FBUnpinner
Works for Instagram & Facebook
SUPPORTS:
TLS1.3 & TLS1.2 for x86/ARM32/ARM64
Instagram x86 currently does not work, feel free to open a pull request :)
A script to automate removing certificate pinning defense from Facebook applications.
TESTED FOR THE FOLLOWING APPS:
- com.facebook.katana (Facebook for Android)
- com.facebook.orca (Messenger)
- com.facebook.lasso (Lasso)
- com.instagram.android (Instagram for Android)
How-to
[REQUIRES ROOT]
- Note: for Instagram replace lib-xzs/libcoldstart.so with lib-zstd/libliger.so
-
Make sure you have run the desired Facebook application atleast once - what happens is that the cert pinning library (libcoldstart.so) is unpacked from an archive embedded in the APK.
-
Get root shell in your device:
$(comp): adb shell
$(phone): su
-
Pull libcoldstart.so from your desired Facebook application:
β Before version 255 path: /data/data/com.facebook.katana/lib-xzs/libcoldstart.so
#(phone): cp /data/data/com.facebook.katana/lib-superpack-xz/libcoldstart.so /sdcard/libcoldstart.so
#(phone): exit
$(phone): exit
$(comp): adb pull /sdcard/libcoldstart.so FBUnpinner/
- Patch the file:
$ python3 patch.py
OR:
$ python3 patch.py libliger.so libliger-patched.so
- Replace libcoldstart.so in the phone with the patched version:
$(comp): adb push libcoldstart-patched.so /sdcard/libcoldstart.so
$(comp): adb shell
$(phone): su
#(phone): cp /sdcard/libcoldstart.so /data/data/com.facebook.katana/lib-superpack-xz/libcoldstart.so
#(phone): chmod 777 /data/data/com.facebook.katana/lib-superpack-xz/libcoldstart.so
- (Optional) Setting up Burp to work with TLS 1.3 ("no cipher suites in common")
<path_to_jdk>/jdk-11.0.2.jdk/Contents/Home/bin/java -jar burpsuite_community.jar
TODO
A script to just patch an APK
Tested Emulators
Android Studio: Nexus_6_API_24 - Google APIs Intel Atom (x86)
Genymotion: Google Nexus 5X API 26 (x86)
Reference
https://serializethoughts.com/2016/08/18/bypassing-ssl-pinning-in-android-applications/
https://plainsec.org/how-to-bypass-instagram-ssl-pinning-on-android-v78/