Is there no way to bypass certificate pinning without patching apps?
No, there is no way to bypass certificate pinning without application patching or using debugger (tracer). The reason is that, in simple words, certificate pinning is when a CA certificate is hardcoded into application. This application sets the certificate as the only root of trust to establish a network connection. On Android it's carried out via TrustManager
implementation.
You have the following options:
- Reverse engineer, modify and re-pack application.
- Attach Frida to unpin certificate (e.g. there is a code snippet for Android).
- Attach Frida to read traffic right before encryption.
You don't need root (superuser, jailbreak) using a Frida Gadget which should be injected into application before installation. E.g. see how to use Frida without root on Android.
Pay attention, that in some cases applications don't have a real certificate pinning. For instance, there is a known issue that Android applications by default have a trust to ONLY system certificate storage, therefore user's custom MITM certificate just doesn't work there by default.