How to Ignore SSL for React Native (Android/iOS)
Secure data transfer over the Internet is a basic requirement for mobile apps, and SSL (TLS) pinning is one mechanism used to meet it: the app ships with the server's certificate or public key and accepts a TLS connection only if the certificate presented by the server matches that pin. Because a certificate issued by any other authority, including a proxy CA the user installed on the device, is rejected, pinning all but eliminates man-in-the-middle attacks and prevents interception of the traffic between client and server.
At the same time, this mechanism makes the application harder to analyze during black-box or grey-box penetration testing: the pentester has to recognize that pinning is in place and put a workaround in place before an intercepting proxy can see the client-server interactions. This article describes one way around it for React Native apps when you have the app's source: patch the native networking layer on each platform so that certificate validation is disabled in the build you test against. A build patched this way trusts any certificate at all, so keep the patch out of release builds.
For Android:
Add a file IgnoreSSLFactory.java next to MainApplication.java (by default under android/app/src/main/java/com/[yourapp]/):
//IgnoreSSLFactory.java
package com.yourapp; //Change this to your app's package

import android.util.Log;

import com.facebook.react.modules.network.OkHttpClientFactory;
import com.facebook.react.modules.network.ReactCookieJarContainer;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import okhttp3.OkHttpClient;

// Replaces the OkHttpClient that React Native's networking module uses with one
// that accepts any server certificate and any hostname. Debug/pentest builds only.
public class IgnoreSSLFactory implements OkHttpClientFactory {
  private static final String TAG = "IgnoreSSLFactory";

  @Override
  public OkHttpClient createNewNetworkModuleClient() {
    try {
      // Trust manager whose checks are intentionally empty: every chain passes.
      final TrustManager[] trustAllCerts = new TrustManager[]{
          new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
              return new X509Certificate[]{};
            }
          }
      };
      final SSLContext sslContext = SSLContext.getInstance("TLS");
      sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
      final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

      // Same timeouts (0 = none) and cookie jar as React Native's default client.
      OkHttpClient.Builder builder = new OkHttpClient.Builder()
          .connectTimeout(0, TimeUnit.MILLISECONDS)
          .readTimeout(0, TimeUnit.MILLISECONDS)
          .writeTimeout(0, TimeUnit.MILLISECONDS)
          .cookieJar(new ReactCookieJarContainer());
      builder.sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCerts[0]);
      // Also disable hostname verification, so the proxy's certificate is accepted for any host.
      builder.hostnameVerifier(new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
          return true;
        }
      });
      return builder.build();
    } catch (Exception e) {
      Log.e(TAG, "failed to build insecure OkHttpClient", e);
      throw new RuntimeException(e);
    }
  }
}
Modify MainApplication.java:
- Add the import:
import com.facebook.react.modules.network.OkHttpClientProvider;
- Register the factory in onCreate(), before the React instance is created, as below:
@Override
public void onCreate() {
  super.onCreate();
  SoLoader.init(this, /* native exopackage */ false);
  // Every OkHttpClient that React Native's networking module creates from now on comes from IgnoreSSLFactory
  OkHttpClientProvider.setOkHttpClientFactory(new IgnoreSSLFactory());
  initializeFlipper(this, getReactNativeHost().getReactInstanceManager());
}
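A trust-everything manager is the quickest patch, but it also means the test build accepts any attacker's certificate, not just the intercepting proxy's. The following added example (not from the original article) uses the same OkHttpClientProvider hook to trust exactly one extra CA, the proxy's root certificate, and only in debug builds. It assumes the proxy CA has been exported in PEM form to android/app/src/main/res/raw/proxy_ca.pem (a hypothetical resource name, referenced as R.raw.proxy_ca) and that BuildConfig and R live in the app package com.yourapp; hostname verification is left at OkHttp's default.

```java
// DebugProxyTrustFactory.java (added example, not part of the original article)
package com.yourapp; // change to your app's package

import android.content.Context;
import android.util.Log;

import com.facebook.react.modules.network.OkHttpClientFactory;
import com.facebook.react.modules.network.OkHttpClientProvider;
import com.facebook.react.modules.network.ReactCookieJarContainer;

import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import okhttp3.OkHttpClient;

/**
 * Debug-only OkHttp factory whose single trust anchor is the interception
 * proxy's root CA bundled as res/raw/proxy_ca.pem (hypothetical resource name).
 * Unlike a trust-all manager it still rejects any chain that does not lead to
 * that CA, so only traffic through the proxy is accepted.
 */
public final class DebugProxyTrustFactory implements OkHttpClientFactory {
  private static final String TAG = "DebugProxyTrustFactory";
  private final Context context;

  private DebugProxyTrustFactory(Context context) {
    this.context = context.getApplicationContext();
  }

  /** Call from MainApplication.onCreate(); a no-op in release builds. */
  public static void installIfDebug(Context context) {
    if (!BuildConfig.DEBUG) {
      return; // never ship a build that trusts a proxy CA
    }
    OkHttpClientProvider.setOkHttpClientFactory(new DebugProxyTrustFactory(context));
  }

  @Override
  public OkHttpClient createNewNetworkModuleClient() {
    try {
      X509TrustManager tm = proxyCaTrustManager();
      SSLContext ctx = SSLContext.getInstance("TLS");
      ctx.init(null, new TrustManager[]{tm}, null);
      return new OkHttpClient.Builder()
          .connectTimeout(0, TimeUnit.MILLISECONDS)
          .readTimeout(0, TimeUnit.MILLISECONDS)
          .writeTimeout(0, TimeUnit.MILLISECONDS)
          .cookieJar(new ReactCookieJarContainer())
          .sslSocketFactory(ctx.getSocketFactory(), tm)
          .build();
    } catch (Exception e) {
      Log.e(TAG, "failed to build proxy-trusting client", e);
      throw new RuntimeException(e);
    }
  }

  /** Builds a trust manager from a key store that holds only the bundled proxy CA. */
  private X509TrustManager proxyCaTrustManager() throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Collection<? extends Certificate> cas;
    try (InputStream in = context.getResources().openRawResource(R.raw.proxy_ca)) {
      cas = cf.generateCertificates(in); // accepts one or more PEM certificates
    }
    if (cas.isEmpty()) {
      throw new IllegalStateException("res/raw/proxy_ca.pem contains no certificate");
    }
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, null); // empty in-memory store
    int i = 0;
    for (Certificate ca : cas) {
      ks.setCertificateEntry("proxy-ca-" + (i++), ca);
    }
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);
    for (TrustManager tm : tmf.getTrustManagers()) {
      if (tm instanceof X509TrustManager) {
        return (X509TrustManager) tm;
      }
    }
    throw new IllegalStateException("no X509TrustManager available");
  }
}
```

Replace the setOkHttpClientFactory line in onCreate() with DebugProxyTrustFactory.installIfDebug(this). Because the proxy CA is the only anchor, requests that do not go through the proxy fail with a certificate error in this build, which is the intended behaviour for a lab session; a release build is unaffected because installIfDebug() returns before installing anything.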
For iOS:
Just create a new file called RCTHTTPRequestHandler+yourPatchName.m somewhere in your project (it must be compiled into the app target):
//
// RCTHTTPRequestHandler+yourPatchName.m
// Category that makes React Native's HTTP handler accept any server certificate.
//
#import "React/RCTBridgeModule.h"
#import "React/RCTHTTPRequestHandler.h"

@implementation RCTHTTPRequestHandler (yourPatchName)

// Session-level NSURLSessionDelegate callback, invoked for the TLS server-trust
// challenge of every connection opened by the handler's NSURLSession.
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler
{
  if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
    // Accept the presented chain unconditionally, without evaluating serverTrust.
    completionHandler(NSURLSessionAuthChallengeUseCredential,
                      [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
  } else {
    // Other challenge types (e.g. HTTP authentication) keep the system's default handling.
    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
  }
}

@end
After adding the file and rebuilding, the iOS build accepts the intercepting proxy's certificate. Two caveats: Objective-C gives undefined precedence to a category method whose selector the class or another category already implements, so this only works as long as nothing else in the project implements this delegate method on RCTHTTPRequestHandler; and, as on Android, keep the patch out of release builds, for example by wrapping the method body in #if DEBUG.