Android Unpinner

This tool removes certificate pinning from APKs.

Work in progress. Highlights include:

  • Does not require root.
  • Uses frida-apk to mark app as debuggable.
    This is much less invasive than other approaches: classes.dex and all resources remain unmodified.
  • Includes a new/custom Java Debug Wire Protocol (JDWP) implementation to inject the Frida Gadget via ADB.
  • Uses HTTPToolkit’s unpinning script to defeat certificate pinning
    (https://github.com/httptoolkit/frida-android-unpinning)
  • Already includes all native dependencies (adb, apksigner, zipalign, aapt2) for Windows/Linux/macOS.
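To make the JDWP step above concrete, here is an added illustration (not code from android-unpinner or its jdwplib.py) of the wire framing that any JDWP client, including a debugger attached over ADB, has to speak: the handshake string, the 11-byte command header, and a reply carrying the VirtualMachine.Version fields. A VM only answers on this channel when the app is debuggable, which is why the manifest flag this tool sets is the one thing a release build must not ship with. The sample reply bytes are constructed inline, not captured from a device.

```python
import struct

# JDWP wire framing, as documented in the JDWP specification.
JDWP_HANDSHAKE = b"JDWP-Handshake"   # sent by the client, echoed back by the VM
FLAG_REPLY = 0x80                    # set in the flags byte of every reply packet
VM_VERSION = (1, 1)                  # command set VirtualMachine (1), command Version (1)

def encode_string(s: str) -> bytes:
    """JDWP string: u32 byte length followed by UTF-8 bytes."""
    raw = s.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw

def decode_string(data: bytes, offset: int = 0):
    """Return (string, offset_after_string) for a JDWP string at offset."""
    (n,) = struct.unpack_from(">I", data, offset)
    start = offset + 4
    return data[start:start + n].decode("utf-8"), start + n

def build_command(packet_id: int, command_set: int, command: int, payload: bytes = b"") -> bytes:
    """Frame a command packet: header (length, id, flags=0, cmdset, cmd) + payload."""
    return struct.pack(">IIBBB", 11 + len(payload), packet_id, 0, command_set, command) + payload

def parse_packet(buf: bytes) -> dict:
    """Parse one command or reply packet; the length field must cover the whole buffer."""
    if len(buf) < 11:
        raise ValueError("packet shorter than the 11-byte JDWP header")
    length, packet_id, flags = struct.unpack_from(">IIB", buf, 0)
    if length != len(buf):
        raise ValueError(f"length field {length} does not match {len(buf)} bytes")
    if flags & FLAG_REPLY:
        (error,) = struct.unpack_from(">H", buf, 9)   # replies carry an error code, not a command
        return {"id": packet_id, "reply": True, "error": error, "data": buf[11:]}
    return {"id": packet_id, "reply": False, "command_set": buf[9], "command": buf[10], "data": buf[11:]}

def parse_version_reply(buf: bytes) -> dict:
    """Decode a VirtualMachine.Version reply body: description, jdwpMajor, jdwpMinor, vmVersion, vmName."""
    pkt = parse_packet(buf)
    if not pkt["reply"] or pkt["error"] != 0:
        raise ValueError(f"not a successful reply: {pkt}")
    data = pkt["data"]
    description, off = decode_string(data, 0)
    major, minor = struct.unpack_from(">ii", data, off)
    vm_version, off = decode_string(data, off + 8)
    vm_name, off = decode_string(data, off)
    return {"description": description, "jdwp_major": major, "jdwp_minor": minor,
            "vm_version": vm_version, "vm_name": vm_name}

# Constructed sample exchange (not captured from a real device).
REQUEST = build_command(1, *VM_VERSION)
_body = (encode_string("Java Debug Wire Protocol (constructed sample)") + struct.pack(">ii", 1, 8)
         + encode_string("2.1.0") + encode_string("Dalvik"))
SAMPLE_REPLY = struct.pack(">IIBH", 11 + len(_body), 1, FLAG_REPLY, 0) + _body
```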

The goal is not to build yet another unpinning tool, but to explore some newer avenues.
Hopefully the good parts are copied by the existing tools. 🙂

Usage

Prerequisites: Connect your phone via USB/start your emulator and then obtain the APK you are interested in.

$ android-unpinner run pinning-demo.apk


Comparison

Compared to apk-mitm:

🟥 Requires active instrumentation from a desktop machine when launching the app.
🟩 The apk patching however is much less invasive, classes.dex stays as-is.
🟩 Frida potentially allows more dynamic/better patching at runtime.

Compared to objection:

🟥 No interactive analysis.
🟩 Easier to get started, no additional dependencies.
🟩 The apk patching is much less invasive, classes.dex stays as-is.

Compared to frida + LIEF:

🟩 Does not require that the application has a native library.
🟥 Modifies AndroidManifest.xml.

Licensing

Please note that android_unpinner/vendor is a hodgepodge of different licenses.
Everything new here is licensed under MIT (in particular jdwplib.py).
