Vol. 1 · Ed. 2026
CyberGlossary
Entry № 781

Mobile TLS Pinning Bypass

What is Mobile TLS Pinning Bypass?

Mobile TLS Pinning Bypass: The category of techniques used to disable certificate pinning in a mobile app — typically via Frida or Objection hooks on platform TLS APIs — so a pen-tester or attacker can run a man-in-the-middle proxy and inspect API traffic.


Many mobile apps implement TLS certificate (or public-key) pinning so that traffic to a known backend cannot be intercepted with a certificate issued by a CA the user or device trusts. Pinning is the right default for any high-value app, but it also blocks legitimate traffic inspection by mobile pen-testers, fraud analysts, and AppSec teams. Mobile TLS pinning bypass refers to the set of techniques used to disable pinning at runtime inside a controlled test environment, almost always with Frida or its higher-level wrapper Objection. On Android the hooks target `X509TrustManagerExtensions.checkServerTrusted`, `okhttp3.CertificatePinner.check`, and `WebViewClient.onReceivedSslError`; on iOS they target `SSLSetSessionOption`, `URLSession`'s authentication-challenge delegates, and TrustKit's `TSKPinningValidator`. Ready-made scripts cover the common HTTP clients (OkHttp, Retrofit, AFNetworking, Alamofire). On the defensive side, MASVS controls require pinning, and apps whose threat model includes hostile devices add hardware-backed attestation (Play Integrity, App Attest) plus integrity checks that detect Frida instrumentation; the resulting cat-and-mouse game is one of the central themes of mobile AppSec.

1. An AppSec tester runs Objection's `android sslpinning disable` to MITM an Android banking app's API traffic via Burp Suite.
2. A defender adds an additional anti-Frida check that aborts the app if it detects `frida-agent` mapped into the process memory, complementing pinning.
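Added example, not part of this glossary entry: the anti-Frida check from the second scenario, written in C the way a native library in the app might carry it. It scans the text of `/proc/self/maps` for mapped objects whose path contains a Frida marker; the marker list, the function names and the sample maps text are constructed assumptions, not a published detection list.

```c
#include <stdio.h>
#include <string.h>

/* Path substrings seen in /proc/self/maps when a Frida agent or gadget is
 * loaded. Assumption: an illustrative list, not an exhaustive one. */
static const char *const SUSPECT_MARKERS[] = { "frida-agent", "frida-gadget", "libfrida", NULL };
/* Bounded substring search so one maps line never bleeds into the next. */
static int span_contains(const char *s, size_t len, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(s + i, needle, n) == 0) return 1;
    return 0;
}
/* Scan maps-file text line by line (a line looks like
 *   7f1c00000000-7f1c00021000 r-xp 00000000 fd:01 1234  /system/lib64/libc.so).
 * Only the optional pathname column can carry a marker. Returns the hit count. */
int count_instrumentation_mappings(const char *maps_text) {
    int hits = 0;
    for (const char *line = maps_text; line && *line; ) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        for (int i = 0; SUSPECT_MARKERS[i]; i++)
            if (span_contains(line, len, SUSPECT_MARKERS[i])) { hits++; break; }
        line = end ? end + 1 : NULL;
    }
    return hits;
}
/* Same check on the running process; returns -1 where procfs is unavailable. */
int self_instrumentation_mappings(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[1024];  /* real maps lines are far shorter than this */
    int hits = 0;
    while (fgets(line, sizeof line, f)) hits += count_instrumentation_mappings(line);
    fclose(f);
    return hits;
}
/* Constructed sample of maps-file content: two clean regions, two Frida ones. */
static const char SAMPLE_MAPS[] =
    "7f1c00000000-7f1c00021000 r-xp 00000000 fd:01 1234  /system/lib64/libc.so\n"
    "7f1c00400000-7f1c00500000 rw-p 00000000 00:00 0\n"
    "7f1c01000000-7f1c0a000000 r-xp 00000000 fd:01 5678  /data/local/tmp/re.frida.server/frida-agent-64.so\n"
    "7f1c0b000000-7f1c0b010000 r--p 00000000 fd:01 9101  /data/app/com.example/lib/arm64/libfrida-gadget.so\n";

int main(void) {
    printf("sample: %d suspect mappings\n", count_instrumentation_mappings(SAMPLE_MAPS));
    printf("self: %d (-1 means no procfs; a hardened app aborts when > 0)\n", self_instrumentation_mappings());
    return 0;
}
```

Because instrumentation can also hook the file reads this check depends on, treat it as one signal to combine with attestation and pinning rather than as the control itself.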

Frequently asked questions

What is Mobile TLS Pinning Bypass?

The category of techniques used to disable certificate pinning in a mobile app — typically via Frida or Objection hooks on platform TLS APIs — so a pen-tester or attacker can run a man-in-the-middle proxy and inspect API traffic. It belongs to the Mobile Security category of cybersecurity.

How do you defend against Mobile TLS Pinning Bypass?

Defending against Mobile TLS Pinning Bypass usually combines technical controls and operational practices, as described in the definition above.

What are other names for Mobile TLS Pinning Bypass?

Common aliases: Certificate pinning bypass, Frida pinning bypass.
