by sjtgraham 4187 days ago
I don't even attempt to circumvent SSL pinning. IMO it's easier and safer to use Cydia Substrate to decorate the networking classes to print args and return values to the console. I've reversed a few APIs in this way, including a bank's.

Note that the associated whitepaper discusses using Cydia -- specifically cycript -- to do the same thing.
Yes, oftentimes that can be sufficient if you just want to study the protocol or build a custom client. Oftentimes one would like to modify messages of the protocol in order to find flaws in either the server or the client, and the ability to man-in-the-middle the protocol makes that easier, in my opinion.

For completeness, the whitepaper is here: http://matasano.com/research/bypassing_openssl_pinning.pdf

Awesome article and white paper.
(Modifying the binary is much more fun to blog about, though.)
jerematasno, thanks for mentioning cycript. I didn't know about it. Just watched Saurik's intro video. Very fascinating.