February 24, 2026 · 8 min read

SSL Pinning in Uber, Amazon & E-Commerce Apps

Behavioral anomaly detection in Uber, AWS-LC native pinning in Amazon, and why e-commerce apps combine certificate validation with anti-scraping defenses.

E-commerce and ride-sharing apps face a unique challenge: they need to protect their APIs not just from security researchers, but from commercial scraping operations and competitive intelligence. Uber, Amazon, and similar apps combine SSL pinning with behavioral detection, device binding, and aggressive token rotation.

Uber: Behavioral Anomaly Detection

Uber's network security goes beyond standard certificate pinning. The app implements multi-tiered defenses designed to detect not just modified certificates, but modified environments and abnormal behavior patterns:

  • OkHttp CertificatePinner for standard HTTPS validation
  • Runtime checks for an attached debugger (isDebuggerConnected()), root status, and the Xposed framework
  • Behavioral detection that monitors request patterns, timing, and device fingerprints
  • Aggressive token rotation — sessions are short-lived and device-bound
  • App signing verification that detects repackaged APKs

When Uber detects an intercepting proxy, it doesn't just refuse connections — it may return CONNECTIVITY_ISSUE errors or silently shut down the app. Commercial scraping firms report that behavioral detection presents a "high residual risk" even after pinning is bypassed.

// Uber's layered security checks (illustrative: RootDetector, reportToBackend,
// terminateApp and DeviceFingerprintInterceptor stand for app-specific helpers).
// Even with pinning bypassed, these can block analysis:
import android.os.Debug;
import okhttp3.OkHttpClient;

public void initSecurity() {
    // Check for a rooted device and report it before exiting
    if (RootDetector.isRooted()) {
        reportToBackend("root_detected");
        terminateApp();
    }
    // Check for an attached debugger
    if (Debug.isDebuggerConnected()) {
        terminateApp();
    }
    // Initialize the pinned HTTP client; getUberPinner() returns the
    // okhttp3.CertificatePinner holding the SPKI pins for the API hosts
    OkHttpClient client = new OkHttpClient.Builder()
            .certificatePinner(getUberPinner())
            .addInterceptor(new DeviceFingerprintInterceptor())
            .build();
}
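The getUberPinner() call in the snippet above is the part that actually binds a connection to a known key. The following Go program is an added example, not Uber's or OkHttp's code, showing what such a pinner does underneath: it derives OkHttp-style "sha256/" pins from a certificate's SubjectPublicKeyInfo, matches hosts against a pin set using OkHttp's single-label wildcard rule, accepts a chain only when one of its certificates carries a pinned key, and attaches that check to a TLS client as a second step after ordinary CA validation. The host names, the self-signed certificates and the backup pin placeholder are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PinSet maps a host pattern (exact host, or "*.example.com") to accepted SPKI pins.
type PinSet map[string][]string

// SpkiPin computes the pin string OkHttp's CertificatePinner expects: "sha256/" plus
// base64(SHA-256 of the DER SubjectPublicKeyInfo). Pinning the key, not the
// certificate, survives renewal as long as the key pair is kept.
func SpkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// Matches applies OkHttp's single wildcard rule: "*.example.com" covers
// api.example.com but neither example.com itself nor a.b.example.com.
func Matches(pattern, host string) bool {
	if !strings.HasPrefix(pattern, "*.") {
		return strings.EqualFold(pattern, host)
	}
	suffix := pattern[1:] // ".example.com"
	label := strings.TrimSuffix(host, suffix)
	return strings.HasSuffix(host, suffix) && label != "" && !strings.Contains(label, ".")
}

// CheckPins succeeds if any certificate in the chain carries a pinned key for host.
// A host with no matching pattern is not pinned; ordinary chain validation still applies.
func CheckPins(pins PinSet, host string, chain []*x509.Certificate) error {
	var expected []string
	for pattern, p := range pins {
		if Matches(pattern, host) {
			expected = append(expected, p...)
		}
	}
	if len(expected) == 0 {
		return nil
	}
	for _, cert := range chain {
		for _, want := range expected {
			if SpkiPin(cert) == want {
				return nil
			}
		}
	}
	return fmt.Errorf("pinning failure for %s: no pinned key in chain", host)
}

// PinnedTLSConfig runs CheckPins after Go's normal chain verification has passed.
func PinnedTLSConfig(pins PinSet, host string) *tls.Config {
	return &tls.Config{ServerName: host,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			chain := make([]*x509.Certificate, 0, len(rawCerts))
			for _, raw := range rawCerts {
				c, err := x509.ParseCertificate(raw)
				if err != nil {
					return err
				}
				chain = append(chain, c)
			}
			return CheckPins(pins, host, chain)
		}}
}

// SelfSignedCert is a constructed fixture so the example runs offline.
func SelfSignedCert(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	leaf := SelfSignedCert("api.example.com")  // the key the app was built to expect
	other := SelfSignedCert("api.example.com") // same name, different key
	pins := PinSet{"*.example.com": {SpkiPin(leaf), "sha256/BACKUP_PIN_PLACEHOLDER="}}
	fmt.Println("expected key:", CheckPins(pins, "api.example.com", []*x509.Certificate{leaf}))
	fmt.Println("other key:   ", CheckPins(pins, "api.example.com", []*x509.Certificate{other}))
}
```

The second pin in the set stands for a backup key held offline: without one, a key rotation forces every installed client to be updated before it can connect again, which is why production pin sets carry at least two entries.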

The security research community uses uber-apk-signer for resigning decompiled APKs, along with Frida and Objection to strip FLAG_SECURE screen protections, bypass the CertificatePinner, and suppress root detection telemetry.

Amazon: AWS-LC Native Pinning

Amazon Shopping relies on AWS-LC, Amazon's own fork of BoringSSL, maintained for performance and compatibility with AWS infrastructure. This means the pinning operates at the same native level as in Meta's apps:

  • Certificate validation is performed natively via AWS-LC, not through Java's TrustManager
  • The app uses a distinctive TLS cipher-suite list for first-party domains
  • Pinning keys are tied to specific Amazon root CAs (historically Symantec Class 3 Secure Server CA)
  • Updates to the cryptographic layer mirror the AWS-LC upstream release cycle

Because standard Java hooks fail against AWS-LC (just as they fail against BoringSSL in Meta apps), researchers must use network-level routing modifications or custom Frida scripts targeting native BoringSSL verification functions.

# Force Amazon traffic through proxy on rooted device
# Using iptables to redirect native HTTPS traffic
iptables -t nat -A OUTPUT -p tcp --dport 443 \
    -j REDIRECT --to-port 8080

# Then run mitmproxy on port 8080
mitmproxy --mode transparent --listen-port 8080

The Anti-Scraping Dimension

Unlike social media apps, where the primary concern is user privacy, e-commerce apps protect their APIs primarily against competitive intelligence and price scraping. This adds further layers:

  • Rate limiting — APIs throttle requests based on device fingerprint, not just IP
  • Request signing — API calls include HMAC signatures computed from device-specific keys
  • Behavioral analysis — backend ML models flag abnormal browsing patterns
  • CAPTCHAs — triggered when automated behavior is suspected

Even with a pre-patched APK that disables pinning, you may need to use the app naturally (real touch events, realistic timing) to avoid triggering behavioral blocks. For Uber specifically, this makes automated traffic analysis significantly more challenging than one-time manual inspection.
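Two of the layers listed above, request signing with device-specific keys and rate limiting keyed by device rather than IP, are backend checks that pinning alone does not provide. The following Go program is an added example, not code from Uber, Amazon or any e-commerce SDK, showing how such a backend verifies a signed call: it recomputes the HMAC over a canonical string, rejects stale timestamps and replayed nonces, and only then charges the request against a per-device token bucket, so that a party who knows a device ID but not its key cannot exhaust that device's budget. The device key, IDs and request values are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// SignedRequest is what the app sends with each call; the device key never leaves the device.
type SignedRequest struct {
	DeviceID, Method, Path string
	Timestamp              int64  // Unix seconds from the device clock
	Nonce, Signature       string // random per request; hex HMAC-SHA256 over canonical()
}

// canonical is the exact byte string both sides MAC over; newlines keep field boundaries unambiguous.
func canonical(r SignedRequest) string {
	return fmt.Sprintf("%s\n%s\n%s\n%d\n%s", r.DeviceID, r.Method, r.Path, r.Timestamp, r.Nonce)
}

// Sign computes the request MAC with the device-specific key.
func Sign(r SignedRequest, deviceKey []byte) string {
	mac := hmac.New(sha256.New, deviceKey)
	mac.Write([]byte(canonical(r)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verifier is the backend side: per-device keys, a replay cache bounded by the window, a token bucket per device.
type Verifier struct {
	mu     sync.Mutex
	keys   map[string][]byte    // deviceID -> key issued at registration
	seen   map[string]time.Time // nonce -> when first accepted
	tokens map[string]float64   // deviceID -> remaining bucket tokens
	last   map[string]time.Time // deviceID -> last bucket update
	window time.Duration        // tolerated clock skew, also the replay horizon
	rate   float64              // sustained requests per second per device
	burst  float64              // short-term allowance
}

func NewVerifier(keys map[string][]byte, window time.Duration, rate, burst float64) *Verifier {
	return &Verifier{keys: keys, seen: map[string]time.Time{}, tokens: map[string]float64{}, last: map[string]time.Time{}, window: window, rate: rate, burst: burst}
}

// Verify checks freshness, the MAC, replay and the rate limit, in that order, so only authenticated requests consume budget.
func (v *Verifier) Verify(r SignedRequest, now time.Time) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	key, ok := v.keys[r.DeviceID]
	if !ok {
		return fmt.Errorf("unknown device %q", r.DeviceID)
	}
	if d := now.Sub(time.Unix(r.Timestamp, 0)); d > v.window || d < -v.window {
		return fmt.Errorf("timestamp outside %s window", v.window)
	}
	if subtle.ConstantTimeCompare([]byte(Sign(r, key)), []byte(r.Signature)) != 1 {
		return fmt.Errorf("bad signature")
	}
	if _, dup := v.seen[r.Nonce]; dup {
		return fmt.Errorf("replayed nonce %q", r.Nonce)
	}
	if !v.allow(r.DeviceID, now) {
		return fmt.Errorf("rate limit exceeded for device %q", r.DeviceID)
	}
	v.seen[r.Nonce] = now
	for n, t := range v.seen { // prune nonces older than the window so the cache stays bounded
		if now.Sub(t) > v.window {
			delete(v.seen, n)
		}
	}
	return nil
}

// allow is a per-device token bucket; the caller holds v.mu. An unseen device has a
// zero last time, so its elapsed credit saturates and is capped to a full bucket.
func (v *Verifier) allow(id string, now time.Time) bool {
	t := v.tokens[id] + now.Sub(v.last[id]).Seconds()*v.rate
	if t > v.burst {
		t = v.burst
	}
	v.last[id] = now
	if t < 1 {
		v.tokens[id] = t
		return false
	}
	v.tokens[id] = t - 1
	return true
}

func main() {
	key := []byte("constructed-device-key") // provisioned per device at registration
	v := NewVerifier(map[string][]byte{"dev-1": key}, 5*time.Minute, 1, 2)
	r := SignedRequest{DeviceID: "dev-1", Method: "GET", Path: "/v1/prices?sku=42", Timestamp: time.Now().Unix(), Nonce: "n1"}
	r.Signature = Sign(r, key)
	fmt.Println("first:", v.Verify(r, time.Now()), "| replay:", v.Verify(r, time.Now()))
}
```

For calls with a body, the canonical string would also carry a digest of the body so that a replayed signature cannot be paired with different content; the ordering of the checks is the design point, since a MAC failure costs one HMAC and no state, whereas a replay or rate-limit decision touches per-device state.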

Difficulty Assessment

  • Uber (Difficulty: 7/10) — OkHttp-based pinning is bypassable with universal Frida scripts, but behavioral detection and root checks add complexity. uber-apk-signer helps with APK repackaging.
  • Amazon (Difficulty: 6/10) — AWS-LC native pinning requires the same techniques as Meta apps. Less aggressive anti-tampering than Uber, but the native layer prevents Java-only approaches.

Skip the Complexity

Browse ready-to-use SSL unpinned APKs — install, proxy, inspect. No root, no Frida, no setup.