👨‍🏫 Tutorial How to bypass SSL Pinning on Non-rooted Devices [2025]

Rectify

overridePins: The overridePins attribute is used within the <certificates> tag under the <trust-anchors> element in an Android network security configuration file. Its purpose is to bypass SSL/TLS certificate pinning.
- When set to overridePins="true", it allows the app to trust user-installed certificates even if the app has certificate pinning enabled.

Example context:
Code:
<certificates
    src="user"
    overridePins="true"
/>


Here, the app will trust user-added certificates and bypass any certificate pinning rules defined in the app.

Step-by-Step Guide:
1. Install and Configure ProxyPin on Your Device:
  • Open the ProxyPin app.
  • Tap the three dots in the top-right corner of the first page.
  • Select HTTPS Proxy from the menu.
  • Turn on Enable HTTPS Proxy in ProxyPin settings.

2. Install SSL Certificates:
  • Tap Install Certificate and follow the in-app instructions.
  • Download and install ProxyPin’s User Certificate from the app.
  • The file ProxyPinCA.crt should be installed under CA Certificate in the Install a Certificate option.

3. Modify the App’s Network Security Config:
- Recommended tool: MT Manager.

3.1 Decompile the Target APK:
  • Use MT Manager to open the APK.
  • Navigate to res/xml/network_security_config.xml.

3.2 Update/Create the Config File:
- If network_security_config.xml already exists, add this configuration:
Code:
<!-- Add user trust anchor with pin override -->
<trust-anchors>
    <certificates src="system"/>
    <certificates src="user" overridePins="true"/>
</trust-anchors>

- If the file does NOT exist:
A. Create new network_security_config.xml in /res/xml/:
Code:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config
        cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates
                src="system"/>
            <certificates
                overridePins="true"
                src="user"/>
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates
                src="system"/>
            <certificates
                overridePins="true"
                src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>

B. Add the XML Entry via MT Manager:
  • Use the Arsc Editor feature in MT Manager and navigate to the XML section of the target app. You will see XML entries there.
  • To create a new entry, click on the three dots in the top-right corner and select the Add option.
  • In the first box, the entry ID will be automatically calculated, and in the second box, enter the new entry name network_security_config and click the OK button. A new entry will be created.
  • Then, to set its path, click on the new entry network_security_config.
  • Replace the path in the Content box res/xxxx with this path: res/xml/network_security_config.xml.
  • Finally, click the OK button.
  • Your new entry has been successfully created.

C. Link to AndroidManifest.xml:
- Open the AndroidManifest.xml file and add the following attribute to the <application> tag:
android:networkSecurityConfig="@ResourceID"
- In ResourceID, use the ID that was automatically calculated when you created the new network_security_config entry.

4. Now, you can capture traffic from the target app using the ProxyPin app on non-rooted devices
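For app owners reviewing a build or a repackaged copy, the settings described above are what to flag in a decoded network_security_config.xml. The script below is an added example, not part of the original post; the function names and finding labels are illustrative assumptions, and the sample input is constructed from the config shown in step 3.2.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the config from the post, as decoded text XML
# (inside an APK the file is binary XML and must be decoded first).
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates overridePins="true" src="user"/>
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="system"/>
            <certificates overridePins="true" src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>"""

SCOPES = ("base-config", "domain-config", "debug-overrides")

def audit_nsc(xml_text):
    """Return (scope, finding, debug_only) for each setting that weakens TLS trust."""
    # Stdlib parser; use a hardened XML parser for files from untrusted APKs.
    root = ET.fromstring(xml_text)
    findings = []
    for scope in root.iter():  # iter() also reaches nested <domain-config>
        if scope.tag not in SCOPES:
            continue
        # <debug-overrides> only applies when the app is debuggable.
        debug_only = scope.tag == "debug-overrides"
        if scope.get("cleartextTrafficPermitted") == "true":
            findings.append((scope.tag, "cleartext-permitted", debug_only))
        for cert in scope.findall("trust-anchors/certificates"):
            src = cert.get("src", "")
            if src == "user":
                findings.append((scope.tag, "user-ca-trusted", debug_only))
            if cert.get("overridePins") == "true":
                findings.append((scope.tag, "pins-overridden:" + src, debug_only))
    return findings

def release_findings(xml_text):
    """Findings that affect a non-debuggable (release) build."""
    return [f for f in audit_nsc(xml_text) if not f[2]]

if __name__ == "__main__":
    for scope, finding, debug_only in audit_nsc(SAMPLE):
        print(scope, finding, "(debug builds only)" if debug_only else "(release)")
```

Any entry returned by release_findings means pinning or TLS trust is weakened in a production build; entries limited to debug-overrides only take effect when the app is debuggable.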
 
