Mobile TLS Pinning Bypass.

The category of techniques used to disable certificate pinning in a mobile app — typically via Frida or Objection hooks on platform TLS APIs — so a pen-tester or attacker can run a man-in-the-middle proxy and inspect API traffic. Cette notion relève de la catégorie Sécurité mobile en cybersécurité.

The category of techniques used to disable certificate pinning in a mobile app — typically via Frida or Objection hooks on platform TLS APIs — so a pen-tester or attacker can run a man-in-the-middle proxy and inspect API traffic.

Many mobile apps implement TLS certificate (or public-key) pinning to ensure that traffic to a known backend cannot be intercepted by a CA-issued certificate the user trusts. Pinning is the right default for any high-value app, but it also blocks legitimate traffic inspection by mobile pen-testers, fraud analysts, and AppSec teams. Mobile TLS pinning bypass refers to the set of techniques used to disable pinning at run-time inside a controlled test environment, almost always with Frida or its higher-level wrapper Objection: hooks on Android's `X509TrustManagerExtensions.checkServerTrusted`, `okhttp3.CertificatePinner.check`, and `WebViewClient.onReceivedSslError`; on iOS hooks on `SSLSetSessionOption`, `URLSession`'s authentication-challenge delegates, and TrustKit's `TSKPinningValidator`. Pre-canned scripts cover the common HTTP clients (OkHttp, Retrofit, AFNetworking, Alamofire). On the defensive side, MASVS controls require pinning, and apps targeting threat models that include hostile devices add hardware-backed attestation (Play Integrity, App Attest) plus integrity checks to detect Frida instrumentation; the resulting cat-and-mouse is one of the central themes of mobile AppSec.

Les défenses contre Mobile TLS Pinning Bypass combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.

Noms alternatifs courants : Certificate pinning bypass, Frida pinning bypass.