Android app

[Dano10291]

Hi, is there a way to get mpd streams from an android apk. The streams seem to be protected. I’ve tried many things and nothing worked. Thanks.

[lovedownload]

same issue. please help.

[Baldrick]

Maybe some more details.... Or else will i delete this thread.

[Dano10291]

It’s an android app that encapsules the streams into websocket.

[arthur12]

Try PCAPdroid for android and dns_query_sniffer for computer.
These only return the initial part of the URLs.
I was also looking for something that could retrieve the complete URLs...

[Dano10291]

Hi Arthur, I’ve already tried Pcapdroid, but the traffic is shown as was, websocket. I’ve tried even Frida, but I’m not very into it, so maybe I didn’t use it properly. Thanks for the response anyway.

[Silv3r]

Advices from grok

1. Capture the MPD URL and Traffic While the App is Running (Easiest First Step)

Use a proxy tool on your Android device:
HttpCanary, HTTP Toolkit, or PC-based proxies like Charles Proxy / Fiddler / Proxyman.
Install the proxy certificate on your device (enable SSL decryption).
Run the app, play the video, and filter the network log for .mpd, manifest, index.mpd, or DASH-related requests.

On-device browser alternative: Some people use Kiwi Browser (with dev tools) if the stream can be triggered there.
If the app uses SSL pinning (common in protected apps), the proxy won't see HTTPS traffic. You'll need to bypass it:
Repackage the APK with tools like apktool + objection / Frida scripts for pinning bypass.
Or use Frida (dynamic instrumentation) to hook network calls at runtime without full repackaging.


Once you have the MPD URL, test it in a player like VLC, mpv, or dash.js in a browser. If it's protected, you'll see encryption flags (e.g., cenc protection scheme, PSSH box for Widevine).
2. Reverse Engineer the APK to Find the MPD Logic
If traffic capture fails:

Decompile the APK:
Use APKTool to decode resources and smali.
Use JADX or Ghidra / jadx-gui for readable Java/Kotlin code.

Search for strings like:
"mpd", "manifest", ".mpd", "dash", "widevine", "license", "pssh", "exo player" (common player for DASH on Android).
Look in classes handling video playback (often ExoPlayer, MediaPlayer with DRM, or custom players).

You might find hardcoded URLs, API endpoints that return the MPD, or how the app constructs the manifest URL (e.g., via tokens, device IDs, or auth).

This requires some Java/Android knowledge. Tools like Frida can also hook methods at runtime to log URLs or parameters being passed to the player.

more advices

Recommended Easiest Setup Right Now (2026-friendly)
Use HTTP Toolkit + a universal Frida pinning bypass. It's GUI-based and handles most of the complexity.

Install HTTP Toolkit on your computer (free version is enough) → https://httptoolkit.com
It has built-in Android support and one-click Frida integration.

On your Android device (preferably rooted for simplicity; if not rooted, we can try gadget mode later):
Enable USB debugging.
Install the latest Frida server:
Download from https://github.com/frida/frida/releases (get the frida-server for your architecture, usually arm64).
Push and run it:textadb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"


Get a good universal bypass script (these still work great in 2026):
The most reliable ones are:
HTTP Toolkit's own: https://github.com/httptoolkit/frida-interception-and-unpinning (download android/android-certificate-unpinning.js and config.js)
Or the classic from Frida Codeshare: pcipolloni/universal-android-ssl-pinning-bypass-with-frida
Another strong one: akabe1/frida-multiple-unpinning

Save the .js file(s) on your computer.
Launch the app with Frida bypass via HTTP Toolkit (easiest):
In HTTP Toolkit, go to Android interception → it can auto-inject Frida.
Or manually:textfrida -U -f com.your.app.package.name -l path/to/android-certificate-unpinning.js --no-pause(Replace com.your.app.package.name with the actual package — find it in settings or with frida-ps -U)

Start intercepting:
In HTTP Toolkit (or Burp/Charles if you prefer), you should now see decrypted HTTPS + WebSocket traffic.
Play the video in the app.
Look for:
WebSocket frames (they often contain JSON with "mpd", "manifest", "url", or base64-encoded links).
Any regular HTTPS requests to .mpd endpoints (now fully visible with query params/tokens).



If WebSocket is still the main issue
Once decrypted, WebSocket messages will show in the proxy tool as readable text/JSON. Search inside them for the MPD string. Many apps send something like:
JSON{"type": "stream", "url": "https://cdn.example.com/video.mpd?token=xyz..."}
Alternative if Frida feels too fiddly

Try apk-mitm to repackage the APK (removes pinning permanently):textnpm install -g apk-mitm
apk-mitm your-app.apkInstall the patched APK and use any proxy (HttpCanary, HTTP Toolkit, etc.).
Or stick with HttpCanary + root + its built-in decryption, but force it to capture WebSocket payload (some versions show WS data after enabling full packet view).

Next steps if this still doesn't reveal the full MPD

Decompile the APK with jadx-gui and search for ExoPlayer / DASH / MPD / WebSocket related classes. The code that builds or receives the manifest URL is usually there.
Hook specific methods with Frida (e.g., hook ExoPlayer's setMediaItem or WebSocket onMessage to log the URLs).

To give you even more precise commands/scripts, could you share:

Is your device rooted? (Magisk?)
Android version?
The app's package name (e.g., com.company.app — you can find it in App Info or with adb shell pm list packages)?

That way I can tailor the exact Frida command or suggest a more targeted hook (e.g., for WebSocket onMessage).
This combo (Frida unpinning + proper proxy) solves the "only partial URLs / WebSocket" problem for the vast majority of protected streaming apps. Let me know what happens when you try it — we'll iterate from there.

[Dano10291]

Hi silv3r. First of all, thank you very much for the great answer. I really appreciate it. I’ll take me some time to put this in practice given my extremely limited knowledge. When I do, I’ll tell you the result. About your questions. I have magisk, android 15 and the package is org.drive_hunter.

[lovedownload]

I am using Sky Go and captured m3u8 links but download couldn't be muxed due to invalid data in N_m3u8DL-RE.

How can I obtain key directly in Windows not via browsers.