on Android Apps

Using the Android emulator with a proxy.

Decompiling the App

First, you need to decompile the app. Apktool works great for this, and it’s available on all platforms. Follow the install instructions and then decompile the APK.

Decompiling an app with apktool.

Removing the pin

Next, you’ll need to remove the pinned certificate from the application. It’s easiest to use grep to look for “CertificatePinner”.

Finding uses of CertificatePinner with grep.
Adding a certificate in Smali.
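For orientation, this is the shape of the declaration that the grep above is locating. It is an added example, not code from the article or from the app being discussed; the hostname and the two pin values are placeholders. The class reference `okhttp3/CertificatePinner` and the string literals (the hostname and the `sha256/...` pins) survive compilation into the smali, which is why a text search finds them. The same fact is the defensive takeaway: the pin set lives inside the APK, so OkHttp pinning protects an unmodified client from interception on the network, but it cannot protect against someone who controls the device and can repackage the app.

```java
import java.io.IOException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class PinnedClient {
    // Placeholder host and pins (not from the article). A real pin is
    // "sha256/" followed by the base64 SHA-256 of the certificate's
    // SubjectPublicKeyInfo; OkHttp rejects pins that do not decode to 32 bytes.
    static final String HOST = "api.example.com";
    static final String PIN_PRIMARY = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    // A backup pin (e.g. for the next key) keeps a key rotation from locking
    // clients out; without one, rotating the server key breaks every installed app.
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN_PRIMARY)
                .add(HOST, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    public static void main(String[] args) throws IOException {
        Request request = new Request.Builder().url("https://" + HOST + "/").build();
        // Fails with SSLPeerUnverifiedException if no certificate in the
        // server's chain matches one of the pins for HOST.
        try (Response response = build().newCall(request).execute()) {
            System.out.println(response.code());
        }
    }
}
```

When auditing an app, the same search can be used defensively: confirm that every sensitive host has a pin entry, that a backup pin is present, and that no debug build variant removes the pinner.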

Rebuilding the APK

After you’ve removed the SSL pinning, rebuild the APK using apktool. You’ll have to zipalign the APK and resign it with your signing key to get Android to accept it.

Rebuilding the APK.
Generating a key using keytool.

I’m a cybersecurity consultant who develops software. I help agile teams deliver secure digital experiences to their customers.
Jonathan Cooper