Many Android applications communicate with severs using some form of REST API secured with TLS/SSL (so it’s “https” protocol). If it is your application or an open source application you know what’s going on from the source, but for third party application you still may be wondering (hopefully for legit reasons:-), what is this application sending to the server and what it gets back. With help of few free tools it’s fairly easy to monitor encrypted traffic on your local computer (linux, but it will work on other systems too).
What is needed
Android SDK ( I downloaded it as part of Android Studio, but you can download only command line tools)
mitmproxy (special proxy that can help to decrypt https using “Man in the Middle” approach)
openssl tool (normally available in your linux distro, in Ubuntu install with
sudo apt install openssl)
- Install mitmproxy
- Run it
Shell1mitmproxy --set stream_large_bodies=1m
- Test it in local browser on an unencryped site to see how it works (set proxy in the browser to localhost:8080)
- Get Android application .apk file
There are many approaches, you can use some internet service, or use adb to extract from your phone via USB cable, or create an android emulator with Google Play, install application there and use adb to extract (same approach as in previous case).
- Create emulator from bare android image (no Google Play and APIs), thus you will be able to get root access easily.
- Now you need to install root certificate of mitmproxy dummy CA to the android image in the emulator into system wide certificates :
Shell1234567891011121314151617181920212223cd ~/Android/Sdk/platform-tools# prepare key compatible with Android# this first commad will give you hash code used in following commands to name the fiileopenssl x509 -inform PEM -subject_hash_old -in ~/.mitmproxy/mitmproxy-ca.pem | head -1cat ~/.mitmproxy/mitmproxy-ca.pem > c8750f0d.0openssl x509 -inform PEM -text -in ~/.mitmproxy/mitmproxy-ca.pem -out /dev/null >> c8750f0d.0# in other terminal start emulator with writable /system volumecd ~/Android/Sdk/emulator./emulator -writable-system @Nougat_bare# and back in first terminal use adb tool./adb root./adb push c8750f0d.0 /storage/emulated/0/Download./adb shell# in the Android shellmount -o rw,remount /systemcp /storage/emulated/0/Download/c8750f0d.0 /system/etc/security/cacerts/chmod 644 /system/etc/security/cacerts/c8750f0d.0reboot
- Check on Android
Settings/Security/Trusted credentials– there should be CA certificate with name mitmproxy
- Now you restart emulator with proxy settings:
Shell1./emulator -http-proxy http://localhost:8080 -writable-system @Nougat_bare
- See traffic from the Android application in the mitmproxy
I’ve found above described setup easiest, but you might need different setup for various reasons:
- The application might ignore
http_proxysettings intentionally – then you’ll need to set mitmproxy into transparent proxy mode
- You can intercept traffic from physical phone, if you set your computer as wifi AP – setup is described here. You’ll need rooted device to install there system wide root certificate.
If everything went OK you’ll be able to learn a bit more about application of your choice. For instance I learned that application was sending some information to facebook although it was not advertised anywhere and I do not have facebook account: