Set up a proxy (e.g., Burp Suite or mitmproxy) with a custom CA and install the proxy CA certificate on the test device or emulator
Route the device's traffic through the proxy and launch the target app; observe whether HTTPS connections to the app's backend succeed or fail with a certificate error
If connections succeed through the proxy CA, pinning is absent or bypassed — document as a MASVS-NETWORK-2 finding per MASTG-TEST-0022 (Android) or MASTG-TEST-0068 (iOS)
For apps with pinning, attempt dynamic bypass using a Frida script targeting the platform's certificate validation APIs (SSLContext on Android, SecTrust on iOS) to confirm whether runtime bypass is feasible
Inspect the app binary statically for pinned hash values embedded as string literals or byte arrays; verify these match the production server's current SPKI hashes
Document findings with evidence of whether pinning is implemented at the application layer, network security config layer, or via a third-party library, as remediation steps differ for each
Known gotchas
Android 7.0 and later ignores user-installed CA certificates for app traffic by default unless the app's network-security-config explicitly trusts user CAs; proxy interception on modern Android may require device root or a debug build
Dynamic pinning bypass with Frida requires the device to be rooted (Android) or jailbroken (iOS); testing on a non-rooted production device cannot confirm dynamic bypassability — use a test device specifically provisioned for security testing
Some apps implement RASP checks that detect debugger or instrumentation tool presence and modify behavior; the app may appear to enforce pinning under test conditions but disable it in production or vice versa
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp