This tool removes certificate pinning from APKs.
- Does not require root.
- Uses
frida-apk
to mark app as debuggable. This is much less invasive than other approaches, onlyAndroidManifest.xml
is touched within the APK. - Includes a custom Java Debug Wire Protocol implementation to inject the Frida Gadget via ADB.
- Uses HTTPToolkit's excellent unpinning script to defeat certificate pinning.
- Already includes all native dependencies for Windows/Linux/macOS (
adb
,apksigner
,zipalign
,aapt2
).
The goal was not to build yet another unpinning tool, but to explore some newer avenues for non-rooted devices. Please shamelessly copy whatever idea you like into other tools. :-)
$ git clone https://github.com/mitmproxy/android-unpinner.git
$ cd android-unpinner
$ pip install -e .
Connect your device via USB and run the following command.
$ android-unpinner all httptoolkit-pinning-demo.apk
See android-unpinner --help
for usage details.
You can pull APKs from your device using android-unpinner list-packages
and android-unpinner get-apks
.
Alternatively, you can download APKs from the internet, for example manually from apkpure.com or automatically
using apkeep.
Compared to using a rooted device, android-unpinner...
๐ฅ requires APK patching.
๐ฉ does not need to hide from root detection.
Compared to apk-mitm
, android-unpinner...
๐ฅ requires active instrumentation from a desktop machine when launching the app.
๐ฉ allows more dynamic patching at runtime (thanks to Frida).
๐ฉ does less invasive APK patching, e.g. classes.dex
stays as-is.
Compared to objection
, android-unpinner...
๐ฅ supports only one feature (disable pinning) and no interactive analysis shell.
๐ฉ is easier to get started with, does not require additional dependencies.
๐ฉ does less invasive APK patching, e.g. classes.dex
stays as-is.
Compared to frida
+ LIEF
,
android-unpinner...
๐ฅ modifies AndroidManifest.xml
๐ฉ is easier to get started with, does not require additional dependencies.
๐ฉ Does not require that the application includes a native library.
This tool stands on the shoulders of giants.
httptoolkit-pinning-demo.apk
is a copy of HTTP Toolkit's neat demo app available at https://github.com/httptoolkit/android-ssl-pinning-demo (Apache-2.0 License).scripts/httptoolkit-unpinner.js
is a copy of HTTP Toolkit's excellent unpinning script available at https://github.com/httptoolkit/frida-android-unpinning/ (Apache-2.0 License).android_unpinner/vendor/frida/
contains the fantastic Frida gadgets available at https://frida.re/ (wxWindows Library Licence, Version 3.1).android_unpinner/vendor/frida-tools/
is adapted from https://github.com/frida/frida-tools (wxWindows Library Licence, Version 3.1).android_unpinner/vendor/build_tools/
is a copy of some of Android's build tools (seeNOTICE.txt
therein for license).android_unpinner/vendor/platform_tools/
is a copy of some of Android's platform tools (seeNOTICE.txt
therein for license).- Code written here is licensed under the MIT license (https://github.com/mitmproxy/mitmproxy/blob/main/LICENSE).