Bypass Instagram SSL Pinning on Android (ARM and x86
) Version 159.0.0.40.122
-
The latest version of JDK (Download)
-
Burp Suite v1.7.36 (*.jar version) (Download)
!!! Please DON'T USE CHARLES, FIDDLER OR MITMPROXY. Only use *.JAR VERSION of Burp Suit and ONLY VERSION 1.7.36, NOT v2 or v2020. And please run it with the LATEST VERSION OF JAVA !!! -
Instagram APK (ARM - x86) - For root method only
Download only from these links, not Google Play or somewhere else -
a rooted Android device (Physical or virtual) - For root method only
Genymotion Android 8+ recommended.
Genymotion virtual devices is x86 and rooted by default. -
ADB (Download) - For root method only
Genymotion will install ADB automatically, and you can find it on<Genymotion Installation path>/tools
-
Download and install patched APK (ARM - x86)
ARM on a physical device or ARM on Genymotion Android 8-Oreo with ARM Translation strongly recommended!1.2. For x86 only, Open Instagram app (wait a few seconds) and close it.
It's important to run Instagram app once, before setting the proxy! -
Run Burp Suite with
/<JDK Installation path>/bin/java -jar burpsuite_community.jar
and setting up proxy on your Android device.
You should install Burp Suite certificate on your Android device -
That's it! Now open the Instagram app on your device and intercept the requests in Burp Suite !
-
Download and install Instagram apk on your device.
-
Open Instagram app (wait a few seconds) and close it.
It's important to run Instagram app once, before start patching! -
Download the patched file (ARM - x86) and push it to the device:
ARM:adb push libliger.so /data/data/com.instagram.android/lib-superpack-zstd/libliger.so
x86:adb push libliger.so /data/data/com.instagram.android/lib-zstd/libliger.so
-
Open Instagram app again (wait a few seconds) and close it.
-
Run Burp Suite with
/<JDK Installation path>/bin/java -jar burpsuite_community.jar
and setting up proxy on your Android device.
You must set the proxy in this step
You should install Burp Suite certificate on your Android device -
That's it! Now open the Instagram app and intercept the requests in Burp Suite !
- v136.0.0.34.124:
46024e8f31e295869a0e861eaed42cb1dd8454b55232d85f6c6764365079374b
- Instagram does not sign requests in versions newer than 136.0.0.34.124, it's just
SIGNATURE
string.
Example:signed_body=SIGNATURE.{"phone_id":"51df5a24-e59e-46cd-bc01-fe658aba9f18","_csrftoken":"mPzWvJ399rqCxOY5rn6Bggq7oOcFkf6U","usage":"prefill"}
If you want to show your appreciation, you can donate via PayPal.
Iranian users can donate via IDPay.
Thanks.