A comprehensive guide to intercepting API traffic from Android apps using XAPK patching and proxy tools.
Table of Contents
- Prerequisites
- Understanding XAPK Format
- Downloading APKs
- Extracting XAPK
- Patching for SSL Bypass
- Installing Patched APK
- Proxy Configuration
- Troubleshooting
Prerequisites
- ADB (Android Debug Bridge) installed
- Node.js (for apk-mitm)
- Proxy tool: Proxyman, mitmproxy, Charles, or Burp Suite
- Android device with USB debugging enabled
- apk-mitm: npm install -g apk-mitm
- apkeep (optional): For downloading APKs from Play Store
Understanding XAPK Format
XAPK is an Android app package format that bundles:
| Component | Description |
|---|---|
| APK file | Standard Android application package |
| OBB files | Additional data files (textures, media, assets) |
| Split APKs | Architecture/density-specific code and resources |
Why XAPK exists
Google Play has a ~150MB limit for APKs. Large apps split into:
- Base APK: Core code and resources
- Config APKs: Architecture (arm64_v8a) and density (xxxhdpi) specific files
XAPK vs other formats
| Format | Contents |
|---|---|
| APK | Single app package |
| XAPK | APK + OBB expansion files or split APKs |
| APKS/APKM | Split APKs (App Bundle exports) |
Downloading APKs
Option 1: Using apkeep
# Install apkeep
cargo install apkeep
# Download from Play Store (requires auth)
apkeep -a com.example.app .
# Download specific version
apkeep -a com.example.app@1.2.3 .
Option 2: From APKPure/APKMirror
Download XAPK files directly from:
Option 3: Export from device using SAI
- Install SAI (Split APKs Installer)
- Export installed app as .apks file
- Transfer to computer
Extracting XAPK
XAPK is essentially a ZIP file. Extract it to see contents:
# Create extraction directory and extract
mkdir -p extracted
unzip app.xapk -d extracted/
# List contents
ls -la extracted/
Typical XAPK structure
extracted/
├── com.example.app.apk # Base APK (main code + resources)
├── config.arm64_v8a.apk # Native libraries for ARM64
├── config.xxxhdpi.apk # Resources for high-DPI screens
├── icon.png # App icon
└── manifest.json # XAPK metadata
Reading manifest.json
cat extracted/manifest.json
Contains:
- package_name: App package identifier
- version_name: Human-readable version
- version_code: Internal version number
- split_apks: List of APK files to install
- permissions: Required Android permissions
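An XAPK from a third-party site is untrusted input, so it is worth checking the archive against its own manifest.json before unzipping and installing it. This is an added example, not part of the original guide; it assumes each split_apks entry is an object with file and id keys, and the sample archive is constructed in memory:

```python
import io
import json
import zipfile
from pathlib import PurePosixPath


def inspect_xapk(xapk):
    """Return (package_name, install_order, problems) for an XAPK path or file object."""
    problems = []
    with zipfile.ZipFile(xapk) as zf:
        names = zf.namelist()
        manifest = json.loads(zf.read("manifest.json"))
    # A third-party download is untrusted input: flag entry names that would
    # land outside the extraction directory.
    for name in names:
        path = PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            problems.append(f"unsafe entry name: {name}")
    # Assumed entry shape: {"file": "<apk name>", "id": "<split id>"}.
    splits = manifest.get("split_apks", [])
    listed = [s["file"] for s in splits]
    problems += [f"listed in manifest but missing: {f}" for f in listed if f not in names]
    problems += [f"present but not in manifest: {n}" for n in names
                 if n.endswith(".apk") and n not in listed]
    # Base APK first, then the config splits (stable sort keeps their order).
    ordered = sorted(splits, key=lambda s: s.get("id") != "base")
    return manifest["package_name"], [s["file"] for s in ordered], problems


def build_sample_xapk():
    """Constructed archive with three deliberate defects, for demonstration only."""
    manifest = {
        "package_name": "com.example.app",
        "split_apks": [
            {"file": "config.arm64_v8a.apk", "id": "config.arm64_v8a"},
            {"file": "com.example.app.apk", "id": "base"},
            {"file": "config.xxxhdpi.apk", "id": "config.xxxhdpi"},
        ],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        for name in ("com.example.app.apk", "config.arm64_v8a.apk",
                     "extra.apk", "../outside.txt"):
            zf.writestr(name, b"")
    return buf
```

`inspect_xapk` also accepts a file path such as `app.xapk`; an empty problems list means every listed split is present and nothing unexpected is bundled.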
Patching for SSL Bypass
Most apps use SSL certificate pinning to prevent traffic interception. We need to patch the APK to bypass this.
Using apk-mitm
# Install apk-mitm globally
npm install -g apk-mitm
# Patch XAPK bundle (recommended for split APKs)
apk-mitm app.xapk
# Or patch single APK
apk-mitm app.apk
What apk-mitm does
- Decodes the APK using apktool
- Modifies AndroidManifest.xml to allow user certificates
- Replaces network security config to trust user CA certs
- Patches Smali code to disable certificate pinning:
  - OkHttp CertificatePinner
  - HostnameVerifier checks
  - Custom pinning implementations
- Re-encodes and signs the APK
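The network security config change in the list above is also something an app team can check for in its own release builds, and a tester can use the same check to confirm what a decoded APK actually trusts. This added example is not apk-mitm's code or output; both XML samples are constructed, and it reports where a decoded network_security_config.xml trusts user-installed CAs outside `<debug-overrides>`:

```python
import xml.etree.ElementTree as ET

# Constructed sample: a release config that pins one host and trusts
# user-installed CAs only in debuggable builds.
PINNED = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set><pin digest="SHA-256">PLACEHOLDER_PIN_VALUE=</pin></pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

# Constructed sample: a config that trusts user-installed CAs for all traffic.
USER_TRUSTED = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user" overridePins="true"/>
    </trust-anchors>
  </base-config>
</network-security-config>"""


def audit_network_security_config(xml_text):
    """Return findings for the sections that apply to non-debuggable builds."""
    findings = []
    root = ET.fromstring(xml_text)
    # <debug-overrides> only takes effect when android:debuggable="true",
    # so only <base-config> and <domain-config> are inspected.
    sections = list(root.iter("base-config")) + list(root.iter("domain-config"))
    for section in sections:
        # Direct children only, so nested <domain-config> blocks report once.
        for cert in section.findall("trust-anchors/certificates"):
            src = cert.get("src")
            if src == "user":
                findings.append(f"{section.tag}: user-installed CAs trusted")
            if cert.get("overridePins") == "true":
                findings.append(f"{section.tag}: pins overridden for src={src}")
    return findings
```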
Output
./app-patched.xapk # For XAPK input
./app-patched.apk # For APK input
Installing Patched APK
For Split APKs (from XAPK)
# Extract patched XAPK
mkdir -p patched
unzip app-patched.xapk -d patched/
# Uninstall original app first (if installed)
adb uninstall com.example.app
# Install all split APKs together
adb install-multiple \
patched/com.example.app.apk \
patched/config.arm64_v8a.apk \
patched/config.xxxhdpi.apk
For Single APK
# Uninstall original
adb uninstall com.example.app
# Install patched version
adb install app-patched.apk
Common Installation Errors
| Error | Solution |
|---|---|
| INSTALL_FAILED_MISSING_SPLIT | Use install-multiple with all split APKs |
| INSTALL_FAILED_UPDATE_INCOMPATIBLE | Uninstall original app first |
| INSTALL_FAILED_VERIFICATION_FAILURE | Disable Play Protect temporarily |
Proxy Configuration
Step 1: Set up proxy on Mac
Proxyman:
- Open Proxyman
- Note the IP and port (default: 9090)
- Certificate → Install on Android
mitmproxy:
mitmproxy -p 8080
# or for web interface
mitmweb -p 8080
Step 2: Configure Android proxy via ADB
# Set global proxy (works system-wide, no root needed)
adb shell settings put global http_proxy <mac-ip>:<port>
# Example
adb shell settings put global http_proxy 192.168.29.102:9090
# Verify proxy is set
adb shell settings get global http_proxy
Step 3: Install CA Certificate
Open browser on device and visit:
| Proxy Tool | Certificate URL |
|---|---|
| Proxyman | http://proxy.man/ssl |
| mitmproxy | http://mitm.it |
| Charles | http://chls.pro/ssl |
| Burp Suite | http://burp/cert |
Download and install the certificate:
- Settings → Security → Install from storage
- Or: Settings → Security → Encryption & credentials → Install a certificate
Step 4: Verify proxy is working
# Open cert download page via ADB
adb shell am start -a android.intent.action.VIEW -d "http://proxy.man/ssl"
If the page loads, the proxy is working correctly.
Step 5: Remove proxy when done
adb shell settings put global http_proxy :0
Troubleshooting
Proxy not working
- Check devices are on same network
  # Get Mac IP
  ipconfig getifaddr en0
  # Ping from Android
  adb shell ping <mac-ip>
- Check proxy is running
  - Ensure Proxyman/mitmproxy is open
  - Check it’s listening on the correct port
- Check firewall
  - System Preferences → Security & Privacy → Firewall
  - Allow incoming connections for proxy app
Still seeing “Certificate error” in app
- Verify patched APK is installed
  adb shell pm list packages | grep com.example.app
- Check CA cert is installed
  - Settings → Security → Trusted credentials → User tab
- App may have additional pinning
  - Some apps use custom pinning beyond OkHttp
  - Try Frida + objection for runtime bypass
App crashes after patching
- Integrity checks: Some apps verify their own signature
- Root detection: App may detect tampering
- Solution: Use Frida to bypass at runtime
Quick Reference
Complete workflow
# 1. Extract XAPK
unzip app.xapk -d extracted/
# 2. Patch for SSL bypass
apk-mitm app.xapk
# 3. Extract patched XAPK
unzip app-patched.xapk -d patched/
# 4. Install on device
adb uninstall com.example.app
adb install-multiple patched/*.apk
# 5. Set proxy
adb shell settings put global http_proxy 192.168.x.x:9090
# 6. Install CA cert (open in device browser)
# http://proxy.man/ssl
# 7. Launch app and intercept traffic!
# 8. Remove proxy when done
adb shell settings put global http_proxy :0
Useful ADB commands
# List connected devices
adb devices
# Check current proxy
adb shell settings get global http_proxy
# Launch app
adb shell am start -n com.example.app/.MainActivity
# Find launcher activity
adb shell cmd package resolve-activity --brief com.example.app
# List installed packages
adb shell pm list packages | grep keyword
# Uninstall app
adb uninstall com.example.app
# Open URL in browser
adb shell am start -a android.intent.action.VIEW -d "http://example.com"
# Open WiFi settings
adb shell am start -a android.settings.WIFI_SETTINGS
Tools Reference
| Tool | Purpose | Install |
|---|---|---|
| apk-mitm | Patch APK to bypass SSL pinning | npm install -g apk-mitm |
| apkeep | Download APKs from Play Store | cargo install apkeep |
| Proxyman | macOS proxy with GUI | https://proxyman.io |
| mitmproxy | CLI/web proxy | brew install mitmproxy |
| Frida | Runtime instrumentation | pip install frida-tools |
| objection | Frida wrapper for mobile | pip install objection |
Security Notice
This guide is intended for:
- Security research and authorized penetration testing
- Debugging your own applications
- Educational purposes
Always obtain proper authorization before intercepting network traffic from applications you don’t own.