/Instagram_SSL_Pinning

Bypass Instagram SSL Pinning on Android

GNU General Public License v3.0GPL-3.0

Instagram SSL Pinning

Bypass Instagram SSL Pinning on Android (ARM, x86 and AArch64) Version 237.0.0.14.102

Do you like this project? Support it by donating

  • Bitcoin: bc1qfr59gu23rxurhj8aarerx3y6gmh546kf88cte6

  • Ethereum: 0xbCdC08E42B31ECB9a97749F69BCce7AcE6834cAC

  • Dogecoin: DEvEGbjmKw8v2Rka9JbKVWMBepXfZh95Zf

  • Buy me a coffee

Requirements

  • The latest version of JDK (Download)

  • The latest version of (Burp Suite) or (mitmproxy)

  • Instagram APK (ARM - x86 - AArch64) - For root method only
    Download only from these links, not Google Play or somewhere else

  • a rooted Android device (Physical or virtual) - For root method only
    Genymotion Android 8+ recommended.
    Genymotion virtual devices is x86 and rooted by default.

  • ADB (Download) - For root method only
    Genymotion will install ADB automatically, and you can find it on <Genymotion Installation path>/tools

Non-Root Method (Recommended)

Instructions

  1. Download and install patched APK (ARM - x86)
    ARM on a physical device or ARM on Genymotion Android 8-Oreo with ARM Translation strongly recommended!

    1.2. For x86 only, Open Instagram app (wait a few seconds) and close it.
    It's important to run Instagram app once, before setting the proxy!

  2. Run Burp Suite with /<JDK Installation path>/bin/java -jar burpsuite_community.jar and setting up proxy on your Android device.
    Don't forget to turn off the Burp proxy intercept from Proxy > Intercept tab
    You should install Burp Suite certificate on your Android device

  3. That's it! Now open the Instagram app on your device and intercept the requests in Burp Suite !

Root Method

Watch tutorial video

Instructions (It's important to do step by step)

  1. Download and install Instagram apk on your device.

  2. Open Instagram app (wait a few seconds) and close it.
    It's important to run Instagram app once, before start patching!

  3. Download the patched file (ARM - x86 - AArch64) and push it to the device:
    ARM, x86 and AArch64: adb push libliger.so /data/data/com.instagram.android/lib-compressed/libliger.so

  4. Open Instagram app again (wait a few seconds) and close it.

  5. Run Burp Suite with /<JDK Installation path>/bin/java -jar burpsuite_community.jar and setting up proxy on your Android device.
    You must set the proxy in this step
    Don't forget to turn off the Burp proxy intercept from Proxy > Intercept tab
    You should install Burp Suite certificate on your Android device

  6. That's it! Now open the Instagram app and intercept the requests in Burp Suite !

Instagram Signature Key for ARM and x86

  • v136.0.0.34.124: 46024e8f31e295869a0e861eaed42cb1dd8454b55232d85f6c6764365079374b
  • Instagram does not sign requests in versions newer than 136.0.0.34.124, it's just SIGNATURE string.
    Example: signed_body=SIGNATURE.{"phone_id":"51df5a24-e59e-46cd-bc01-fe658aba9f18","_csrftoken":"mPzWvJ399rqCxOY5rn6Bggq7oOcFkf6U","usage":"prefill"}