Inspecting a mobile app's HTTPS traffic is probably the easiest way to reverse-engineer its behavior. However, with the [Network Security Configuration](https://developer.android.com/training/articles/security-config) introduced in Android 7 and app devel
Inspecting a mobile app's HTTPS traffic is probably the easiest way to reverse-engineer its behavior. However, with the Network Security Configuration introduced in Android 7 and app developers trying to prevent MITM attacks using certificate pinning, getting an app to work with an HTTPS proxy has become quite tedious. apk-mitm automates the entire process: All you have to do is give it an APK file, apk-mitm will apply all the necessary changes for you and output an APK that's ready for MITM.
If you have an up-to-date version of Node.js (8.2+) and Java (8+), you can run this command to patch an app:
$ npx apk-mitm <path-to-apk>
So, if your APK file is called example.apk, you'd run:
$ npx apk-mitm example.apk
╭ apk-mitm v0.0.0
├ apktool commit 683fef3
╰ uber-apk-signer v1.1.0
✔ Decoding APK file
✔ Modifying app manifest
✔ Modifying network security config
✔ Disabling certificate pinning
✔ Encoding patched APK file
✔ Signing patched APK file
Done! Patched APK: ./example-patched.apk
You can now install the example-patched.apk file on your device and use a proxy like Charles or mitmproxy to look at the app's traffic.
If you open the patched app on your phone and get a dialog saying The app is missing required components and must be reinstalled from the Google Play Store, then the app is using Android App Bundle. This means that installing it through an APK is not going to work regardless of whether it has been patched by apk-mitm or not.
If the app uses Google Maps and the map is broken after patching, then the app's API key is probably restricted to the developer's certificate. You'll have to create your own API key without restrictions and replace it in the app's AndroidManifest.xml file.
If apk-mitm crashes while decoding or encoding the issue is probably related to Apktool. Check their issues on GitHub to find possible workarounds.
The above example used npx to download and execute apk-mitm without local installation. If you do want to fully install it, you can do that by running:
$ npm install -g apk-mitm
MIT © Niklas Higi
FAQs
A CLI application that automatically prepares Android APK files for HTTPS inspection
The npm package apk-mitm receives a total of 194 weekly downloads. As such, apk-mitm popularity was classified as not popular.
We found that apk-mitm demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Company News
Socket is joining TC54 to help develop standards for software supply chain security, contributing to the evolution of SBOMs, CycloneDX, and Package URL specifications.
Security News
PyPI now allows maintainers to archive projects, improving security and helping users make informed decisions about their dependencies.
Research
Security News
Malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems; similarities to past campaigns suggest a North Korean connection.