Skip to content

mitmproxy/android-unpinner

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Android Unpinner

This tool removes certificate pinning from APKs.

  • Does not require root.
  • Uses frida-apk to mark app as debuggable. This is much less invasive than other approaches, only AndroidManifest.xml is touched within the APK.
  • Includes a custom Java Debug Wire Protocol implementation to inject the Frida Gadget via ADB.
  • Uses HTTPToolkit's excellent unpinning script to defeat certificate pinning.
  • Already includes all native dependencies for Windows/Linux/macOS (adb, apksigner, zipalign, aapt2).

The goal was not to build yet another unpinning tool, but to explore some newer avenues for non-rooted devices. Please shamelessly copy whatever idea you like into other tools. :-)

Installation

$ git clone https://github.com/mitmproxy/android-unpinner.git
$ cd android-unpinner
$ pip install -e .

Usage

Connect your device via USB and run the following command.

$ android-unpinner all httptoolkit-pinning-demo.apk

screenshot

See android-unpinner --help for usage details.

You can pull APKs from your device using android-unpinner list-packages and android-unpinner get-apks. Alternatively, you can download APKs from the internet, for example manually from apkpure.com or automatically using apkeep.

Comparison

Compared to using a rooted device, android-unpinner...

🟥 requires APK patching.
🟩 does not need to hide from root detection.

Compared to apk-mitm, android-unpinner...

🟥 requires active instrumentation from a desktop machine when launching the app.
🟩 allows more dynamic patching at runtime (thanks to Frida).
🟩 does less invasive APK patching, e.g. classes.dex stays as-is.

Compared to objection, android-unpinner...

🟥 supports only one feature (disable pinning) and no interactive analysis shell.
🟩 is easier to get started with, does not require additional dependencies.
🟩 does less invasive APK patching, e.g. classes.dex stays as-is.

Compared to frida + LIEF, android-unpinner...

🟥 modifies AndroidManifest.xml
🟩 is easier to get started with, does not require additional dependencies.
🟩 Does not require that the application includes a native library.

Licensing

This tool stands on the shoulders of giants.