@azenla
Created October 11, 2019 22:26
This Frida script disables SSL pinning and verification on any target macOS Catalina process.
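/**
 * Look up the address of `exportName` inside the loaded module `moduleName`.
 *
 * Returns null when the module is not loaded or does not export the symbol,
 * so every hook further down can be skipped on its own with a plain
 * truthiness check. Frida releases before 17 expose the static
 * Module.findExportByName(module, name); Frida 17 removed that form in favour
 * of per-module lookups, so the static call is used only when it exists.
 *
 * @param {string} moduleName - Name of the loaded module to search.
 * @param {string} exportName - Exported symbol to resolve.
 * @returns {NativePointer|null} Address of the export, or null if absent.
 */
function findExport(moduleName, exportName) {
  if (typeof Module.findExportByName === 'function') {
    return Module.findExportByName(moduleName, exportName);
  }
  // find* (unlike get*) returns null instead of throwing when nothing matches.
  var loadedModule = Process.findModuleByName(moduleName);
  return loadedModule === null ?
      null :
      loadedModule.findExportByName(exportName);
}

// Certificate trust evaluation entry points exported by the Security module.
var SecTrustEvaluate_handle = findExport('Security', 'SecTrustEvaluate');
var SecTrustEvaluateWithError_handle =
    findExport('Security', 'SecTrustEvaluateWithError');

// TLS verification entry points exported by libboringssl.dylib.
var SSL_CTX_set_custom_verify_handle =
    findExport('libboringssl.dylib', 'SSL_CTX_set_custom_verify');
var SSL_get_psk_identity_handle =
    findExport('libboringssl.dylib', 'SSL_get_psk_identity');
var boringssl_context_set_verify_mode_handle =
    findExport('libboringssl.dylib', 'boringssl_context_set_verify_mode');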
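// Replace SecTrustEvaluateWithError(trust, error) so that it always reports a
// trusted chain. Effect inside the instrumented process: every caller of this
// API accepts whatever certificate chain the peer presents, so pinning or
// validation built on top of it no longer protects that process's traffic.
if (SecTrustEvaluateWithError_handle) {
  // Callable wrapper around the original export, used from the replacement.
  var SecTrustEvaluateWithError = new NativeFunction(
      SecTrustEvaluateWithError_handle, 'int', ['pointer', 'pointer']);
  Interceptor.replace(
      SecTrustEvaluateWithError_handle,
      new NativeCallback(function(trust, error) {
        console.log('[*] Called SecTrustEvaluateWithError()');
        // The real evaluation still runs, but with a NULL error slot and with
        // its return value ignored; only the fixed result below is reported.
        SecTrustEvaluateWithError(trust, NULL);
        // `error` is an optional out-parameter holding a pointer (CFErrorRef *).
        // Callers may pass NULL, and an unconditional write then faults at
        // address 0; when a slot is supplied, clear the whole pointer rather
        // than only its first byte.
        if (!error.isNull()) {
          error.writePointer(NULL);
        }
        // 1 == true: "the certificate chain is trusted".
        return 1;
      }, 'int', ['pointer', 'pointer']));
  console.log('[+] SecTrustEvaluateWithError() hook installed.');
}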
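// Replace the older SecTrustEvaluate(trust, result) API so that it always
// returns success and reports a "proceed" verdict. As with the other hooks,
// the process then accepts any certificate chain through this code path.
if (SecTrustEvaluate_handle) {
  // Callable wrapper around the original export, used from the replacement.
  var SecTrustEvaluate = new NativeFunction(
      SecTrustEvaluate_handle, 'int', ['pointer', 'pointer']);
  Interceptor.replace(
      SecTrustEvaluate_handle, new NativeCallback(function(trust, result) {
        console.log('[*] Called SecTrustEvaluate()');
        // Run the real evaluation; its status and verdict are overwritten
        // below.
        SecTrustEvaluate(trust, result);
        // `result` points at a 32-bit SecTrustResultType. Guard against a NULL
        // out-parameter (an unconditional write faults at address 0) and store
        // the full 32-bit value instead of a single byte.
        // 1 == kSecTrustResultProceed.
        if (!result.isNull()) {
          result.writeU32(1);
        }
        // 0 == errSecSuccess.
        return 0;
      }, 'int', ['pointer', 'pointer']));
  console.log('[+] SecTrustEvaluate() hook installed.');
}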
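// Replace SSL_CTX_set_custom_verify(ctx, mode, callback) so that whatever
// verifier the application registers is swapped for one that always accepts.
if (SSL_CTX_set_custom_verify_handle) {
  // Callable wrapper around the original export; the function returns void.
  var SSL_CTX_set_custom_verify = new NativeFunction(
      SSL_CTX_set_custom_verify_handle, 'void', ['pointer', 'int', 'pointer']);
  // Stand-in verifier handed to BoringSSL in place of the application's own.
  // Returning 0 reports a successful verification (ssl_verify_ok in
  // BoringSSL's headers -- confirm against the library version in use).
  var replaced_callback = new NativeCallback(function(ssl, out) {
    console.log('[*] Called custom SSL verifier');
    return 0;
  }, 'int', ['pointer', 'pointer']);
  Interceptor.replace(
      SSL_CTX_set_custom_verify_handle,
      // The replacement must be declared 'void' like the wrapper above: the
      // body returns nothing, and with an 'int' return type Frida raises
      // "Error: expected an integer" on every call.
      new NativeCallback(function(ctx, mode, callback) {
        console.log('[*] Called SSL_CTX_set_custom_verify()');
        // The caller's mode and callback are dropped: mode 0 and the
        // always-accepting verifier are registered instead.
        SSL_CTX_set_custom_verify(ctx, 0, replaced_callback);
      }, 'void', ['pointer', 'int', 'pointer']));
  console.log('[+] SSL_CTX_set_custom_verify() hook installed.');
}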
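// Replace SSL_get_psk_identity(ssl) so that it always returns a fixed,
// non-null identity string.
// NOTE(review): presumably this satisfies callers that look for a PSK identity
// before deciding how to verify the peer -- confirm against the target.
if (SSL_get_psk_identity_handle) {
  // The callback is declared to return 'pointer', so it has to hand back a
  // NativePointer; returning a JavaScript string makes Frida throw on each
  // call. The C string is allocated once and kept in a script-level variable
  // so the buffer stays alive for as long as the hook is installed.
  var fake_psk_identity = Memory.allocUtf8String('notarealPSKidentity');
  Interceptor.replace(
      SSL_get_psk_identity_handle, new NativeCallback(function(ssl) {
        console.log('[*] Called SSL_get_psk_identity_handle()');
        return fake_psk_identity;
      }, 'pointer', ['pointer']));
  console.log('[+] SSL_get_psk_identity() hook installed.');
}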
// Neutralise boringssl_context_set_verify_mode(): the replacement logs the
// call and returns 0 without forwarding to the original, so whatever verify
// mode the caller asks for is never applied.
if (boringssl_context_set_verify_mode_handle) {
  // Wrapper around the original export. Nothing in this script calls it.
  // NOTE(review): the ('int', [pointer, pointer]) signature is the script
  // author's choice and cannot be verified from this file.
  var boringssl_context_set_verify_mode = new NativeFunction(
      boringssl_context_set_verify_mode_handle, 'int', ['pointer', 'pointer']);

  // Arguments are named by position only; their meaning is not visible here.
  var verify_mode_stub = new NativeCallback(function(arg0, arg1) {
    console.log('[*] Called boringssl_context_set_verify_mode()');
    return 0;
  }, 'int', ['pointer', 'pointer']);

  Interceptor.replace(
      boringssl_context_set_verify_mode_handle, verify_mode_stub);
  console.log('[+] boringssl_context_set_verify_mode() hook installed.');
}
@AngeloD2022

Words cannot describe how thankful I am for this script. Bravo!

@savandriy

Worked like a charm! This is genius! Thank you 🙇‍♂️

@sappi13

sappi13 commented Jun 19, 2021

How to use it?

@azenla
Author

azenla commented Jun 19, 2021

How to use it?

Use Frida, example Python script usage here: https://github.com/kendfinger/AppleCache/tree/master/tools

@sappi13

sappi13 commented Jun 19, 2021

I am doing in below way and it is not doing anything

sappi@Ranjeets-MacBook-Pro platform-tools 2 % frida -U -l /Users/sappi/Downloads/platform-tools\ 2/ssl-bypass.js --no-paus -f com.twitter.android
     ____
    / _  |   Frida 14.2.18 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `com.twitter.android`. Resuming main thread!                
[Google Pixel XL::com.example.imagebackup]->

@savandriy

I am doing in below way and it is not doing anything

sappi@Ranjeets-MacBook-Pro platform-tools 2 % frida -U -l /Users/sappi/Downloads/platform-tools\ 2/ssl-bypass.js --no-paus -f com.twitter.android
     ____
    / _  |   Frida 14.2.18 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `com.twitter.android`. Resuming main thread!                
[Google Pixel XL::com.example.imagebackup]->

@sappi13
This Frida script is for disabling ssl pinning in programs on macOS Catalina.

For Android, try using https://github.com/sensepost/objection

@marvintkl

will it work on mojave?

@marvintkl

I'm looking for a way to bypass certificate-pinning for Mac AppStore on 10.14. Is it possible?

@fr0zenrain

Good job. In my test on Apple silicon 13.5, it has a bug?
[*] Called SSL_CTX_set_custom_verify()
Error: expected an integer
[*] Called boringssl_context_set_verify_mode()
....

[*] Called SecTrustEvaluateWithError()
[*] Called SecTrustEvaluate()
Error: access violation accessing 0x0

@Philip2809

As of Frida 17, they have changed the module api. https://frida.re/news/2025/05/17/frida-17-0-0-released/
Instead of Module.findExportByName('Security', 'SecTrustEvaluate'); it is now Process.getModuleByName('Security').getExportByName('SecTrustEvaluate')

So the first lines in the code should be

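// Frida 17 form of the export lookups. The find* variants are used instead of
// get*: getModuleByName()/getExportByName() throw when the module or symbol is
// missing, which would abort the whole script, whereas find* returns null so
// the script's `if (..._handle)` guards can skip just the unavailable hook.
var SecurityModule = Process.findModuleByName('Security');
var libboringsslModule = Process.findModuleByName('libboringssl.dylib');

var SecTrustEvaluate_handle = SecurityModule ?
    SecurityModule.findExportByName('SecTrustEvaluate') : null;
var SecTrustEvaluateWithError_handle = SecurityModule ?
    SecurityModule.findExportByName('SecTrustEvaluateWithError') : null;
var SSL_CTX_set_custom_verify_handle = libboringsslModule ?
    libboringsslModule.findExportByName('SSL_CTX_set_custom_verify') : null;
var SSL_get_psk_identity_handle = libboringsslModule ?
    libboringsslModule.findExportByName('SSL_get_psk_identity') : null;
var boringssl_context_set_verify_mode_handle = libboringsslModule ?
    libboringsslModule.findExportByName('boringssl_context_set_verify_mode') :
    null;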

@codezi

codezi commented Oct 26, 2025

Thank you @azenla for amazing code.
And thank you @Philip2809 for the fix.
Both of you saved my life.

@dwilliamsuk

Thank you @azenla and @Philip2809 - this combo was the only thing that worked for some system processes that I've been trying to hook to for the past hour.
