Last active April 29, 2020 10:31
Modify certificate pinning for the Australian Government COVIDSafe Android application
  1. Ensure the certificate of your MITM application is in PEM format. Burp Suite, for example, exports its CA certificate in DER, so in that case convert it from DER to PEM:
openssl x509 -inform der -in cacert.der -out cacert.pem

Note that this same certificate also needs to be installed on the Android device as a user CA. Android expects DER format with the file extension .crt, so install the DER export (renamed to cacert.crt) there rather than the .pem. If in doubt, consult

  1. Extract all three APKs (the base APK plus the two split config APKs). -r (--no-res) leaves the resources undecoded so apktool does not trip over them when rebuilding; -f overwrites any previous output directory.
apktool d -f -r
apktool d -f -r config.xxhdpi.apk
apktool d -f -r config.en.apk
  1. Replace one of the existing pinned certificates with the one used by the MITM application. For example, this one will do:

Remove all of the text in that file and replace the complete certificate with your own, the same certificate that has been installed on the Android device and is used by your MITM application:

  1. Rebundle back into APKs. config.xxhdpi.apk and config.en.apk contain no changes, but they must be re-signed with the same key as the modified base APK, since Android requires all splits of an app to carry one signing key; that is why they were extracted in the first place. There is probably another way to strip the signature, but this will do.
apktool b config.en/ -o
apktool b config.xxhdpi/ -o
apktool b -o
  1. Download a JDK to get the keytool and jarsigner programs:

  2. Generate a key and self-signed certificate for signing (enter a password and don't forget it, as it is needed in the next step):

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
  1. Sign all three APKs with that key (each APK is signed in place, and jarsigner prompts for the keystore password):
~/jdk-14.0.1/bin/jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore alias_name
~/jdk-14.0.1/bin/jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore alias_name
~/jdk-14.0.1/bin/jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore alias_name
Note that jarsigner only produces a v1 (JAR) signature. If a newer Android version refuses the install, sign with apksigner from the Android SDK build-tools instead, which also adds the v2 signature scheme.
  1. Install the APKs to the Android device. All three are needed, so use install-multiple rather than install:
adb install-multiple

Now any HTTPS traffic sent from the app can be read in plain text, whether through an in-line proxy such as Burp or by other means, e.g. sslstrip. The intention here is dynamic analysis on your own device to understand how the software works. Please see the relevant legislation to understand what is and is not permitted:
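The gist elides the name of the pinned certificate file in the replacement step, and a wrong guess there leaves the pin intact. The following Python is an added helper, not part of the gist or of the COVIDSafe app: it walks an apktool output tree, lists every certificate-looking file with its SHA-256 fingerprint (so it can be matched against what `openssl x509 -noout -fingerprint -sha256` prints for the MITM CA), swaps a pin while preserving the file's original encoding (a DER .crt stays DER, a PEM file stays PEM), and checks that the new fingerprint is now present. The directory layout (`res/raw`, `assets`), the file names `pinned_ca.crt` and `backup_ca.pem`, and the certificate bytes used in `demo()` are constructed placeholders, not the app's real layout or real X.509 data.

```python
"""Locate, fingerprint and swap pinned certificate files in an apktool output tree.
Standard library only. Fingerprints are SHA-256 over the DER encoding, the same value
`openssl x509 -noout -fingerprint -sha256` prints, so they can be checked against the MITM CA."""
import base64, hashlib, os, re, tempfile

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
CERT_EXTS = {".crt", ".cer", ".der", ".pem"}

# Constructed placeholder bytes standing in for certificates. They are NOT real X.509
# data; the helpers only rely on the leading ASN.1 SEQUENCE byte (0x30) and on the
# PEM armour. Use the real MITM CA export when running this against a real APK.
FAKE_PINNED_DER = b"\x30\x0d\x02\x01\x01" + b"\x00" * 10
FAKE_MITM_DER = b"\x30\x0d\x02\x01\x02" + b"\x00" * 10

def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown'. DER certificates start with SEQUENCE (0x30)."""
    if PEM_RE.search(data):
        return "pem"
    return "der" if data[:1] == b"\x30" else "unknown"

def pem_to_der(pem: bytes) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file into DER bytes."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(match.group(1).split()))

def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64, as openssl does."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode("ascii")

def to_der(data: bytes) -> bytes:
    """Normalise either encoding to DER; reject anything else."""
    fmt = detect_format(data)
    if fmt == "unknown":
        raise ValueError("not a PEM or DER certificate")
    return pem_to_der(data) if fmt == "pem" else data

def fingerprint_sha256(data: bytes) -> str:
    """Colon-separated upper-case SHA-256 of the DER encoding (openssl's display form)."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def find_cert_files(root: str) -> dict:
    """Map each certificate-looking file under an extracted APK tree to its fingerprint.
    PEM is recognised anywhere; raw DER only with a certificate extension, because
    plenty of unrelated binary files also begin with 0x30."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            fmt = detect_format(data)
            if fmt == "pem" or (fmt == "der" and os.path.splitext(name)[1].lower() in CERT_EXTS):
                found[path] = fingerprint_sha256(data)
    return found

def replace_pinned_cert(path: str, new_cert: bytes) -> str:
    """Overwrite one pinned cert file with new_cert, keeping the file's original encoding
    so the app's loader still parses it. Returns the fingerprint now stored in the file."""
    with open(path, "rb") as fh:
        old_fmt = detect_format(fh.read())
    der = to_der(new_cert)
    out = der_to_pem(der) if old_fmt == "pem" else der
    with open(path, "wb") as fh:
        fh.write(out)
    return fingerprint_sha256(out)

def verify_pinned(root: str, expected_fp: str) -> bool:
    """True once at least one cert file under root carries the expected fingerprint."""
    return expected_fp in find_cert_files(root).values()

def demo() -> dict:
    """Build a throwaway apktool-style tree (one DER pin in res/raw, one PEM pin in
    assets/), swap the DER pin for the PEM-exported MITM cert and report the result."""
    root = tempfile.mkdtemp(prefix="pinswap-")
    os.makedirs(os.path.join(root, "res", "raw"))
    os.makedirs(os.path.join(root, "assets"))
    pinned = os.path.join(root, "res", "raw", "pinned_ca.crt")
    with open(pinned, "wb") as fh:
        fh.write(FAKE_PINNED_DER)
    with open(os.path.join(root, "assets", "backup_ca.pem"), "wb") as fh:
        fh.write(der_to_pem(FAKE_PINNED_DER))
    before = sorted(os.path.relpath(p, root) for p in find_cert_files(root))
    mitm_pem = der_to_pem(FAKE_MITM_DER)  # what step 1's openssl conversion produces
    written_fp = replace_pinned_cert(pinned, mitm_pem)
    with open(pinned, "rb") as fh:
        kept_der = detect_format(fh.read()) == "der"
    return {"before": before, "mitm_fp": fingerprint_sha256(mitm_pem), "written_fp": written_fp,
            "kept_der": kept_der, "verified": verify_pinned(root, fingerprint_sha256(FAKE_MITM_DER))}
```

Against the real extraction, run `find_cert_files` on the decoded base APK directory before editing to see which files hold certificates and what they hash to, call `replace_pinned_cert(path, open("cacert.pem", "rb").read())` on the one the app pins, and confirm with `verify_pinned` that the fingerprint openssl reports for cacert.pem is now in the tree before rebuilding with apktool.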
