Installing SSL Kill Switch / TrustKit Bypass

Bypassing certificate pinning is a prerequisite for intercepting an iOS app's encrypted API traffic during a pentest. This chapter is a practical, hands-on workflow for installing SSL Kill Switch, getting past TrustKit-based pinning and verifying that interception actually works. Everything here assumes you already have a jailbroken device.


Requirements

  • Jailbroken iPhone (A7–A11 using checkra1n or palera1n)

  • SSH access to the device

  • Burp Suite installed and proxy configured

  • Frida installed on your computer

  • Frida Server running on the device


Step 1: Prepare the Jailbroken Device

Make sure basic tools are installed.

Update package sources:

apt update
apt upgrade

Install essential utilities:

apt install wget curl unzip

Step 2: Install SSL Kill Switch 2

SSL Kill Switch 2 hooks the system TLS stack (SecureTransport on older iOS, the Network.framework / BoringSSL path on iOS 12 and later), so any app that leaves certificate validation to the OS, which covers the default NSURLSession, AFNetworking and Alamofire configurations, stops rejecting Burp's certificate. Pinning that the app performs itself on top of that validation (TrustKit, an SPKI hash comparison in a URLSession delegate) is not covered; that is what Step 4 is for.

Step 2.1: Add the Repo

In Sileo / Zebra repo list add:

https://cydia.ichitaso.com

Or alternatively:

https://nabla-c0d3.github.io/

(nabla-c0d3 is the tweak's author; the official builds are the .deb packages published on the releases page of github.com/nabla-c0d3/ssl-kill-switch2.)

Step 2.2: Install via Terminal

SSH into the device over USB. The root password on a fresh jailbreak is alpine; change it with passwd before you go any further:

iproxy 2222 22
ssh root@localhost -p 2222

Install from the repo:

apt install com.nablac0d3.sslkillswitch2

If you downloaded the release .deb instead, copy it over with scp and install it with dpkg -i.

Step 2.3: Reboot the Device

reboot

After the reboot, turn the tweak on in Settings > SSL Kill Switch 2 (it is off by default), then fully kill and relaunch the target app. The hook is injected when the app starts, so an app that was already running keeps its own validation.


Step 3: Validate SSL Kill Switch

First confirm the plumbing that Burp needs regardless of pinning: the Burp proxy listener is bound to an interface the phone can reach, the phone's Wi-Fi proxy points at it, and Burp's CA certificate is installed and switched on under Settings > General > About > Certificate Trust Settings. Then launch an app that previously blocked Burp Suite.

Open Burp → Proxy → HTTP History
If SSL Kill Switch is working, HTTPS traffic should now appear without certificate errors.

Troubleshooting if nothing appears:

  • App uses TrustKit

  • App performs its own certificate validation in a URLSession / NSURLConnection delegate

  • App compares pinned public-key (SPKI) hashes itself

  • App never reaches Burp at all (own socket stack, or the system proxy ignored). ATS overrides are not the cause: once the Burp CA is trusted, an ATS-compliant connection proxies normally

  • App manually validates certificates in Swift code through the SecTrust APIs

If the app uses TrustKit or a comparable pinning framework, continue with the TrustKit bypass methods below.
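To tell which of those cases you are looking at before picking a bypass, the following Frida script checks the running app for three indicators: the TrustKit validator class, app-owned classes that implement an authentication-challenge delegate selector, and direct imports of the Security framework calls used for hand-rolled pinning. It is an added example for this page, not a tool the page or the SSL Kill Switch project ships; the file name pin-triage.js, the function names and the list of selectors and imports it checks are this example's own choices. The decision logic lives in recommend() so it can be exercised outside Frida.

```javascript
'use strict';
// pin-triage.js (added example, hypothetical name): report which pinning
// mechanism a running iOS app carries. Run with:
//   frida -U -f com.example.app -l pin-triage.js
// Only collectFindings() needs the Frida runtime; recommend() is plain JS.

// Security.framework calls that hand-rolled pinning code imports.
const PIN_IMPORTS = [
  'SecTrustEvaluate', 'SecTrustEvaluateWithError', 'SecTrustEvaluateAsyncWithError',
  'SecTrustGetCertificateAtIndex', 'SecTrustCopyCertificateChain',
  'SecKeyCopyPublicKey', 'SecCertificateCopyKey', 'SecTrustCopyKey',
];

// Delegate selectors where apps implement their own challenge handling.
const CHALLENGE_SELECTORS = [
  '- URLSession:didReceiveChallenge:completionHandler:',
  '- URLSession:task:didReceiveChallenge:completionHandler:',
  '- connection:willSendRequestForAuthenticationChallenge:',
];

// Map findings to the step of this chapter that applies. Pure function.
function recommend(f) {
  const steps = [];
  if (f.trustKit) {
    steps.push('TrustKit loaded: hook TSKPinningValidator (Step 4, Option 1) or use a universal script');
  }
  if (f.challengeDelegates.length > 0) {
    steps.push('custom challenge handling in ' + f.challengeDelegates.join(', ') +
               ': universal script (Step 4, Option 3) or Security API hooks (Step 6)');
  }
  if (f.securityImports.length > 0) {
    steps.push('direct Security.framework use (' + f.securityImports.join(', ') +
               '): Security API hooks (Step 6)');
  }
  if (steps.length === 0) {
    steps.push('no app-level pinning indicators: SSL Kill Switch (Step 2) should be enough');
  }
  return steps;
}

// Gather the indicators from the process. Returns empty findings when not
// running under Frida, so the file also loads in Node.
function collectFindings() {
  const f = { trustKit: false, challengeDelegates: [], securityImports: [] };
  if (typeof ObjC === 'undefined' || !ObjC.available) return f;

  f.trustKit = ObjC.classes.TSKPinningValidator !== undefined;

  // Look only at the app's own image (module 0 is the main executable):
  // system frameworks implement these selectors and import these symbols too.
  const mainModule = Process.enumerateModules()[0];
  const imported = new Set(mainModule.enumerateImports().map(i => i.name));
  f.securityImports = PIN_IMPORTS.filter(n => imported.has(n));

  const owned = ObjC.enumerateLoadedClassesSync({
    ownedBy: new ModuleMap(m => m.path === mainModule.path),
  });
  for (const names of Object.values(owned)) {
    for (const name of names) {
      try {
        const methods = ObjC.classes[name].$ownMethods;
        if (CHALLENGE_SELECTORS.some(sel => methods.indexOf(sel) !== -1)) {
          f.challengeDelegates.push(name);
        }
      } catch (e) { /* some runtime-generated classes cannot be wrapped; ignore */ }
    }
  }
  return f;
}

function run() {
  const findings = collectFindings();
  console.log(JSON.stringify(findings, null, 2));
  recommend(findings).forEach(s => console.log('[pin-triage] ' + s));
  return findings;
}

run();
```

If the app loads its networking framework lazily, the class list at spawn time can be incomplete; attach to the running process (frida -U -n or -p) after the first login screen instead and run the script again.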


Step 4: TrustKit and Advanced Pinning Bypass

TrustKit is a common pinning library. It evaluates the server trust itself and compares the SPKI hashes of the chain against the pins configured in the app, on top of the system's own validation. SSL Kill Switch only relaxes the system side, so a TrustKit-protected connection still fails; the pin check itself has to be hooked.

Option 1: Frida Script (Recommended)

Create a file named trustkit-bypass.js:

// Force TrustKit's validator to report "allow" for every host.
// TSKTrustDecision (TrustKit's TSKTrustDecision.h): 0 = ShouldAllowConnection,
// 1 = ShouldBlockConnection, 2 = DomainNotPinned; the method returns that enum.
if (ObjC.available && ObjC.classes.TSKPinningValidator) {
    var TSKTrustDecisionShouldAllowConnection = 0;
    Interceptor.attach(ObjC.classes.TSKPinningValidator['- evaluateTrust:forHostname:'].implementation, {
        onEnter: function(args) {
            // args[2] = SecTrustRef, args[3] = NSString *hostname
            var host = args[3].isNull() ? '<nil>' : new ObjC.Object(args[3]).toString();
            console.log("TrustKit bypass hit for " + host);
        },
        onLeave: function(retval) {
            retval.replace(TSKTrustDecisionShouldAllowConnection);
        }
    });
} else {
    console.log("TSKPinningValidator not loaded: the app does not use TrustKit");
}

Run:

frida -U -f com.example.app -l trustkit-bypass.js --no-pause

On Frida 16 and later the spawned app resumes automatically and --no-pause no longer exists, so omit it there.

This forces TrustKit to return "allow" for every certificate chain, whatever the pins say.


Option 2: Objection Built-In Bypass

Start the app with Objection:

objection -g com.example.app explore

Then:

ios sslpinning disable

Objection's hooks cover the system TLS stack and several common app-level pinning patterns. Confirm the result in Burp's HTTP history rather than assuming it worked; TrustKit and hand-rolled checks are not guaranteed to be covered.


Option 3: Universal SSL Bypass Script (Frida)

A broader script that hooks several layers at once. frida -l takes a local file, not a URL, so download the script first, read it (you are about to inject it into the target), then load it:

curl -L -o ios_ssl_pinning_bypass2.js https://raw.githubusercontent.com/httptoolkit/frida-ios-ssl-pinning-bypass/main/ios_ssl_pinning_bypass2.js
frida -U -f com.example.app --no-pause -l ios_ssl_pinning_bypass2.js

(Drop --no-pause on Frida 16 and later, where it no longer exists.)

This is intended to disable:

  • TrustKit

  • NSURLSession pinning

  • SecTrustEvaluate

  • AFNetworking

  • Alamofire

  • Custom certificate validation

  • Low-level Sec APIs

Because it hooks the Security APIs, the system TLS stack and the common framework entry points in one go, a universal script is usually the quickest way past TrustKit and similar libraries. Whether it works for a given app is still something you confirm in Burp.


Step 5: Testing the Bypass

Once the bypass is enabled:

  1. Open the target app

  2. Trigger an HTTPS request (login, fetch data, etc.)

  3. Observe Burp history

  4. Check if decrypted traffic appears

Expected behavior:

  • No certificate warnings in the app

  • No SSL errors

  • Requests appear normally in Burp

  • HTTPS content is readable and modifiable

If traffic does not appear:

  • App might pin in native code the script does not hook (a C/C++ TLS library compiled into the app, or a Swift SecTrust check)

  • App might bypass the system proxy entirely (own resolver or socket stack), so nothing reaches Burp

  • Burp's CA may be installed but not switched on under Certificate Trust Settings. ATS failures look different: they surface as NSURLErrorDomain errors in the app, and ATS requires TLS 1.2 and forward-secrecy ciphers from Burp's listener, not the absence of a proxy

  • Proxy settings may be incorrect


Step 6: Handling Apps That Use Low-Level Security APIs

Some apps skip frameworks altogether and call the Security framework directly: SecTrustEvaluate or SecTrustEvaluateWithError to validate the chain, then SecKeyCopyPublicKey (or SecCertificateCopyKey) to pull the leaf key and compare its hash with a hard-coded pin. Older apps built on SecureTransport may also call SSLSetSessionOption to take over server authentication themselves.

Use a Frida script that hooks those calls:

frida -U -f com.example.app -l ssl.js --no-pause

(Drop --no-pause on Frida 16 and later.) Where ssl.js contains hooks for:

  • SecTrustEvaluate (force the out-parameter to a passing SecTrustResultType and the return to errSecSuccess)

  • SecTrustEvaluateWithError (force true and clear the CFError out-parameter)

  • SecKeyCopyPublicKey (log the caller: this locates the pin comparison rather than bypassing it)

  • SSLSetSessionOption (stop the app from taking over SecureTransport server authentication)

Hooking the chain validation only helps when the app's decision follows from it. An app that hashes the key and compares it itself still needs the comparison, or its caller, patched, and the backtrace from the SecKeyCopyPublicKey hook is what tells you where that is.
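A concrete ssl.js along those lines, as an added example for this page (it is not the page's own file and not SSL Kill Switch code). The constants come from the Security framework headers (SecBase.h, SecTrust.h, SecureTransport.h); the hook plan, the log-only treatment of SecKeyCopyPublicKey and the function names are this example's own. The installer resolves each export from Security.framework at load time and skips anything the process does not export.

```javascript
'use strict';
// ssl.js for Step 6 (added example; not the page's own file and not SSL Kill
// Switch code). Run with:  frida -U -f com.example.app -l ssl.js
// Constants are from the Security.framework headers (SecBase.h, SecTrust.h,
// SecureTransport.h); the hook plan and function names are this example's own.

const errSecSuccess = 0;                        // OSStatus: no error
const kSecTrustResultUnspecified = 4;           // SecTrustResultType: chain valid, no user override
const kSSLSessionOptionBreakOnServerAuth = 0;   // SSLSessionOption: hand server auth to the app

// Export name -> action. SecKeyCopyPublicKey is log-only: it is where the app
// extracts the key it is about to hash, so its backtrace points at the real
// pin comparison, which a generic script cannot patch.
const HOOK_PLAN = [
  { name: 'SecTrustEvaluate',          action: 'force-success' },
  { name: 'SecTrustEvaluateWithError', action: 'force-true' },
  { name: 'SecKeyCopyPublicKey',       action: 'log-caller' },
  { name: 'SSLSetSessionOption',       action: 'drop-break-on-server-auth' },
];

function describeHookPlan() {
  return HOOK_PLAN.map(h => h.name + ':' + h.action);
}

function backtrace(ctx) {
  return Thread.backtrace(ctx, Backtracer.ACCURATE)
    .map(DebugSymbol.fromAddress).join('\n    ');
}

const HANDLERS = {
  // OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result)
  SecTrustEvaluate(addr) {
    Interceptor.attach(addr, {
      onEnter(args) { this.resultPtr = args[1]; },
      onLeave(retval) {
        if (!this.resultPtr.isNull()) this.resultPtr.writeU32(kSecTrustResultUnspecified);
        retval.replace(errSecSuccess);
        console.log('[ssl.js] SecTrustEvaluate -> kSecTrustResultUnspecified');
      },
    });
  },
  // bool SecTrustEvaluateWithError(SecTrustRef trust, CFErrorRef *error)
  SecTrustEvaluateWithError(addr) {
    Interceptor.attach(addr, {
      onEnter(args) { this.errPtr = args[1]; },
      onLeave(retval) {
        if (!this.errPtr.isNull()) this.errPtr.writePointer(NULL);   // caller sees no CFError
        retval.replace(1);
        console.log('[ssl.js] SecTrustEvaluateWithError -> true');
      },
    });
  },
  // SecKeyRef SecKeyCopyPublicKey(SecKeyRef key): observe only, print the caller.
  SecKeyCopyPublicKey(addr) {
    Interceptor.attach(addr, {
      onEnter() {
        console.log('[ssl.js] SecKeyCopyPublicKey called from:\n    ' + backtrace(this.context));
      },
    });
  },
  // OSStatus SSLSetSessionOption(SSLContextRef ctx, SSLSessionOption opt, Boolean value)
  // SecureTransport is deprecated, so only older apps reach this. Pretending the
  // BreakOnServerAuth request succeeded keeps SecureTransport on the system
  // validation path (which trusts the Burp CA); the app's manual check never runs.
  SSLSetSessionOption(addr) {
    const original = new NativeFunction(addr, 'int', ['pointer', 'int', 'bool']);
    Interceptor.replace(addr, new NativeCallback((ctx, opt, value) => {
      if (opt === kSSLSessionOptionBreakOnServerAuth) {
        console.log('[ssl.js] SSLSetSessionOption(BreakOnServerAuth) ignored');
        return errSecSuccess;
      }
      return original(ctx, opt, value);
    }, 'int', ['pointer', 'int', 'bool']));
  },
};

// Resolve each export in Security.framework and install its hook. Returns the
// names actually hooked; returns [] outside Frida so the file also loads in Node.
function installHooks() {
  if (typeof Interceptor === 'undefined' || typeof Process === 'undefined') return [];
  const security = Process.getModuleByName('Security');
  const installed = [];
  for (const h of HOOK_PLAN) {
    const addr = security.findExportByName(h.name);
    if (addr === null) { console.log('[ssl.js] ' + h.name + ' not exported, skipping'); continue; }
    HANDLERS[h.name](addr);
    installed.push(h.name);
  }
  return installed;
}

installHooks();
```

SecTrustEvaluate is itself deprecated and SecTrustEvaluateWithError is what current Swift code calls, so on a modern app expect only the second hook and the SecKeyCopyPublicKey backtraces to fire; the backtrace is the input to the next, app-specific patch.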


Step 7: Handling Certificate Transparency (CT)

Some applications require Certificate Transparency, either through NSRequiresCertificateTransparency in their ATS configuration or by adding a CT policy to their own trust evaluation. Burp's leaf certificate carries no signed certificate timestamps, so such an evaluation fails even when the Burp CA is trusted.

Bypassing CT:

frida -U -f com.example.app -l ct_bypass.js --no-pause

(Drop --no-pause on Frida 16 and later.) The script hooks the policy and trust-option calls that introduce the CT requirement, namely:

  • the SSL policy (kSecPolicyAppleSSL)

  • the CT policy (kSecPolicyAppleCT)

  • Trust evaluation options


Step 8: Confirm Everything Works

Test the proxy path and the CA trust first, from the device's shell. Leave out -k: with it, curl skips certificate validation and the run would prove nothing about whether the Burp CA is trusted.

curl -v --proxy http://YOUR_IP:8080 https://example.com

If curl's own CA bundle does not contain the Burp CA, pass the exported certificate explicitly with --cacert (the file name is whatever you exported Burp's CA as).

If Burp captures the request and curl reports no certificate error:

  • Proxy works

  • The Burp CA is trusted

curl does not pin, so this says nothing about the pinning bypass. That is only confirmed by repeating the request inside the target app and seeing it in Burp's HTTP history.


Intel Dump

  • SSL Kill Switch disables certificate validation in the system TLS stack, which defeats apps that rely on it for pinning

  • TrustKit requires advanced hooking (Frida/Objection)

  • Universal Frida scripts bypass multiple frameworks

  • Testing involves inspecting Burp HTTP history

  • Apps using low-level Sec APIs require deeper hooks

  • Certificate Transparency can also block interception

  • Full MITM requires proxy setup + cert trust + pinning bypass

  • Jailbroken devices provide easiest and most reliable SSL bypass workflows
