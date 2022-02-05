A CLI application that automatically prepares Android APK files for HTTPS inspection
Inspecting a mobile app's HTTPS traffic using a proxy is probably the easiest way to figure out how it works. However, with the Network Security Configuration introduced in Android 7 and app developers trying to prevent MITM attacks using certificate pinning, getting an app to work with an HTTPS proxy has become quite tedious.
apk-mitm automates the entire process. All you have to do is give it an APK file and apk-mitm will:
You can also use apk-mitm to patch apps using Android App Bundle, and rooting your phone is not required.
If you have an up-to-date version of Node.js (14+) and Java (8+), you can install apk-mitm by running:
$ npm install -g apk-mitm
Once installed, you can run this command to patch an app:
$ apk-mitm <path-to-apk>
So, if your APK file is called example.apk, you'd run:
$ apk-mitm example.apk
✔ Decoding APK file
✔ Modifying app manifest
✔ Replacing network security config
✔ Disabling certificate pinning
✔ Encoding patched APK file
✔ Signing patched APK file
Done! Patched APK: ./example-patched.apk
You can now install the example-patched.apk file on your Android device and use a proxy like Charles or mitmproxy to look at the app's traffic.
You can also patch apps using Android App Bundle with apk-mitm by providing it with a *.xapk file (for example from APKPure) or a *.apks file (which you can export yourself using SAI). If you're doing this on Linux, make sure that both zip and unzip are installed.
Sometimes you'll need to make manual changes to an app in order to get it to work. In these cases the --wait option is what you need. Enabling it will make apk-mitm wait before re-encoding the app, allowing you to make changes to the files in the temporary directory.
If you want to experiment with different changes to an APK, then using --wait is probably not the most convenient option, as it forces you to start from scratch every time you use it. In this case you might want to take a look at APKLab. It's an Android reverse engineering workbench built on top of VS Code that comes with apk-mitm support and should allow you to iterate much more quickly.
On some devices (like Android TVs) you might not be able to add a new certificate to the system's root certificates. In those cases you can still add your proxy's certificate directly to the app's Network Security Config, since that will work on any device. You can accomplish this by running apk-mitm with the --certificate flag set to the path of the certificate (.pem or .der file) used by your proxy.
If the app uses Google Maps and the map is broken after patching, then the app's API key is probably restricted to the developer's certificate. You'll have to create your own API key without restrictions and run apk-mitm with the --wait option to be able to replace the com.google.android.geo.API_KEY value in the app's AndroidManifest.xml file.
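The two --wait workflows above (checking that the app's Network Security Config actually trusts your proxy certificate, and swapping the Google Maps API key in AndroidManifest.xml) are easy to get wrong by hand. The following helpers are an added example, not part of apk-mitm or its documentation. They assume the directory layout Apktool produces when decoding (AndroidManifest.xml at the root, XML resources under res/xml/), and the function names, the sample manifest and the PLACEHOLDER_DEVELOPER_KEY value are constructed for illustration.

```python
"""Helpers for inspecting an Apktool-decoded app directory during `apk-mitm --wait`.
Added example: not apk-mitm's own code. Assumes Apktool's decoded layout
(AndroidManifest.xml at the root, res/xml/<name>.xml for XML resources)."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS               # Clark notation ElementTree uses for android: attributes
ET.register_namespace("android", ANDROID_NS)  # keep the 'android:' prefix when writing back

MAPS_KEY_NAME = "com.google.android.geo.API_KEY"


def trusted_anchor_sources(decoded_dir):
    """Return the certificate sources the app's <base-config> trusts
    ('system', 'user' or '@raw/<name>'), or [] if the manifest references no
    Network Security Config or the config has no <base-config>."""
    root = Path(decoded_dir)
    manifest = ET.parse(root / "AndroidManifest.xml").getroot()
    app = manifest.find("application")
    ref = app.get(A + "networkSecurityConfig") if app is not None else None
    if not ref or not ref.startswith("@xml/"):
        return []
    config_path = root / "res" / "xml" / (ref[len("@xml/"):] + ".xml")
    base = ET.parse(config_path).getroot().find("base-config")
    if base is None:
        return []
    return [c.get("src") for c in base.iter("certificates") if c.get("src")]


def proxy_cert_is_trusted(decoded_dir):
    """True when the base-config trusts user-installed CAs (the common patch) or
    any certificate bundled as a raw resource (what --certificate relies on)."""
    return any(src == "user" or src.startswith("@raw/")
               for src in trusted_anchor_sources(decoded_dir))


def replace_maps_api_key(decoded_dir, new_key):
    """Rewrite the android:value of the Google Maps <meta-data> element in place.
    Returns the previous key, or None if the app declares no Maps key."""
    path = Path(decoded_dir) / "AndroidManifest.xml"
    tree = ET.parse(path)
    for meta in tree.getroot().iter("meta-data"):
        if meta.get(A + "name") == MAPS_KEY_NAME:
            old = meta.get(A + "value")
            meta.set(A + "value", new_key)
            tree.write(path, encoding="utf-8", xml_declaration=True)
            return old
    return None


# Constructed sample input, shaped like a minimal decoded app (not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:networkSecurityConfig="@xml/network_security_config">
        <meta-data android:name="com.google.android.geo.API_KEY"
                   android:value="PLACEHOLDER_DEVELOPER_KEY"/>
    </application>
</manifest>
"""

SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>
"""


def make_sample_decoded_dir():
    """Create a throwaway directory with the constructed sample files above."""
    root = Path(tempfile.mkdtemp(prefix="apk-mitm-sample-"))
    (root / "res" / "xml").mkdir(parents=True)
    (root / "AndroidManifest.xml").write_text(SAMPLE_MANIFEST, encoding="utf-8")
    (root / "res" / "xml" / "network_security_config.xml").write_text(SAMPLE_NSC, encoding="utf-8")
    return root


if __name__ == "__main__":
    d = make_sample_decoded_dir()
    print("trusted sources:", trusted_anchor_sources(d))
    print("proxy cert trusted:", proxy_cert_is_trusted(d))
    print("old Maps key:", replace_maps_api_key(d, "MY_UNRESTRICTED_KEY"))
```

Run it against the temporary directory apk-mitm prints when --wait pauses (pass that path instead of the constructed sample): proxy_cert_is_trusted tells you whether the trust-anchors patch landed before you let the tool re-encode, and replace_maps_api_key swaps in your own unrestricted key without touching the rest of the manifest. If trusted_anchor_sources returns only 'system', the app will still reject a proxy certificate that is installed as a user CA.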
If apk-mitm crashes while decoding or encoding, the issue is probably related to Apktool. Check their issues on GitHub to find possible workarounds. If you happen to find an Apktool version that's not affected by the issue, you can instruct apk-mitm to use it by specifying the path of its JAR file through the --apktool option.
MIT © Niklas Higi
I have been using this to build patched APKs; this APK also works with a proxy server. I have come up with very few APKs this works with. All the issues/bugs or errors are defined as proper messages to patch split APKs and come up with detailed, to-the-point possible errors and keep going. It works well with a proxy and overall is easy to use and comes with good documentation.
I've used it to successfully build a patched APK that works with Charles proxy. It works with a few APKs I've tried but seems to break with the Instagram APK. The error messages to patch split APKs were detailed enough to point to possible steps to get it working. All in all, a pretty handy tool that works well with Charles proxy.