SSL Pinning Bypass — iOS Applications. Without Jailbreak !

Mobile applications commonly implement SSL pinning to prevent interception of HTTPS traffic through man-in-the-middle (MITM) proxies such as Burp Suite or Charles Proxy. While this is an important security mechanism, security testers and application developers often need to inspect encrypted traffic during authorized penetration testing or debugging activities.

Traditionally, bypassing SSL pinning on iOS required a jailbroken device and runtime instrumentation tools such as Frida or Objection. However, with newer iOS networking behaviors and tools like Potatso, it is possible to intercept traffic on certain applications without jailbreak on devices running iOS 17 and above.

This article demonstrates how security researchers can configure Potatso to inspect application traffic in a non-jailbroken environment for legitimate testing purposes.

Disclaimer.

This article is intended strictly for authorized security testing, research, and debugging purposes. Only perform these actions on applications and systems for which you have explicit permission.

What is SSL Pinning?

SSL pinning is a security mechanism where a mobile application validates a specific server certificate or public key instead of relying solely on the operating system trust store.

Normally:

The application trusts certificates signed by trusted Certificate Authorities (CAs)
A proxy certificate installed on the device can intercept traffic

With SSL pinning:

The application compares the server certificate against a hardcoded certificate or public key
If the certificate does not match, the connection fails

This prevents traffic interception even when a custom CA certificate is installed.

Why Traditional Methods Require Jailbreak

Historically, bypassing SSL pinning on iOS involved:

Jailbreaking the device
Installing Frida server
Injecting hooks into networking libraries
Dynamically patching certificate validation routines

While effective, jailbreaking introduces several challenges:

Device instability
Detection by modern applications
Increased operational complexity
Security risks
Compatibility limitations on newer iOS versions

This created a demand for alternative non-jailbreak approaches.

Introducing Potatso

Potatso is an iOS proxy utility that allows advanced traffic routing and interception capabilities on non-jailbroken devices.

Potatso works by creating a local VPN configuration and routing device traffic through a configurable proxy setup.

On iOS 17 and above, this behavior enables interception of traffic from many applications that previously resisted standard proxy configurations.

Requirements

Before starting, ensure the following prerequisites are met:

iPhone running iOS 17.0 or above
Burp Suite installed on your system
Potatso installed on the iPhone
Device and Burp Suite system on the same network
Burp CA certificate installed and trusted on the iPhone

Step 1 — Configure Burp Suite

Open Burp Suite and configure the proxy listener:

Open Proxy Settings → Proxy Listeners → Edit
Ensure the listener is running:
Identify your system IP address

Example:

192.168.1.10:8080

192.168.1.10:8080

Set this IP as the interface to listen on.
Go to Request handling, enable Support invisible proxying.

Step 2 — Install Burp Certificate on iPhone

On the iPhone:

Open Safari
Visit:

http://burp

http://burp

Download the CA certificate
Install the profile
Navigate to:

Settings → General → About → Certificate Trust Settings

Settings → General → About → Certificate Trust Settings

Enable full trust for the Burp certificate

This allows the iPhone to trust Burp Suite as a proxy CA.

Step 3 — Configure Potatso

Install from Appstore and Open Potatso and create a new proxy profile.

Proxy configuration example: Type: HTTP Server: Your Burp IP Port: 8080

Once connected, all device traffic will route through Burp Suite.

Step 4 — Start Intercepting Traffic

Launch the target application and observe Burp Suite!

TRAFFIC INTERCEPTED.

Contents