iSEC Research Labs

SSL pinning bypass and other Android tools

13 Dec 2013 - Marc Blanchou

iSEC is releasing several Cydia Substrate extensions to facilitate the black box testing of Android applications:


This tool hooks various methods in order to disable SSL certificate pinning, by forcing the Android application to accept any SSL certificate. Once installed, it works across all applications on a device. See the project page.


This tool disables signature and permission checks for Android IPCs. This can be useful to test internal or restricted IPCs in specific cases/scenarios. See the project page.


This extension makes all applications running on the device debuggable; once installed, any application will accept a debugger to attach to them. We originally wrote a different version that hooked on the class; however, MWR released a new technique last week involving a faster way to do it, which is what this Cydia Extension now uses. See the project page.