
@derhuerst
Last active March 7, 2023 13:00
How to MITM Android apps using certificate pinning

How to intercept network traffic of Android apps

When you want to poke into the communication of an app.

This guide assumes you're using a UNIX-like operating system; the install commands below use Homebrew on macOS. Much of this is documented more in-depth in the objection wiki.

  1. Install Java 8: brew cask install homebrew/cask-versions/java8
  2. Install apktool: brew install apktool
  3. Install the Android SDK manager
    1. brew cask install android-sdk
    2. Change your $PATH to include the Android SDK dir:
      • with bash, put export ANDROID_SDK_ROOT='/usr/local/share/android-sdk' into your .bashrc
      • with fish, put set -gx ANDROID_SDK_ROOT '/usr/local/share/android-sdk' into your ~/.config/fish/config.fish
  4. Install the Android SDK build tools
    1. sdkmanager --update
    2. sdkmanager "build-tools;28.0.0-rc2" (the quotes matter: an unquoted ; ends the shell command)
    3. sdkmanager platform-tools
    4. Change your $PATH to include the newly downloaded tools:
      • with bash, put export PATH=$PATH:"$ANDROID_SDK_ROOT/tools":"$ANDROID_SDK_ROOT/build-tools/28.0.0-rc2":"$ANDROID_SDK_ROOT/platform-tools" into your .bashrc
      • with fish, put set -gx PATH $PATH $ANDROID_SDK_ROOT'/tools' $ANDROID_SDK_ROOT'/build-tools/28.0.0-rc2' $ANDROID_SDK_ROOT'/platform-tools' into your ~/.config/fish/config.fish
  5. Get an Android phone, connect it to your computer, allow USB debugging on the device.
  6. Download the app .apk archive (you may instead want to pull it from your phone).
    1. Find the ID of the app you want to analyse from the Play Store URL, e.g. de.hafas.android.db from https://play.google.com/store/apps/details?id=de.hafas.android.db.
    2. Navigate to apk-dl.com and download the app as an .apk archive.
  7. Find the architecture of your device: adb shell getprop ro.product.cpu.abi (I got arm64-v8a).
  8. Patch the .apk using objection
    1. Set up objection as described in its wiki. Use the virtualenv method to get a clean install without messing up your system.
    2. Patch the .apk by running objection patchapk -a <your-architecture> -s <path-to-apk-file>
  9. Load the app onto the device: adb uninstall <your-app-id> && adb install <path-to-patched-apk-file>
  10. Set up the HTTP proxy
    1. Get mitmproxy: brew install mitmproxy.
    2. Run the proxy with mitmproxy -p 8080.
    3. Get the local IP address of the computer where the proxy is running: ifconfig en0 | grep inet.
    4. Configure the Android device to use your proxy: adb shell settings put global http_proxy <proxy-ip-address>:8080.
  11. Run the app
    1. Open the app. The patched app starts the embedded Frida gadget and waits in a so-called "paused state" (its UI won't appear) until a client connects.
    2. Connect to the device using objection explore. Once this succeeds, you will get a shell and the app will open.
    3. In the objection shell, run android sslpinning disable to disable cert-pinning.
  12. Done! mitmproxy should now show you the network requests made by the app. If TLS connections still fail, additionally install mitmproxy's CA certificate on the device as a user certificate (open http://mitm.it in the device's browser while the proxy is set).
  13. To remove the global proxy on the device run:
    1. adb shell settings delete global http_proxy
    2. adb shell settings delete global global_http_proxy_host
    3. adb shell settings delete global global_http_proxy_port
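The device-side steps above (6 through 10 and 13), wrapped into shell functions as an added example. This script is not part of the gist; the function and subcommand names are mine, it assumes exactly one device is attached to adb, and it assumes objection's default output name of <name>.objection.apk for the patched file (adjust if your version differs). It goes slightly beyond the guide in that the ifconfig parser also understands the older Linux net-tools output, not only the macOS form step 10 greps for.

```shell
#!/bin/sh
# Added example (not from the gist): steps 6-10 and 13 of the guide as shell
# functions. Assumed, not from the page: the function and subcommand names, that
# exactly one device is attached, and that objection names its output
# <name>.objection.apk (its default; adjust if your version differs).
set -e

PROXY_PORT="${PROXY_PORT:-8080}"   # matches 'mitmproxy -p 8080' in step 10

# Turn 'adb shell pm path <id>' output (stdin) into plain file paths.
# Strips the 'package:' prefix and the '\r' older adb versions emit.
pm_path_to_files() {
  tr -d '\r' | sed -n 's/^package://p'
}

# Extract the first IPv4 address from ifconfig(8) output (stdin). Handles the
# macOS/BSD form 'inet 192.168.1.5 netmask ...' that step 10 greps for, and
# also the older Linux net-tools form 'inet addr:192.168.1.5  Bcast:...'.
first_inet_addr() {
  awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'
}

# True if the argument is a dotted quad with every octet in 0..255.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Value for 'settings put global http_proxy' (step 10.4), validated first so a
# typo does not leave the device pointed at an unreachable proxy.
proxy_setting() {
  is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
  printf '%s:%s\n' "$1" "${2:-$PROXY_PORT}"
}

# The ABIs an Android device can report via ro.product.cpu.abi (step 7).
known_abi() {
  case "$1" in
    armeabi-v7a|arm64-v8a|x86|x86_64) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 6, the "pull it from your phone" variant. Several output lines mean the
# app is installed as split APKs; objection patches a single file, so in that
# case download the full archive as the guide describes instead.
pull_apk() {
  adb shell pm path "$1" | pm_path_to_files | while read -r p; do
    adb pull "$p" "${2:-.}"
  done
}

# Steps 7-9: detect the ABI, patch with objection, reinstall the patched APK.
patch_and_install() {
  apk="$1"; app_id="$2"
  abi="$(adb shell getprop ro.product.cpu.abi | tr -d '\r')"
  known_abi "$abi" || { echo "unexpected ABI '$abi'" >&2; return 1; }
  objection patchapk -a "$abi" -s "$apk"
  adb uninstall "$app_id" || true          # harmless if not installed yet
  adb install "${apk%.apk}.objection.apk"  # assumed default output name
}

# Steps 10.3-10.4: point the device at the mitmproxy on this machine.
set_device_proxy() {
  ip="$(ifconfig "${1:-en0}" | first_inet_addr)"
  adb shell settings put global http_proxy "$(proxy_setting "$ip")"
}

# Step 13: remove the global proxy, otherwise the device stays offline once
# mitmproxy is stopped.
clear_device_proxy() {
  for key in http_proxy global_http_proxy_host global_http_proxy_port; do
    adb shell settings delete global "$key"
  done
}

# Usage: sh mitm-app.sh pull <app-id> | patch <apk> <app-id> | proxy [iface] | unproxy
if [ "$#" -gt 0 ]; then
  case "$1" in
    pull)    pull_apk "$2" ;;
    patch)   patch_and_install "$2" "$3" ;;
    proxy)   set_device_proxy "${2:-en0}" ;;
    unproxy) clear_device_proxy ;;
    *) echo "usage: $0 pull <app-id> | patch <apk> <app-id> | proxy [iface] | unproxy" >&2; exit 2 ;;
  esac
fi
```

Run it as sh mitm-app.sh patch app.apk de.hafas.android.db, then sh mitm-app.sh proxy en0 with mitmproxy already listening, and sh mitm-app.sh unproxy when you are done. The objection explore / android sslpinning disable part of step 11 is interactive and is left to the objection shell as the guide describes.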