Method 1: apk-mitm
apk-mitm is a CLI application that prepares Android APK files for HTTPS inspection and automates the entire process. The How it Works section below has more details, but in summary all you have to do is give it an APK file and apk-mitm will:
decode the APK file using Apktool
modify the app's AndroidManifest.xml to make it debuggable
modify the app's Network Security Configuration to allow user-added certificates
insert return-void opcodes to disable certificate pinning logic
encode the patched APK file using Apktool
sign the patched APK file using uber-apk-signer
You can also use apk-mitm to patch apps distributed as an Android App Bundle, and rooting your phone is not required.
Requirements
Apktool and uber-apk-signer, which apk-mitm drives for you; both are Java tools, so a Java runtime must be installed alongside Node.js.
Install Node.js (here with Homebrew on macOS)
brew install nodejs
Install/update apk-mitm
npm install -g apk-mitm

Patch APK
apk-mitm example.apk


If the app uses Google Maps and the map is broken after patching, the app's API key is probably restricted to the developer's signing certificate. You'll have to create your own API key without restrictions and replace it in the app's AndroidManifest.xml file.
If apk-mitm crashes while decoding or encoding, the issue is probably related to Apktool. Check their issues on GitHub for possible workarounds. If you find an Apktool version that's not affected by the issue, you can instruct apk-mitm to use it by specifying the path of its JAR file through the --apktool option.
You can now install the example-patched.apk file on your Android device and use a proxy like Charles, mitmproxy or Burp Suite to look at the app's traffic. Install the proxy's CA certificate on the device as a user certificate first; that is the trust store the patched Network Security Configuration makes the app accept. If the original app is already installed, uninstall it first: the patched APK carries a different signature and Android refuses to update an app across signing keys.
Install APK (from adb)
adb [-s DEVICE_ID] install example-patched.apk

How it Works
Decode the APK file
Using Apktool
Modify the app's AndroidManifest.xml
To make it debuggable
Modify the app's Network Security Configuration
To allow user-added certificates. The Network Security Configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and for a specific app, so you can customize which Certificate Authorities (CAs) are trusted for an app's secure connections, for example trusting particular self-signed certificates or restricting the set of public CAs that the app trusts.
Once your target APK is properly disassembled, look for AndroidManifest.xml in the root folder and add the following attribute to the application element:
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config" ... >
        ...
    </application>
</manifest>
That attribute points to the file res/xml/network_security_config.xml inside your project. If it doesn't exist, create it now with the following contents:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
This configuration tells the Android system to trust both the preinstalled system CAs and any user-added CA for every connection the app makes, overriding the default. That default is the reason the edit is needed: apps targeting Android 7.0 (API level 24) or higher trust only system CAs out of the box, so a proxy's CA installed through the device settings is ignored until the app opts in like this. The Android Network Security Configuration documentation describes the other overriding options, such as per-domain settings.
Insert return-void opcodes
To disable certificate pinning logic. Apktool decodes the app's Dalvik bytecode to smali, so the body of a method that checks pins can be replaced with a bare return-void: the method is still called, but returns immediately instead of throwing on an unexpected certificate.
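The manifest/Network Security Configuration edit and the return-void patch, done by hand in Python on a tree produced by apktool d, as an added example that is not apk-mitm's own code. The sample manifest and smali embedded below are constructed: the smali is a cut-down imitation of OkHttp's CertificatePinner, not real decompiler output, and the file names follow the layout described above.

```python
"""Added example (not apk-mitm's own code): the manifest / Network Security Configuration
edit and the return-void method patch, done by hand on a decoded (apktool d) APK tree.
File names and the sample smali/manifest below are constructed assumptions."""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix when writing

NSC_XML = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

def patch_manifest(decoded_dir: Path, debuggable: bool = True) -> Path:
    """Point <application> at our NSC (replacing any config the app shipped), mark it
    debuggable, and write res/xml/network_security_config.xml. Returns the NSC path."""
    manifest = decoded_dir / "AndroidManifest.xml"
    tree = ET.parse(manifest)
    app = tree.getroot().find("application")
    if app is None:
        raise ValueError("AndroidManifest.xml has no <application> element")
    app.set(f"{{{ANDROID_NS}}}networkSecurityConfig", "@xml/network_security_config")
    if debuggable:
        app.set(f"{{{ANDROID_NS}}}debuggable", "true")
    tree.write(manifest, encoding="utf-8", xml_declaration=True)
    nsc = decoded_dir / "res" / "xml" / "network_security_config.xml"
    nsc.parent.mkdir(parents=True, exist_ok=True)
    nsc.write_text(NSC_XML, encoding="utf-8")
    return nsc

METHOD_BLOCK = re.compile(r"^(\.method [^\n]*)\n(.*?)^\.end method", re.S | re.M)

def neutralise_method(smali: str, method_name: str):
    """Replace the body of every concrete void method called `method_name` with a bare
    return-void. Non-void, abstract and native methods are skipped (return-void would not
    verify there) and reported. Returns (patched_text, patched_count, skipped_signatures)."""
    patched, skipped = 0, []

    def repl(m):
        nonlocal patched
        header = m.group(1)
        sig = header.split()[-1]  # e.g. check(Ljava/lang/String;Ljava/util/List;)V
        name, _, rest = sig.partition("(")
        if name != method_name:
            return m.group(0)
        if not rest.endswith(")V") or {"abstract", "native"} & set(header.split()):
            skipped.append(sig)
            return m.group(0)
        patched += 1
        return f"{header}\n    .locals 0\n    return-void\n.end method"

    return METHOD_BLOCK.sub(repl, smali), patched, skipped

# Constructed, cut-down smali in the shape of OkHttp's CertificatePinner (not real decompiler output).
SAMPLE_SMALI = """\
.class public final Lokhttp3/CertificatePinner;
.super Ljava/lang/Object;
.method public final check(Ljava/lang/String;Ljava/util/List;)V
    .locals 2
    new-instance v0, Ljavax/net/ssl/SSLPeerUnverifiedException;
    const-string v1, "Certificate pinning failure!"
    invoke-direct {v0, v1}, Ljavax/net/ssl/SSLPeerUnverifiedException;-><init>(Ljava/lang/String;)V
    throw v0
.end method
.method public final findMatchingPins(Ljava/lang/String;)Ljava/util/List;
    .locals 1
    const/4 v0, 0x0
    return-object v0
.end method
"""

# Constructed minimal manifest in the form apktool decodes it to.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:label="Example">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

def demo_manifest_patch() -> dict:
    """Run patch_manifest on the sample tree in a temp dir and read the result back."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "AndroidManifest.xml").write_text(SAMPLE_MANIFEST, encoding="utf-8")
        nsc = patch_manifest(root)
        app = ET.parse(root / "AndroidManifest.xml").getroot().find("application")
        return {
            "nsc_attr": app.get(f"{{{ANDROID_NS}}}networkSecurityConfig"),
            "debuggable": app.get(f"{{{ANDROID_NS}}}debuggable"),
            "label": app.get(f"{{{ANDROID_NS}}}label"),
            "nsc_file": nsc.relative_to(root).as_posix(),
            "trusts_user_cas": '<certificates src="user" />' in nsc.read_text(encoding="utf-8"),
        }

if __name__ == "__main__":
    print(demo_manifest_patch())
    text, n, skipped = neutralise_method(SAMPLE_SMALI, "check")
    print(f"patched {n} method(s), skipped {skipped}\n{text}")
```

Point patch_manifest at the directory apktool d produced, run neutralise_method over the smali files that contain the pinning check, then rebuild with apktool b and sign. The skipped list is the reason for the void check: a method such as findMatchingPins returns an object, so forcing return-void into it would fail bytecode verification and the app would crash at class load instead of quietly skipping pinning.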
Encode the patched APK file
Using Apktool
Sign the patched APK file
Using uber-apk-signer. Android refuses to install an unsigned APK, and since the developer's key is not available the patched file is signed with a different one. That is why an installed copy of the original app has to be uninstalled before the patched one goes on, and why API keys restricted to the developer's certificate (the Google Maps case above) stop working.