Merge pull request #1375 from HackTricks-wiki/update_SSLPinDetect__Advanced_SSL_Pinning_Detection_for_A_20250901_123952

SSLPinDetect Advanced SSL Pinning Detection for Android Secu...

src/mobile-pentesting/android-app-pentesting/README.md

@@ -444,6 +444,62 @@ Applications targeting **API Level 24 and above** require modifications to the N
 
 If **Flutter** is being used you need to to follow the instructions in [**this page**](flutter.md). This is becasue, just adding the certificate into the store won't work as Flutter has its own list of valid CAs.
 
+#### Static detection of SSL/TLS pinning
+
+Before attempting runtime bypasses, quickly map where pinning is enforced in the APK. Static discovery helps you plan hooks/patches and focus on the right code paths.
+
+Tool: SSLPinDetect
+- Open-source static-analysis utility that decompiles the APK to Smali (via apktool) and scans for curated regex patterns of SSL/TLS pinning implementations.
+- Reports exact file path, line number, and a code snippet for each match.
+- Covers common frameworks and custom code paths: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.
+
+Install
+- Prereqs: Python >= 3.8, Java on PATH, apktool
+
+```bash
+git clone https://github.com/aancw/SSLPinDetect
+cd SSLPinDetect
+pip install -r requirements.txt
+```
+
+Usage
+```bash
+# Basic
+python sslpindetect.py -f app.apk -a apktool.jar
+
+# Verbose (timings + per-match path:line + snippet)
+python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v
+```
+
+Example pattern rules (JSON)
+Use or extend signatures to detect proprietary/custom pinning styles. You can load your own JSON and scan at scale.
+
+```json
+{
+  "OkHttp Certificate Pinning": [
+    "Lcom/squareup/okhttp/CertificatePinner;",
+    "Lokhttp3/CertificatePinner;",
+    "setCertificatePinner"
+  ],
+  "TrustManager Override": [
+    "Ljavax/net/ssl/X509TrustManager;",
+    "checkServerTrusted"
+  ]
+}
+```
+
+Notes and tips
+- Fast scanning on large apps via multi-threading and memory-mapped I/O; pre-compiled regex reduces overhead/false positives.
+- Pattern collection: https://github.com/aancw/smali-sslpin-patterns
+- Typical detection targets to triage next:
+  - OkHttp: CertificatePinner usage, setCertificatePinner, okhttp3/okhttp package references
+  - Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
+  - Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers
+  - Declarative pins in res/xml network security config and manifest references
+- Use the matched locations to plan Frida hooks, static patches, or config reviews before dynamic testing.
+
+
+
 #### Bypassing SSL Pinning
 
 When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Various methods are available for this purpose:
@@ -799,6 +855,9 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
 - [https://manifestsecurity.com/android-application-security/](https://manifestsecurity.com/android-application-security/)
 - [https://github.com/Ralireza/Android-Security-Teryaagh](https://github.com/Ralireza/Android-Security-Teryaagh)
 - [https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab_channel=B3nacSec](https://www.youtube.com/watch?v=PMKnPaGWxtg&feature=youtu.be&ab_channel=B3nacSec)
+- [SSLPinDetect: Advanced SSL Pinning Detection for Android Security Analysis](https://petruknisme.medium.com/sslpindetect-advanced-ssl-pinning-detection-for-android-security-analysis-1390e9eca097)
+- [SSLPinDetect GitHub](https://github.com/aancw/SSLPinDetect)
+- [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
 
 ## Yet to try