search

Method 1: apk-mitm

apk-mitmarrow-up-right is a CLI application that prepares Android APK files for HTTPS inspection that automates the entire process. In the How it Worksarrow-up-right section you will find more details, but as a summary all you have to do is give it an APK file and apk-mitm will:

You can also use apk-mitm to patch apps using Android App Bundlearrow-up-right and rooting your phone is not required.

hashtag
Requirements

  1. Node JSarrow-up-right

  2. apk-mitmarrow-up-right

  3. Apktool

apk-mitm automates the entire process. All you have to do is give it an APK file and apk-mitm will:

hashtag
Install Node JS

hashtag
Install/update apk-mitm

hashtag
Patch APK

circle-exclamation

If the app uses Google Maps and the map is broken after patching, then the app's API key is probably restricted to the developer's certificatearrow-up-right. You'll have to create your own API keyarrow-up-right without restrictions and replace it in the app's AndroidManifest.xml file.

If apk-mitm crashes while decoding or encoding the issue is probably related to Apktoolarrow-up-right. Check their issues on GitHubarrow-up-right to find possible workarounds. If you happen to find an Apktool version that's not affected by the issue, you can instruct apk-mitm to use it by specifying the path of its JAR file through the --apktool option.

You can now install the example-patched.apk file on your Android device and use a proxy like Charlesarrow-up-right, mitmproxyarrow-up-right, Burp Suitearrow-up-right, etc, to look at the app's traffic.

hashtag
Install APK (from adb)

hashtag
How it Works

hashtag
Decode the APK file

Using Apktoolarrow-up-right

hashtag
Modify the app's AndroidManifest.xml

To make it debuggablearrow-up-right

hashtag
Modify the app's Network Security Configurationarrow-up-right

To allow user-added certificates. The Network Security Configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and for a specific app. So you can customize which Certificate Authorities (CA) are trusted for an app's secure connections. For example, trusting particular self-signed certificates or restricting the set of public CAs that the app trusts.

Once your target APK is properly disassembled, look for AndroidManifest.xml at the root folder and add the following attribute to the application element:

That attribute points to the file res/xml/network_security_config.xml inside your project. If it doesn't, create it now and change its contents to be like this:

This rule tells the Android system to accept any system or user certificates, overriding default behavior. See this pagearrow-up-right for other overriding options.

hashtag
insert return-void opcodesarrow-up-right

To disable certificate pinningarrow-up-right logic

hashtag
Encode the patched APK file

Using Apktoolarrow-up-right

hashtag
Sign the patched APK file

Using uber-apk-signerarrow-up-right

PreviousBypass SSL Pinning - non-rooted devicesNextInstrumentation with Frida and Objection

Last updated