Pokemon Go - 0.31.0 apk - Remove Certificate Pinning

[netops]

Uses:

This is only useful for those individuals who enjoy packet inspection/manipulation.

That being said, previously there was not an issue using your MITM proxy of choice to monitor/manipulate pokemon go traffic from your phone or otherwise. As of 0.31.0, certificate pinning has been enabled. There are already apps out there that allow you to bypass most certificate pinning without having to modify the APK it's self and are good for devices dedicated for testing, such as : https://github.com/iSECPartners/Android-SSL-TrustKiller

However, if your device is not solely a testing device, your next best option is to manually disable certificate pinning within the disassembled APK and then reassemble / sign it. Those instructions are below.

_______________________________________

Known Issues:

Google sign-in will not work, as the application has been modified and self-signed. It is considered invalid and your requests for login/auth fail

Pokemon club account is the go-to route for login and monitoring of packets

When first accessing the game, catching your first pokemon, naming your character, etc, do all of this without a MITM proxy enabled, or over 4g or similar. Once you are finished with the initial tutorial etc, you can then enable your MITM proxy and capture as normal.

________________________________________

Requirements:

apktool - used for disassembling apk and reassembling modified apk's
https://ibotpeaches.github.io/Apktool/install/

keytool - included in java sdk
Java SE - Downloads | Oracle Technology Network | Oracle

________________________________________

Disassemble

poke.apk is name of pokemon apk
folder/location is where you want the folder containing disassembled apk to go *example C:\Users\Example\Desktop\poke-dis*

apktool d poke.apk -o folder/location

_________________________________________

EDIT

The file that we want to edit is located here : C:\Users\Example\Desktop\poke-dis\smali\com\nianticlabs\nia\network\NianticTrustManager.smali

This is where certificate pinning is enforced on checkServerTrusted and checkClientTrusted methods

To fix this, each method should return void by default like shown below:

.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
return-void
.locals 2
...

.method public checkClientTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
return-void
.locals 2
...
All code can be left alone inside the methods, just add return-void directly above the first instruction, as shown above.

_________________________________________

Rebuild

This will reassemble the apk with the modified code

locations can be renamed ofc

apktool b C:\Users\Example\Desktop\poke-dis -o C:\Users\Example\Desktop\poke-mod.apk


_________________________________________

SIGN APK

You have to have Java SDK installed for this to work
Typically found here *C:\Program Files (x86)\Java\your-jdk-installed-version-here\bin*

you are going to want to cd to the jdk bin folder for this in command prompt

**-keystore name-of-your-key.keystore can be modified if you choose to whatever name you choose, however if you change it the other commands will need to reflect this

keytool -genkey -v -keystore name-of-your-key.keystore -alias ownedcore -keyalg RSA -keysize 2048 -validity 10000

Going to ask you for some info after this, nothing matters other than the password, which you WILL use again


This signs your newly rebuilt apk with the key you generated with the previous command

jarsigner -verbose -sigalg SHA1withRSA -d igestalg SHA1 -keystore name-of-your-key.keystore C:\Users\Example\Desktop\poke-mod.apk ownedcore

_________________________________________

INSTALL

At this point you should be good to go ahead and install your newly created apk. From here, as stated at the begining of this post, a few known issues exist. Stay away from google sign-in, it simply will not work with a self-signed application. Using pokemon club account, make sure you finish initial tutorial, catch your first pokemon and name your character prior to enabling MITM proxy and capturing traffic. My recommedation would be to do all starting tuts and naming over 4g, then enable wifi, close/reopen game and you should auto-signin and be good to go capturing traffic with your favorite MITM proxy.