Articles

Bypass iOS SSL Pinning with Burp Suite (2026)

April 16, 2026 4 min read

Bypassing SSL pinning on iOS is less about tricking the app and more about tricking your device into thinking it’s the trusted endpoint.

Let’s see this in action. Imagine you’re trying to inspect traffic from a banking app. Normally, the app checks if the certificate presented by the server is one it expects. If it’s not (like a proxy’s certificate), it bails.

Here’s the setup:

  1. Install Burp Suite: Get Burp Suite Professional running on your laptop.
  2. Configure Burp Proxy: In Burp, go to Proxy -> Options. Note the Bind to port (e.g., 8080). Ensure Support invisible proxying is checked.
  3. Configure iOS Device:
    • On your iOS device, go to Settings -> Wi-Fi.
    • Tap the i next to your connected Wi-Fi network.
    • Scroll down to HTTP PROXY and select Configure Proxy -> Manual.
    • Enter your laptop’s IP address for Server and 8080 for Port.
  4. Install Burp CA Certificate on iOS:
    • On your iOS device, open Safari and navigate to http://burp.example.com (or whatever your Burp Suite hostname is configured to).
    • Download the Burp CA certificate.
    • Go to Settings -> General -> Profile and install the downloaded certificate.
    • Crucially, go to Settings -> General -> About -> Certificate Trust Settings and enable full trust for the "PortSwigger CA" certificate. Without this, your device won’t trust the proxy.

Now, when the app makes a request, it goes to Burp, Burp decrypts it, forwards it to the real server, gets the response, re-encrypts it, and sends it back to the app. This is the ideal flow.

But SSL pinning breaks this. The app doesn’t just trust the CA; it expects a specific certificate (or a specific public key within it) from the server.

The goal here is to get the app to trust your proxy as if it were the legitimate server.

Here’s how you bypass it:

  1. Jailbreak your iOS Device: This is almost always a prerequisite. Tools like checkra1n or unc0ver can be used depending on your iOS version.

  2. Install libsslkeychain-ios (or similar Frida script): The most common method involves using Frida, a dynamic instrumentation toolkit. You’ll need to install Frida on your Mac/Linux machine and then inject a script into the target application on the jailbroken device. A popular script is sslkeychain-dump.js or similar ones that hook into SSL/TLS functions.

    • Frida Setup:
      pip install frida frida-tools
    • Find App Process:
      frida-ps -Uai
      Identify the bundle identifier of your target app (e.g., com.example.myapp).
    • Inject Script:
      frida -U -f com.example.myapp -l sslkeychain-dump.js --no-pause
      This command attaches Frida to the app process, loads the sslkeychain-dump.js script, and starts the app. The script will hook into functions like SSL_read and SSL_write to dump cryptographic material or disable certificate validation.

  3. Use a tool like objection: Objection is a post-exploitation framework built on top of Frida. It simplifies many common tasks, including SSL pinning bypass.

    • Install Objection:
      pip install objection
    • Launch Objection:
      objection -U --gadget com.example.myapp explore
    • Run Bypass Command: Inside the Objection shell, type:
      android instrumentation sslpinning disable
      (Yes, it’s android instrumentation even on iOS; Objection uses a consistent command structure for both platforms.)

The core mechanism behind these scripts is to hook into the application’s networking stack at a low level. When the app attempts to establish a secure connection and perform its certificate validation, the Frida script intercepts this process. It can either:

  • Disable Certificate Validation: The script directly modifies the function responsible for checking the certificate’s validity, causing it to always return "valid." This is the most straightforward approach.
  • Replace the Certificate: The script can intercept the certificate presented by the server and replace it with the Burp CA certificate that your iOS device already trusts. The app then "validates" against a certificate it’s been told to trust.
  • Dump Keys: Some scripts focus on dumping the session keys used for encryption, allowing you to then decrypt traffic using tools like Wireshark.

The most common method relies on hooking functions within the Secure Transport framework on iOS or OpenSSL if the app uses it directly. By overriding the return values of validation callbacks or by patching the code in memory to skip validation checks, the script effectively neuters the pinning mechanism. It’s not about tricking the app into accepting the wrong certificate; it’s about making the app not care if the certificate is wrong.

After successfully bypassing SSL pinning, the next challenge you’ll likely encounter is dealing with encrypted local storage or other application-specific security measures.

Want structured learning?

Take the full Burpsuite course →