Method 1: apk-mitm


Last updated 3 years ago

apk-mitm is a CLI application that prepares Android APK files for HTTPS inspection and automates the entire process. The How it Works section below has the details, but in summary all you have to do is give it an APK file and apk-mitm will:

  • decode the APK file using Apktool

  • modify the app's AndroidManifest.xml to make it debuggable

  • modify the app's Network Security Configuration to allow user-added certificates (see more details below)

  • insert return-void opcodes to disable certificate pinning logic

  • encode the patched APK file using Apktool

  • sign the patched APK file using uber-apk-signer

You can also use apk-mitm to patch apps using Android App Bundle, and rooting your phone is not required.

Requirements

  1. Apktool


Install Node JS

brew install nodejs            # macOS (Homebrew; npm is included)
sudo apt install nodejs npm    # Debian/Ubuntu (npm is a separate package)

Install/update apk-mitm

npm install -g apk-mitm
npm update -g apk-mitm

Patch APK

apk-mitm example.apk

The patched, signed file is written next to the input as example-patched.apk.

Install APK (with adb)

adb [-s DEVICE_ID] install example-patched.apk

The -s flag is only needed when more than one device or emulator is attached (adb devices lists the IDs). Because the patched APK is signed with a different key than the original, uninstall the original app first if it is already on the device; otherwise the install fails with a signature mismatch.

How it Works

Decode the APK file

Using Apktool.

Modify the app's AndroidManifest.xml

To make it debuggable.

Modify the app's Network Security Configuration

To allow user-added certificates. The Network Security Configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and for a specific app, so you can customize which Certificate Authorities (CAs) are trusted for an app's secure connections: for example, trusting particular self-signed certificates or restricting the set of public CAs that the app trusts. Since Android 7.0 (API level 24) apps no longer trust user-added CAs by default, which is why the proxy's CA installed on the device is ignored until this file says otherwise.

Once your target APK is properly disassembled, look for AndroidManifest.xml in the root folder and add the following attribute to the application element:

<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config" ... >
        ...
    </application>
</manifest>

That attribute points to the file res/xml/network_security_config.xml inside your project. If it doesn't exist, create it now and set its contents to the following:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

This rule tells the Android system to accept any system or user certificate, overriding the default behavior. If the app already ships a network_security_config.xml, replace its contents rather than merging: a <domain-config> with a <pin-set> would keep enforcing pins. Other overriding options, such as per-domain <domain-config> blocks or <debug-overrides> that apply only to debuggable builds, are described in the Android Network Security Configuration documentation.

Insert return-void opcodes

To disable certificate pinning logic: apk-mitm inserts return-void opcodes into the smali methods that implement the pinning check, so they return before verifying the chain.

Encode the patched APK file

Using Apktool.

Sign the patched APK file

Using uber-apk-signer.

If the app uses Google Maps and the map is broken after patching, the app's API key is probably restricted to the developer's certificate. You'll have to create your own API key without restrictions and replace it in the app's AndroidManifest.xml file.

If apk-mitm crashes while decoding or encoding, the issue is probably related to Apktool. Check their issues on GitHub to find possible workarounds. If you happen to find an Apktool version that's not affected by the issue, you can instruct apk-mitm to use it by specifying the path of its JAR file through the --apktool option.

You can now install the example-patched.apk file on your Android device and use a proxy like Charles, mitmproxy, Burp Suite, etc. to look at the app's traffic.
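The How it Works steps above, carried out by hand as an added example written for this page (it is not apk-mitm's own code): decode with Apktool, add the two manifest attributes, write the Network Security Configuration, insert return-void into the pinning methods, rebuild and sign. It assumes apktool is on PATH and uber-apk-signer.jar sits in the working directory (both paths assumed), and the two pinning signatures it patches (a custom X509TrustManager.checkServerTrusted and okhttp3 CertificatePinner.check) are a selection made for the example, not a complete list. The manifest and smali samples at the bottom are constructed so the patch functions can be tried without an APK.

```python
"""Manual version of the apk-mitm patch steps (illustration for this page, not
apk-mitm's code).  Assumed: `apktool` on PATH, uber-apk-signer.jar in the cwd."""
import subprocess
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)

# Same contents as the network_security_config.xml above: system CAs plus
# user-added CAs (the proxy's CA) are trusted for every host.
NETWORK_SECURITY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Void pinning-check methods to neutralise (a selection for this example, not a
# complete list).  Because they return void, `return-void` keeps callers intact.
PINNING_SIGNATURES = (
    "checkServerTrusted(",                         # custom X509TrustManager
    "check(Ljava/lang/String;Ljava/util/List;)V",  # okhttp3.CertificatePinner
)


def patch_manifest(xml_text: str) -> str:
    """Add android:debuggable and android:networkSecurityConfig to <application>."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("AndroidManifest.xml has no <application> element")
    app.set(f"{{{ANDROID_NS}}}debuggable", "true")
    app.set(f"{{{ANDROID_NS}}}networkSecurityConfig", "@xml/network_security_config")
    # ElementTree drops the XML declaration (and comments); apktool expects one.
    return '<?xml version="1.0" encoding="utf-8" standalone="no"?>\n' + ET.tostring(root, encoding="unicode")


def patch_smali(smali_text: str) -> str:
    """Insert `return-void` as the first instruction of each matching void method."""
    out, in_target = [], False
    for line in smali_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith(".method") and stripped.endswith(")V") and any(s in stripped for s in PINNING_SIGNATURES):
            in_target = True
        out.append(line)
        # apktool writes .locals/.registers before the first instruction of a body.
        if in_target and stripped.split(" ")[0] in (".locals", ".registers"):
            out.append("    return-void\n")
            in_target = False
        if stripped == ".end method":  # abstract methods have no body: nothing inserted
            in_target = False
    return "".join(out)


def patch_decoded_apk(decoded: Path) -> int:
    """Apply the patches to an `apktool d` output tree; returns the number of smali files changed."""
    manifest = decoded / "AndroidManifest.xml"
    manifest.write_text(patch_manifest(manifest.read_text()))
    nsc = decoded / "res" / "xml" / "network_security_config.xml"
    nsc.parent.mkdir(parents=True, exist_ok=True)
    nsc.write_text(NETWORK_SECURITY_CONFIG)  # overwrite: an existing file may carry <pin-set> entries
    changed = 0
    for smali in decoded.glob("smali*/**/*.smali"):
        original = smali.read_text()
        patched = patch_smali(original)
        if patched != original:
            smali.write_text(patched)
            changed += 1
    return changed


# Constructed samples (not from a real app) so the patch functions can be tried without an APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:label="Example" android:allowBackup="false">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""
SAMPLE_SMALI = """.class public Lcom/example/app/PinningTrustManager;
.super Ljava/lang/Object;

.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 1
    invoke-static {p1}, Lcom/example/app/Pins;->matches([Ljava/security/cert/X509Certificate;)Z
    move-result v0
    if-nez v0, :ok
    invoke-static {}, Lcom/example/app/Pins;->fail()V
    :ok
    return-void
.end method
"""

if __name__ == "__main__":
    apk = Path(sys.argv[1])  # e.g. example.apk -> example-patched.apk
    decoded = apk.with_name(apk.stem + "-decoded")
    patched_apk = apk.with_name(apk.stem + "-patched.apk")
    subprocess.run(["apktool", "d", "-f", str(apk), "-o", str(decoded)], check=True)
    print("smali files patched:", patch_decoded_apk(decoded))
    subprocess.run(["apktool", "b", str(decoded), "-o", str(patched_apk)], check=True)
    subprocess.run(["java", "-jar", "uber-apk-signer.jar", "--apks", str(patched_apk)], check=True)
```

Run it as `python3 patch_apk.py example.apk`. The smali patch only matches methods whose descriptor ends in `)V`: inserting return-void into a method that must return a value would produce a verifier error at install time, so non-void pinning helpers need a different stub. Matching on the method signature alone also means any class with a `check(String, List)V` method is patched, not just OkHttp's; narrow the match to the class path if that matters for your target.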
