Tool Release: SSL pinning bypass and other Android tools

This research was originally performed by researchers from iSEC Partners (now NCC Group), and has been migrated to for posterity, and can be downloaded below.

SSL pinning bypass and other Android tools

13 Dec 2013 – Marc Blanchou

iSEC is releasing several Cydia Substrate extensions to facilitate the black box testing of Android applications:


This tool hooks various methods in order to disable SSL certificate pinning, by forcing the Android application to accept any SSL certificate. Once installed, it works across all applications on a device. See the project page.


This tool disables signature and permission checks for Android IPCs. This can be useful to test internal or restricted IPCs in specific cases/scenarios. See the project page.


This extension makes all applications running on the device debuggable; once installed, any application will accept a debugger attaching to it. We originally wrote a different version that hooked on the class; however, MWR released a new technique last week involving a faster way to do it, which is what this Cydia Extension now uses. See the project page.
