by kevinbowman 1637 days ago
From a quick look at the code, it seems to be doing something similar, except it does it for you. Here's a link to the Firefox bit, where it makes a custom Firefox profile and then injects a certificate into it: https://github.com/httptoolkit/httptoolkit-server/blob/maste...

I haven't seen the source for the .deb package, but in theory it could add a system cert at installation time. I don't know if it does, though.


I'm the author, that's exactly it! The contents of that interceptors folder should give you an idea how it all works: https://github.com/httptoolkit/httptoolkit-server/tree/maste...

It actually doesn't install system certificates at all though. It doesn't change any system configuration whatsoever, and it doesn't need any admin/root privileges. The deb package doesn't do anything different to any others.

That's because the key differentiator of HTTP Toolkit vs Fiddler/Charles/mitmproxy etc. is that it provides targeted interception, rather than intercepting your entire system at once.

That works by injecting cert & proxy config into a single browser window, intercepting specific Android apps, targeting individual Docker containers etc. That way you get much less noisy intercepted traffic for your debugging, and you can freely add rules to rewrite/break traffic without interfering with anything else.

You can even open two HTTP Toolkit windows on one machine, and intercept things separately into each one.

If you want, you can still do the normal steps to do full system interception manually if you'd prefer that, but by default it uses entirely transient and permissionless targeted interception instead, and that's almost always the better approach.

Does this work with cert pinning on Android? I was only ever able to bypass that by rooting my device and installing an Xposed module to bypass the pin check.
There's a detailed Android guide here: https://httptoolkit.tech/docs/guides/android/

In short, most of the time you need to either:

- Connect an Android emulator or a rooted device to ADB, in which case HTTP Toolkit can do totally automated setup for you.

- Use a non-rooted device, and make some minor config changes to the target application (trivial if it's your own application, slightly more difficult if it's not).

That handles 99% of Android apps, which usually don't actually pin certificates - they generally rely on Android's built-in non-modifiable system certificate store instead.

Lots more detail on how this all works here: https://httptoolkit.tech/blog/intercepting-android-https/

For apps that really do manually pin certificates, I've also written a general purpose Frida script that covers most cases out of the box. There's a full guide with more detail here: https://httptoolkit.tech/blog/frida-certificate-pinning/. And if even that doesn't work, I've also written a "reverse engineering an Android app from scratch so you can write your own Frida script" guide here: https://httptoolkit.tech/blog/android-reverse-engineering/
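The "minor config change" for a non-rooted device is, as an added illustration not taken from the thread or from HTTP Toolkit's own code, the app's Android network security config. By default Android trusts only the non-modifiable system store, so a user-installed CA is ignored; the config below (assumed file name `res/xml/network_security_config.xml`, referenced from the manifest's `<application android:networkSecurityConfig="@xml/network_security_config">`) opts in to user-added CAs under `debug-overrides` only, so release builds keep the system-store-only behaviour:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example: trust user-installed CAs in debuggable builds only. -->
<network-security-config>
    <!-- Applies to every build: the system store remains the sole trust anchor. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Honoured only when android:debuggable="true"; ignored in release builds,
         so shipping this file does not weaken production trust. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

If a build trusts `user` certificates outside `debug-overrides`, any CA installed on the device can intercept its traffic, which is the check to make before shipping.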

Your postings are awesome.
httptoolkit is the best software on the market; it works so easily and can bypass cert pinning.

Here are the steps: download the Frida script from the httptoolkit server and the binary from the Frida GitHub repo, and install the httptoolkit app on Android. Here are my notes.

```
# Copy the server to the device
adb push ./frida-server-$version-android-$arch /data/local/tmp/frida-server
# ^Change this to match the name of the binary you just extracted

# Enable root access to the device
adb root

# Make the server binary executable
adb shell "chmod 755 /data/local/tmp/frida-server"

# Start the server on your device
adb shell "/data/local/tmp/frida-server &"

# Install the Frida CLI tools, list the device's processes, then attach the script
pip3 install frida-tools
frida-ps -U
frida --no-pause -U -l ./frida.js -f com.appname

# derived from https://httptoolkit.tech/blog/frida-certificate-pinning/
```

Frida? That's https://frida.re/ ?
yea :)

You can download server binaries from here https://github.com/frida/frida/releases

Good to know, thanks for the confirmation!