Intercept https communication from an Android application

Many Android applications talk to servers through some form of REST API secured with TLS/SSL (that is, over “https”). If it is your own application or an open source one, you know what is going on from the source; for a third-party application you may still be wondering (hopefully for legitimate reasons :-) what it sends to the server and what it gets back. With the help of a few free tools it is fairly easy to monitor that encrypted traffic on your local computer (Linux here, but it will work on other systems too).

What is needed

Android SDK (I downloaded it as part of Android Studio, but you can download just the command line tools)
mitmproxy (a proxy that can decrypt https using the “Man in the Middle” approach: it presents its own certificate to the app, signed by a CA that you must make the device trust)
openssl tool (normally available in your Linux distro; in Ubuntu install it with sudo apt install openssl)

Setup

  • Install mitmproxy
  • Run it
    mitmproxy --set stream_large_bodies=1m
  • Test it in a local browser on an unencrypted site to see how it works (set the browser proxy to localhost:8080)
  • Get the Android application's .apk file
    There are many approaches: you can use some internet service, use adb to extract it from your phone over a USB cable, or create an Android emulator with Google Play, install the application there and use adb to extract it (the same approach as in the previous case).
  • Create an emulator from a bare Android image (no Google Play and APIs); on such an image you can get root access easily.
  • Now you need to install the root certificate of the mitmproxy dummy CA into the emulator's Android image as a system-wide certificate. Installing it as a user certificate is not enough: since Android 7.0 (Nougat) applications trust only the system CA store by default, so a user-installed CA would be ignored by most apps.
    cd ~/Android/Sdk/platform-tools
    
    # prepare the certificate file in the form Android expects
    # (use the certificate-only file mitmproxy-ca-cert.pem; mitmproxy-ca.pem also
    # contains the CA private key, which must not end up in the trust store)
    # this first command prints the hash used in the following commands to name the file;
    # your hash will differ from c8750f0d, every mitmproxy installation generates its own CA
    openssl x509 -inform PEM -subject_hash_old -noout -in ~/.mitmproxy/mitmproxy-ca-cert.pem
    cat ~/.mitmproxy/mitmproxy-ca-cert.pem > c8750f0d.0
    openssl x509 -inform PEM -text -noout -in ~/.mitmproxy/mitmproxy-ca-cert.pem >> c8750f0d.0
    
    # in another terminal start the emulator with a writable /system volume
    cd ~/Android/Sdk/emulator
    ./emulator -writable-system @Nougat_bare
    
    # back in the first terminal use the adb tool
    ./adb root
    ./adb push c8750f0d.0 /storage/emulated/0/Download
    ./adb shell
    
    # in the Android shell
    mount -o rw,remount /system
    cp /storage/emulated/0/Download/c8750f0d.0 /system/etc/security/cacerts/
    chmod 644 /system/etc/security/cacerts/c8750f0d.0
    
    reboot
    
  • Check in Android Settings/Security/Trusted credentials – there should be a CA certificate named mitmproxy
  • Now restart the emulator with proxy settings (keep the -writable-system flag, otherwise the emulator boots the unmodified system image without your certificate):
    ./emulator -http-proxy http://localhost:8080 -writable-system @Nougat_bare
  • See the application's traffic in mitmproxy
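The certificate-preparation and installation steps above, collected into one script. This is an added example and not part of the original post or of mitmproxy itself; the function names prepare_android_ca and install_android_ca are my own. It assumes mitmproxy has been run once (so ~/.mitmproxy/mitmproxy-ca-cert.pem exists), that openssl is on PATH, and, when DO_INSTALL=1, that adb is on PATH and a bare (non-Google-Play) emulator started with -writable-system is reachable. Unlike the manual steps it derives the hash-named file from the certificate itself and refuses a PEM that also carries the CA private key.

```shell
#!/bin/sh
# Added example (not from the original post): prepare the mitmproxy CA
# certificate for Android's system trust store and install it into a running,
# rooted emulator via adb.
# Assumptions: openssl on PATH; adb on PATH and the emulator booted with
# -writable-system when DO_INSTALL=1; function names are my own.
set -eu

# Build the file Android expects in /system/etc/security/cacerts:
# <subject_hash_old>.0, holding the PEM certificate followed by its text dump.
# Prints the path of the generated file.
prepare_android_ca() {
    pem="$1"          # certificate-only PEM, e.g. ~/.mitmproxy/mitmproxy-ca-cert.pem
    outdir="${2:-.}"

    # mitmproxy-ca.pem bundles the private key with the certificate; a file
    # with a key must never be copied into the world-readable trust store.
    if grep -q 'PRIVATE KEY' "$pem"; then
        echo "refusing $pem: it contains a private key, use the *-cert.pem file" >&2
        return 1
    fi

    # Android names system CA files by OpenSSL's "old" (MD5) subject hash,
    # so take the hash from the certificate rather than hard-coding it.
    hash=$(openssl x509 -inform PEM -subject_hash_old -noout -in "$pem")
    out="$outdir/$hash.0"

    openssl x509 -inform PEM -in "$pem" -out "$out"             # PEM certificate only
    openssl x509 -inform PEM -text -noout -in "$pem" >> "$out"  # human-readable dump
    echo "$out"
}

# Push the prepared file into the emulator's system store and reboot so the
# new CA is picked up. Needs `adb root` to succeed, i.e. a bare image
# started with -writable-system.
install_android_ca() {
    file="$1"
    name=$(basename "$file")
    stage="/storage/emulated/0/Download/$name"
    target="/system/etc/security/cacerts/$name"

    adb root
    adb wait-for-device
    adb push "$file" "$stage"
    adb shell "mount -o rw,remount /system && cp '$stage' '$target' && chmod 644 '$target'"
    # Check before rebooting: the file must be present with mode 644.
    adb shell "ls -l '$target'"
    adb reboot
}

# Usage: ./android_ca.sh ~/.mitmproxy/mitmproxy-ca-cert.pem [outdir]
#        DO_INSTALL=1 ./android_ca.sh ~/.mitmproxy/mitmproxy-ca-cert.pem
if [ -n "${1:-}" ]; then
    f=$(prepare_android_ca "$1" "${2:-.}")
    echo "prepared $f (the hash differs per mitmproxy installation)"
    if [ "${DO_INSTALL:-0}" = 1 ]; then
        install_android_ca "$f"
    fi
fi
```

The hash-based file name is not cosmetic: Android's trust store looks certificates up by that subject hash, so a file with the wrong name is simply never consulted, and the `ls -l` check before the reboot saves a boot cycle when the remount or copy silently failed.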

Alternative setups

I found the setup described above the easiest, but you might need a different setup for various reasons:

  • The application might intentionally ignore the http_proxy settings – then you will need to run mitmproxy in transparent proxy mode
  • You can intercept traffic from a physical phone if you set up your computer as a WiFi AP – the setup is described here. You will need a rooted device to install the system-wide root certificate there.

Results

If everything went OK you will be able to learn a bit more about the application of your choice. For instance, I learned that an application was sending some information to Facebook, although that was not advertised anywhere and I do not have a Facebook account:

