Skip to content
Bypass Facebook/Instagram Certificate Pinning for Android
Python
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore Added TLS1.3 support for x86! Mar 6, 2019
README.md Update README.md Apr 29, 2019
patch.py Merge branch 'master' of https://github.com/tsarpaul/FBUnpinner Mar 22, 2019
requirements.txt Added requirements.txt Jan 15, 2019

README.md

FBUnpinner

Works for Instagram & Facebook

SUPPORTS:
TLS1.3 & TLS1.2 for x86/ARM32/ARM64
Instagram x86 currently does not work, feel free to open a pull request :)


A script to automate removing certificate pinning defense from Facebook applications.

TESTED FOR THE FOLLOWING APPS:

  • com.facebook.katana (Facebook for Android)
  • com.facebook.orca (Messenger)
  • com.facebook.lasso (Lasso)
  • com.instagram.android (Instagram for Android)

How-to

[REQUIRES ROOT]
  • Note: for Instagram replace lib-xzs/libcoldstart.so with lib-zstd/libliger.so
  1. Make sure you have run the desired Facebook application atleast once - what happens is that the cert pinning library (libcoldstart.so) is unpacked from an archive embedded in the APK.

  2. Get root shell in your device:

$(comp): adb shell
$(phone): su
  1. Pull libcoldstart.so from your desired Facebook application:
#(phone): cp /data/data/com.facebook.katana/lib-xzs/libcoldstart.so /sdcard/libcoldstart.so
#(phone): exit
$(phone): exit
$(comp): adb pull /sdcard/libcoldstart.so FBUnpinner/
  1. Patch the file:
$ python3 patch.py

OR:

$ python3 patch.py libliger.so libliger-patched.so
  1. Replace libcoldstart.so in the phone with the patched version:
$(comp): adb push libcoldstart-patched.so /sdcard/libcoldstart.so
$(comp): adb shell
$(phone): su
#(phone): cp /sdcard/libcoldstart.so /data/data/com.facebook.katana/lib-xzs/libcoldstart.so
#(phone): chmod 777 /data/data/com.facebook.katana/lib-xzs/libcoldstart.so
  1. (Optional) Setting up Burp to work with TLS 1.3 ("no cipher suites in common")
<path_to_jdk>/jdk-11.0.2.jdk/Contents/Home/bin/java -jar burpsuite_community.jar

TODO

A script to just patch an APK

Tested Emulators

Android Studio: Nexus_6_API_24 - Google APIs Intel Atom (x86)

Genymotion: Google Nexus 5X API 26 (x86)

Reference

https://serializethoughts.com/2016/08/18/bypassing-ssl-pinning-in-android-applications/
https://plainsec.org/how-to-bypass-instagram-ssl-pinning-on-android-v78/

You can’t perform that action at this time.