This tool removes certificate pinning from APKs.
- Does not require root.
- Uses
frida-apkto mark app as debuggable. This is much less invasive than other approaches, onlyAndroidManifest.xmlis touched within the APK. - Includes a custom Java Debug Wire Protocol implementation to inject the Frida Gadget via ADB.
- Uses HTTPToolkit's excellent unpinning script to defeat certificate pinning.
- Already includes all native dependencies for Windows/Linux/macOS (
adb,apksigner,zipalign,aapt2). - Handles XAPKs by extracting the split APKs, unpinning them and installing them with
adb install-multiple.
The goal was not to build yet another unpinning tool, but to explore some newer avenues for non-rooted devices. Please shamelessly copy whatever idea you like into other tools. :-)
Using uv, you can install the tool with a single command:
uv tool install git+https://github.com/mitmproxy/android-unpinnerAlternatively, you can install it manually:
$ git clone https://github.com/mitmproxy/android-unpinner.git
$ cd android-unpinner
$ pip install -e .Connect your device via USB and run the following command.
$ android-unpinner all httptoolkit-pinning-demo.apk
See android-unpinner --help for usage details.
You can pull APKs from your device using android-unpinner list-packages and android-unpinner get-apks.
Alternatively, you can download APKs from the internet, for example manually from apkpure.com or automatically
using apkeep.
Compared to using a rooted device, android-unpinner...
🟥 requires APK patching. 🟩 does not need to hide from root detection.
Compared to apk-mitm, android-unpinner...
🟥 requires active instrumentation from a desktop machine when launching the app.
🟩 allows more dynamic patching at runtime (thanks to Frida).
🟩 does less invasive APK patching, e.g. classes.dex stays as-is.
Compared to objection, android-unpinner...
🟥 supports only one feature (disable pinning) and no interactive analysis shell.
🟩 is easier to get started with, does not require additional dependencies.
🟩 does less invasive APK patching, e.g. classes.dex stays as-is.
Compared to frida + LIEF,
android-unpinner...
🟥 modifies AndroidManifest.xml
🟩 is easier to get started with, does not require additional dependencies.
🟩 Does not require that the application includes a native library.
This tool stands on the shoulders of giants.
httptoolkit-pinning-demo.apkis a copy of HTTP Toolkit's neat demo app available at https://github.com/httptoolkit/android-ssl-pinning-demo (Apache-2.0 License).scripts/httptoolkit-unpinner.jsis a copy of HTTP Toolkit's excellent unpinning script available at https://github.com/httptoolkit/frida-android-unpinning/ (AGPL License, Version 3.0 or later).android_unpinner/vendor/frida/contains the fantastic Frida gadgets available at https://frida.re/ (wxWindows Library Licence, Version 3.1).android_unpinner/vendor/frida-tools/is adapted from https://github.com/frida/frida-tools (wxWindows Library Licence, Version 3.1).android_unpinner/vendor/build_tools/is a copy of some of Android's build tools (seeNOTICE.txttherein for license).android_unpinner/vendor/platform_tools/is a copy of some of Android's platform tools (seeNOTICE.txttherein for license).- Code written here is licensed under the MIT license (https://github.com/mitmproxy/mitmproxy/blob/main/LICENSE).