httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

Should I combine scripts? #54

Closed Lyfhael closed 7 months ago

Lyfhael commented 7 months ago

Hey, first of all I'm very appreciative of everything you do on HTTP Toolkit; it's been a lifesaver, user-friendly and many other qualifiers, but I don't want to make it too much.

I wanted to know, in the context of using Genymotion with HTTP Toolkit and connecting via ADB to it, I want to bypass SSL pinning.

I've tried android-certificate-unpinning.js + config.js, but it seems like it's still blocked for the app I'm trying (Facebook).

My question is a bit more general: I want to know if I should combine scripts? I read the description where it says you generally use a subset of scripts, but I'm unsure if that means only 1 or possibly 2.

And what would be the ones we would usually combine together? Thanks!

pimterry commented 7 months ago

If you're just unpinning (so the device is already being proxied and intercepted otherwise) then you only need config + android-certificate-unpinning.js, and you may find better results also using android-certificate-unpinning-fallback.js too.

If your device isn't already set up, and you want to do full interception, you can just use all the scripts, using the command from the README. In fact, even if the device is set up you can use that if you like; as long as the certificate, proxy host & port settings (in config.js) are the same as your device settings, it won't cause any issues, and it might capture traffic that's not intercepted in other setups.

You mentioned Facebook specifically - unfortunately, that's not unpinning here. All Meta apps use their own native TLS library that's bundled with the app, ignoring all system APIs to do this, and so you'll need a totally different approach for that (either reverse engineering and hooking their specific native library, or finding somebody else who has done so). That's a very rare case though - for any normal Android app, this script should work fine.
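A shell helper that assembles the two invocations described in the reply above (config.js plus the unpinning scripts only, or config.js plus every script) and checks that the proxy in config.js matches what the emulator is actually using. This is an added example, not code from the repository or from anyone in the thread. It assumes the script layout of the repository README (config.js at the top level, the Android scripts under android/), that config.js defines the proxy as `const PROXY_HOST = '...';` and `const PROXY_PORT = NNNN;`, and that frida-server on the emulator is reachable over ADB so `frida -U` finds it. The function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not part of the repository or the issue thread).
# Assumes: scripts under $SCRIPT_DIR with config.js at the top level and the
# Android scripts in android/; config.js defines PROXY_HOST / PROXY_PORT as
# `const PROXY_HOST = '...';` and `const PROXY_PORT = NNNN;`. Paths must not
# contain spaces (the script list is whitespace-separated).
set -eu

SCRIPT_DIR="${SCRIPT_DIR:-.}"

# Print the frida command for a package.
#   unpin: config.js + the two unpinning scripts only. Use this when the
#          emulator is already proxied and already trusts the interception CA.
#   full:  config.js first, then every other script in the repo, which also
#          sets the proxy and injects the CA (the README's "all scripts" setup).
# config.js is always loaded first because the other scripts read the
# constants (CERT_PEM, PROXY_HOST, PROXY_PORT) it defines.
# -U selects the ADB-attached device; -f spawns the package so the hooks are
# in place before its first TLS handshake.
frida_cmd() {
    local mode="$1" package="$2" dir="${3:-$SCRIPT_DIR}"
    local scripts="$dir/config.js" cmd="frida -U" f
    case "$mode" in
        unpin)
            scripts="$scripts $dir/android/android-certificate-unpinning.js"
            scripts="$scripts $dir/android/android-certificate-unpinning-fallback.js"
            ;;
        full)
            for f in "$dir"/*.js "$dir"/android/*.js; do
                [ -e "$f" ] || continue                     # unmatched glob
                [ "$f" = "$dir/config.js" ] && continue     # already first
                scripts="$scripts $f"
            done
            ;;
        *) echo "unknown mode: $mode (use unpin or full)" >&2; return 2 ;;
    esac
    for f in $scripts; do
        [ -f "$f" ] || { echo "missing script: $f" >&2; return 1; }
        cmd="$cmd -l $f"
    done
    printf '%s -f %s\n' "$cmd" "$package"
}

# Extract "host:port" from config.js (assumed const PROXY_HOST / PROXY_PORT lines).
config_proxy() {
    local cfg="$1" host port
    host=$(sed -n "s/^const PROXY_HOST *= *['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg")
    port=$(sed -n "s/^const PROXY_PORT *= *\([0-9]*\).*/\1/p" "$cfg")
    [ -n "$host" ] && [ -n "$port" ] || {
        echo "$cfg: PROXY_HOST / PROXY_PORT not found" >&2; return 1; }
    printf '%s:%s\n' "$host" "$port"
}

# Read the emulator's current global HTTP proxy ("host:port"; ":0" or "null"
# when none is set). Strips the CR that adb shell output often carries.
device_proxy() {
    adb shell settings get global http_proxy | tr -d '\r'
}

# True when config.js and the device agree on the proxy endpoint. The device
# value is passed in rather than read here so the check can run offline.
proxy_matches_device() {
    local cfg="$1" device="$2" expected
    expected=$(config_proxy "$cfg") || return 1
    [ "$expected" = "$device" ]
}
```

Typical use before launching the full script set: `proxy_matches_device ./config.js "$(device_proxy)" && eval "$(frida_cmd full com.example.app)"`. A mismatch is exactly the situation the reply warns about, so align config.js with the emulator's proxy setting (or clear one of them) before combining the proxy-override script with a device that was proxied by hand.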