This tool removes certificate pinning from APKs.
- Does not require root.
- Uses
frida-apkto mark app as debuggable. This is much less invasive than other approaches, onlyAndroidManifest.xmlis touched within the APK. - Includes a custom Java Debug Wire Protocol implementation to inject the Frida Gadget via ADB.
- Uses HTTPToolkit's excellent unpinning script to defeat certificate pinning.
- Already includes all native dependencies for Windows/Linux/macOS (
adb,apksigner,zipalign,aapt2). - Handles XAPKs by extracting the split APKs, unpinning them and installing them with
adb install-multiple.
The goal was not to build yet another unpinning tool, but to explore some newer avenues for non-rooted devices. Please shamelessly copy whatever idea you like into other tools. :-)
Using uv, you can install the tool with a single command:
uv tool install git+https://github.com/mitmproxy/android-unpinnerAlternatively, you can install it manually:
$ git clone https://github.com/mitmproxy/android-unpinner.git
$ cd android-unpinner
$ pip install -e .Connect your device via USB and run the following command.
$ android-unpinner all httptoolkit-pinning-demo.apk
See android-unpinner --help for further usage details.
You can pull APKs from your device using android-unpinner list-packages and android-unpinner get-apks.
Alternatively, you can download APKs from the internet, for example manually from apkpure.com or automatically
using apkeep.
Please keep in mind that for most unpinning hooks to function properly, it is
strongly advised to specify a custom script directory that includes your Frida
unpinning scripts using the --custom-script-dir option. Currently, some of
the built-in unpinning hooks may not work, as they rely on hooking most pinning
methods by accepting a specific SSL certificate, which is stored in the
CERT_PEM variable inside the builtin unpinning scripts.
Compared to using a rooted device, android-unpinner...
🟥 requires APK patching. 🟩 does not need to hide from root detection.
Compared to apk-mitm, android-unpinner...
🟥 requires active instrumentation from a desktop machine when launching the app.
🟩 allows more dynamic patching at runtime (thanks to Frida).
🟩 does less invasive APK patching, e.g. classes.dex stays as-is.
Compared to objection, android-unpinner...
🟥 supports only one feature (disable pinning) and no interactive analysis shell.
🟩 is easier to get started with, does not require additional dependencies.
🟩 does less invasive APK patching, e.g. classes.dex stays as-is.
Compared to frida + LIEF,
android-unpinner...
🟥 modifies AndroidManifest.xml
🟩 is easier to get started with, does not require additional dependencies.
🟩 Does not require that the application includes a native library.
This tool stands on the shoulders of giants.
httptoolkit-pinning-demo.apkis a copy of HTTP Toolkit's neat demo app available at https://github.com/httptoolkit/android-ssl-pinning-demo (Apache-2.0 License).scripts/httptoolkit-unpinner.jsis a copy of HTTP Toolkit's excellent unpinning script available at https://github.com/httptoolkit/frida-android-unpinning/ (AGPL License, Version 3.0 or later).android_unpinner/vendor/frida/contains the fantastic Frida gadgets available at https://frida.re/ (wxWindows Library Licence, Version 3.1).android_unpinner/vendor/frida-tools/is adapted from https://github.com/frida/frida-tools (wxWindows Library Licence, Version 3.1).android_unpinner/vendor/build_tools/is a copy of some of Android's build tools (seeNOTICE.txttherein for license).android_unpinner/vendor/platform_tools/is a copy of some of Android's platform tools (seeNOTICE.txttherein for license).- Code written here is licensed under the MIT license (https://github.com/mitmproxy/mitmproxy/blob/main/LICENSE).