Frida in Action: Bypassing Certificate Pinning on Android Emulator in 2025

Introduction

These days, it is not enough to just configure a proxy server with a custom certificate on your phone to intercept traffic from an Android application. The majority of modern phone apps are implementing so-called "certificate pinning," which renders all conventional approaches to getting traffic obsolete. However, there is a way to still get such traffic. First, let's understand what we are dealing with.

What is certificate pinning?

Certificate pinning is a technique used in Android and other applications by developers when a certificate is enforced on an application programmatically, thus making it impossible to override it with locally installed certificates.

Basically, how it works is when an application is connecting to its remote server using HTTPS, it first needs to verify that the server is the correct one through the mandatory certificate check. At this stage, the server provides the application with an SSL certificate, after which the application compares it to the hardcoded or "pinned" local certificate, and if it is recognized, secure communication can be established.

The key point here is that the certificate is hardcoded and strictly bound to the application at the development stage, even before the source code compilation process is completed. With such measures in place, the only way we can bypass this obstacle is to somehow alter the way the application works at runtime to override the pinned certificate and substitute it with our proxy server's certificate, therefore making the target application trust it and send traffic through. For that, we can use Frida.

What is Frida?

In essence, Frida is a code instrumentation toolkit that allows us to inject pieces of code into an application during runtime. While mostly used by reverse engineers and security specialists, it is a perfect tool for our use case. Even though it may sound complicated at first, there is nothing to worry about since Frida is already a battle-tested tool with dozens of pre-made scripts written by the community, so there is no need to know either coding or reverse engineering basics.

What do we need?

Before we begin, we will need a couple of things installed on our machine to complete this guide:

• Git for repository cloning
• Android Studio with an emulated device rooted by rootAVD
• Configured Mitmproxy and your rooted emulated device connected to it

Once you have everything above set up, you can proceed with this guide.

Getting CPU ABI

Frida has multiple supported versions for different systems, which is why it is important to decide exactly what version we need to download, because otherwise Frida just won't work if the version is not compatible with our device. For this reason, we will need to find our Android emulator device's CPU ABI (Application Binary Interface) name.

First, let's start our rooted Android emulator device.

To connect to it using ADB shell and enable root, just type the following commands in your bash terminal:

adb shell

su

You should see the following output:

MacBook ~ % adb shell
emulator64_arm64:/ $ su
emulator64_arm64:/ # 
            

Notice how the dollar sign changes to the hash sign, which means we have successfully enabled root shell for our device. If something is not working, try this guide.

Now let's get the CPU ABI name. To do that, just type the following command into ADB shell:

getprop ro.product.cpu.abilist

And you should see the following output:

emulator64_arm64:/ $ getprop ro.product.cpu.abilist
arm64-v8a

Perfect! Now we have the needed information to choose the correct Frida version.

Installing Frida

Frida itself consists of two parts:

• Frida server, which is going to run on our Android emulated device in order to change the application behavior.
• Frida package, which is installed on our computer, through which we are going to upload our behavior-changing scripts to the Frida server and, by extension, to our Android emulated device.

Let's start with the Frida server. First, let's open the official repository and look at the list of versions.

Let's see: our CPU ABI is arm64-v8a and we are looking for a Frida server for Android specifically, hence the correct version is the following one:

Next, we need to unzip the downloaded Frida server and upload it to your emulated Android device. To do that, turn on root privileges in your ADB shell if you haven't done that already, and then type the following command from your regular bash terminal:

adb push frida-server-17.2.14-android-arm64 /data/local/tmp/frida-server

After that, make it executable:

adb shell "chmod 755 /data/local/tmp/frida-server"

Then start the server by executing the following from inside your ADB shell:

./data/local/tmp/frida-server &

Great! Now our Frida server is running on the target device.

Finally, let's install the Frida package for code injection, which can be done by simply running these two commands in your bash terminal:

pip install frida-tools

Let's check that this package was correctly installed by running this command:

frida-ps -Uai

If you see all the processes running on your target device, then Frida has been successfully installed and configured. Example:

 PID   Name               Identifier                             
-----  -----------------  ---------------------------------------
17731  Booking.com        com.booking                            
24116  Google             com.google.android.googlequicksearchbox
24116  Google             com.google.android.googlequicksearchbox
17933  Google Play Store  com.android.vending                    
    -  Amazon Shopping    com.amazon.mShop.android.shopping      
    -  Calendar           com.google.android.calendar            
    -  Camera             com.android.camera2                    
    -  Chrome             com.android.chrome                     
    -  Clock              com.google.android.deskclock           
    -  Contacts           com.android.contacts                   
    -  Drive              com.google.android.apps.docs
            

Certificate unpinning

Finally, both the Frida server and Frida package are working, although Frida cannot magically override the behavior of the target app on its own since it requires a custom-made script which will be injected into the target application.

Fortunately for us, we won't need to learn reverse engineering from scratch to bypass certificate pinning, because there are already dozens of premade scripts written by experts in the field.

For the purpose of this guide, we are going to focus on Frida Mobile Interception Scripts.

These are general-purpose scripts which should be able to remove pinning from most Android applications. From that repository, we need the following files:

• config.js
• native-tls-hook.js
• android-certificate-unpinning.js
• android-certificate-unpinning-fallback.js

From these files, we need to modify only config.js, where we need to insert our mitmproxy certificate into the CERT_PEM variable. This will substitute the pinned certificate with our custom one, thus making it possible to view traffic that is going through our mitmproxy server.

When that is done, the only thing remaining is to decide which application's traffic we want to intercept. In order to target a specific app, we need to run it first and then get its identifier. You can do that by executing the frida-ps -Uai command again. I will go with the Booking application with identifier com.booking. As soon as the target app has been chosen, just run the following command in your bash terminal, with -f being your app identifier:

frida -U \   
-l ./config.js \
-l ./native-tls-hook.js \
-l ./android-certificate-unpinning.js \
-l ./android-certificate-unpinning-fallback.js \
-f com.booking

This command will restart the target application with the certificate already unpinned, which, in turn, allows us to view all the traffic going from the Booking app. It can be inspected through the configured mitmweb dashboard.

Conclusion

In conclusion, although the certificate pinning technique is a viable way of securing a mobile application's traffic, in most cases it is not enough to withstand Frida and properly written scripts for it. Nevertheless, some developers go the extra mile to secure their API endpoints and traffic by obfuscating the information about the certificate, so that standard scripts cannot access it that easily. However, it is usually only a matter of time before the obfuscation mechanism is revealed and the protection is bypassed. Thank you for reading! Please check out our other articles below.