Forwarded from Dimension of TDO
Bypassing Predefined SSL Pins for Specific Hosts in Android (okhttp3)

We covered detailed steps to bypass SSL pinning in Android apps in our last two posts.
👉 How to Bypass SSL Pinning on Non-Rooted Devices
https://www.tg-me.com/TDOhex/478
👉 How to Bypass SSL Pinning on Non-Rooted Devices Using VPhoneOS
https://www.tg-me.com/TDOhex/477

However, custom implementations often require manual handling, so in this post we’ll discuss those very techniques.

How okhttp3 Pins Certificates

There are several ways to configure pins, but here we’ll use an okhttp3 example. In okhttp3, pins for specific hosts are set up like this:

CertificatePinner pinner = new CertificatePinner.Builder()
        // SHA‑256 hashes for example.com (current + backup)
        .add("example.com",
             "sha256/YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=",
             "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
        // Wildcard pin for subdomains (SHA‑256 only)
        .add("*.api.example.com",
             "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
        .build();

OkHttpClient client = new OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build();

Here, the CertificatePinner.Builder class is used to configure domain‑specific pins.
Point 1: CertificatePinner.Builder is an inner class of CertificatePinner.
Point 2: The .add() method takes two parameters: first, the host (or wildcard pattern) as a String. Second, one or more pin hashes as an array of Strings.
Point 3: During the TLS handshake, the check() and check$okhttp() methods of CertificatePinner validate the server’s certificate chain. If validation fails, an SSLPeerUnverifiedException is thrown—you’ll recognize it in Smali as Ljavax/net/ssl/SSLPeerUnverifiedException;.
Point 4:
* check() takes two parameters: a String and a List.
* check$okhttp() also takes two parameters: a String and a kotlin.jvm.functions.Function0 (Smali signature: Ljava/lang/String;Lkotlin/jvm/functions/Function0;).

Hooking Pins Validation

If you remove or patch out the code in these methods (check, check$okhttp), pinning validation is effectively disabled—a simple workaround.

If the app is obfuscated, first identify the host that’s causing the TLS handshake error. Then apply the points above to locate the correct classes and methods. Once you find the inner class for CertificatePinner, you’ll also find its enclosing class—and thus the obfuscated check() and check$okhttp() methods.

Overriding Pins with ProxyPin

Rather than just disabling pinning, you can override the existing pins by adding your own (e.g. ProxyPin). The .add() method’s documentation lists four requirements for pins:

1. They must encode the certificate’s public key information.
2. They must be in SHA‑1 or SHA‑256 digest form.
3. They must be Base64‑encoded.
4. They must be prefixed with sha1/ or sha256/.

Keeping these rules in mind, we extract both the SHA‑1 and SHA‑256 hashes from the ProxyPin certificate. We choose ProxyPin because it’s free, open‑source, and works on non‑rooted Android devices.

Command to extract SHA‑256:
openssl x509 -in /storage/emulated/0/Download/ProxyPinCA.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Result (with prefix):
sha256/GfB6ZlY1jVATHuHD9H9FW/NYhPoHU1QGg0rGV/C+2u4=

SHA‑1 extraction:
openssl x509 -in /storage/emulated/0/Download/ProxyPinCA.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha1 -binary | openssl enc -base64

Result (with prefix):
sha1/k1B+6mxfEO7tDT8N+e3ddHi/S0g=
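The four pin rules and the two openssl pipelines above can be reproduced in code, which is useful when you generate pins (and a backup pin) for your own servers' certificates before shipping a CertificatePinner configuration. The script below is an added example, not code from the original post or from the okhttp or ProxyPin projects. It walks the certificate DER with a minimal ASN.1 reader, hashes the SubjectPublicKeyInfo exactly as `openssl x509 -pubkey | openssl pkey -outform der | openssl dgst` does, formats sha256/ and sha1/ pins, and checks any pin string against the documented rules. The sample certificate is constructed inline around a dummy key, so its pins are not those of any real CA; `pem_to_der` can be pointed at a real certificate file instead.

```python
import base64
import hashlib

# --- Minimal DER (ASN.1) reader: just enough to walk an X.509 certificate ---

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_value):
    """Split a SEQUENCE body into (tag, value, raw_tlv) tuples."""
    out, pos = [], 0
    while pos < len(seq_value):
        start = pos
        tag, value, pos = _read_tlv(seq_value, pos)
        out.append((tag, value, seq_value[start:pos]))
    return out

def extract_spki(cert_der):
    """Return the raw DER of subjectPublicKeyInfo from a certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = _read_tlv(cert_der, 0)
    _, tbs_body, _ = _read_tlv(cert_body, 0)
    fields = _children(tbs_body)
    if fields and fields[0][0] == 0xA0:     # [0] EXPLICIT version is absent in v1 certs
        fields = fields[1:]
    return fields[5][2]                     # serial, sigalg, issuer, validity, subject, SPKI

def pem_to_der(pem_text):
    """Decode a PEM certificate (the file format the openssl commands read)."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    return base64.b64decode("".join(line for line in lines if not line.startswith("-----")))

# --- Pin generation and validation (rules 1-4 from the .add() documentation) ---

DIGEST_LEN = {"sha1": 20, "sha256": 32}

def pin_of_spki(spki_der, algo):
    """Rule 1-4: digest of the public key info, Base64, prefixed with the algorithm."""
    digest = hashlib.new(algo, spki_der).digest()
    return f"{algo}/{base64.b64encode(digest).decode()}"

def spki_pins(cert_der):
    spki = extract_spki(cert_der)
    return {algo: pin_of_spki(spki, algo) for algo in ("sha256", "sha1")}

def validate_pin(pin):
    """Return None if the string satisfies rules 2-4, else a description of the problem.
    Rule 1 (the digest is over the SPKI, not the whole certificate) cannot be checked
    from the string alone; spki_pins() is the place that guarantees it."""
    algo, sep, b64 = pin.partition("/")
    if not sep or algo not in DIGEST_LEN:
        return f"pin must start with sha1/ or sha256/, got {algo!r}"
    try:
        digest = base64.b64decode(b64, validate=True)
    except ValueError:
        return "digest is not valid Base64"
    if len(digest) != DIGEST_LEN[algo]:
        return f"{algo} digest must be {DIGEST_LEN[algo]} bytes, got {len(digest)}"
    return None

# --- Constructed sample certificate (dummy key, not a real CA) ---

def _tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content

_RSA_OID = bytes.fromhex("06092a864886f70d010101")        # rsaEncryption
_SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
_EMPTY_SEQ = _tlv(0x30, b"")
# SubjectPublicKeyInfo with a tiny made-up RSAPublicKey (modulus, exponent) inside a BIT STRING
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _RSA_OID + b"\x05\x00")
                   + _tlv(0x03, b"\x00" + _tlv(0x30, _tlv(0x02, b"\x00\xc3\x5b\x7f") + _tlv(0x02, b"\x01\x00\x01"))))
_SAMPLE_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))      # [0] version v3
                   + _tlv(0x02, b"\x01")                        # serialNumber
                   + _tlv(0x30, _SHA256_RSA_OID + b"\x05\x00")  # signature AlgorithmIdentifier
                   + _EMPTY_SEQ + _EMPTY_SEQ + _EMPTY_SEQ       # issuer, validity, subject (dummies)
                   + SAMPLE_SPKI)
SAMPLE_CERT_DER = _tlv(0x30, _SAMPLE_TBS + _tlv(0x30, _SHA256_RSA_OID + b"\x05\x00") + _tlv(0x03, b"\x00"))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CERT_DER).decode()
                   + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for pin in spki_pins(pem_to_der(SAMPLE_CERT_PEM)).values():
        print(pin, "->", validate_pin(pin) or "conforms to the pin rules")
    for bad in ("md5/AAAA", "sha256/notbase64!", "sha1/GfB6"):
        print(repr(bad), "->", validate_pin(bad))
```

For a real certificate, read the file with `open(path).read()` and pass it through `pem_to_der` before `spki_pins`; the sha256/ value it prints is what belongs in the `.add()` call, and the rules checker is a cheap guard against pasting a certificate fingerprint (a hash of the whole certificate) where a public-key pin is expected.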



Once you have these hashes, you can analyze and override the existing pins—wherever they reside (libraries, resources, or DEX files).

Note: We have used these methods on many banking, OTT, and other apps. However, apologies, due to Telegram's rules, we cannot provide practical examples for this. If you become familiar with Matrix, let us know. We can have open discussions there.

━━━━━━━━━━━━━━━
📣 Main Channel:
@TDOhex
📱 Second Channel:
@Android_Patches
💬 Discussion Group:
@TDOhex_Discussion
━━━━━━━━━━━━━━━



tg-me.com/Learn_GHA/3418