I'm trying to create some sort of SDK that we intercept each request from my app regardless of which HTTP client it's using (be it native HttpURLConnection, OkHttp, Retrofit etc.). And including traffic from third-party libraries like Firebase Analytics etc.
I need to intercept and check few parameters then decide whether to allow or block current request.
I don't want to use any Custom VPN as it has some side effects like showing system level Notification and all traffic from the user device.
Is it possible to capture all requests by setting app level proxy?
If possible, How to achieve it in code?
You can use Retrofit
The retrofit will save your development time, And also you can keep your code in developer friendly. Retrofit has given almost all the API's to make a server call and to receive a response. internally they also use GSON to do the parsing. you can go through this link you will get more info Alos you can see the difference with other libs
You could give a try to implement a custom VPN with https://developer.android.com/reference/android/net/VpnService. With this you should be able to control which traffic is allowed to access the internet and which not. As you wrote, that you'll create an SDK, the implementors should know the side effects of VPNs in apps (ongoing system notification, every traffic is routet through that VPN, etc.)
Related
I'm developing an app and I use volley to fetch data from server in background . Can anyone see the urls I have used in my app?
If yes then how? and how can I prevent anyone from seeing them?
Yes, people could see what URLs are used. Specifically:
Users can decompile your app, and read the URLs from the decompiled source. Use an obfuscator such as Proguard to make this more difficult.
Users can also attach a debugger to your app at runtime, again revealing the data. Remember that the user has full control over the device and anything running on it.
Users can use a network traffic sniffer, eg Wireshark, or a firewall which logs all traffic, in order to see what your app is requestion. Make sure you're using HTTPS in order to make this harder. Make sure you also implement HTTPS correctly, especially, this means to not simply accept all certificates.
You cannot completely prevent people from seeing the URLs your app is using, since the app is running on the user's device, where the user can do anything he wants with it. You can only make it harder.
See also:
How to avoid reverse engineering of an APK file?
Android - Get the URL of a file being downloaded, which I answered a while back.
Yes, for example you can open chrome developer console and look at requests that are being made from your app if you are developing web app. In case of mobile app, everyone also can sniffer internet traffic, for example connecting to your own wifi router and listen to traffic, or use special tools like portswigger.
You cant prevent your urls from being revealed anyway, but you can use https in order to hide data you send.
Hope this ll help.
In my own app, I'm using various 3rd party SDKs that make network calls( HTTP requests) in some form or other. Without editing this code, can I write code separately within the application to intercept all GET and POST requests that my app is making?
I want to record these HTTP calls in my app
I am aware of using Fiddler and Charles proxy tools but that is outside the app but this won't work because I can't record these HTTP calls in my app.
Is there a way to do it?
EDIT: I am using Google Analytics SDK and Facebook SDK in my code. I want to monitor all the network calls these SDK's are making from my app
On non rooted phone you can use android OS proxy and redirect traffic. But some apps doesn't respect it. Makes direct connections. Some tweaking could be done. Use Drony with VPN mode to redirect all traffic to SandroProxy. Here is video how capture then traffic with SandroProxy SandroProxy with Chrome devtools SandroProxy can also capture pcapfiles. Can also make ssl mitm on pcap flow. from SandroProxy support
Try HTTP Toolkit - it's an open-source tool I've been building to do exactly this. It can automatically intercept traffic from an Android device, with no manual setup required, and then allows you to inspect & rewrite all HTTP traffic from your computer, like so:
To intercept HTTPS traffic from your app, you just need to either a) trust 'user' certificates in your application's network security configuration (see https://stackoverflow.com/a/38770284/68051) or b) use an emulator or rooted device (in which case HTTP Toolkit can inject a 'system' certificate, which your app will trust automatically).
Charles proxy is a good way.
Others include if app is using singleton network class (which it ideally should), make one function for get and one for post. Call these functions from your classes and use log.d to output data on console. You can track request response or time taken.
If you are specifically looking for your app to be capable of recording the HTTP calls.
Android Snooper library can be the solution you are looking for.
Have you considered Stetho?
http://facebook.github.io/stetho/
You can monitor and modify all incoming and outgoing requests, among other things.
https://github.com/jgilfelt/chuck/
it adds a new app that send notifications each time a network request is made, and you can see the details of the request.
https://github.com/facebook/stetho
it allows you to use the chrome dev tools to monitor your requests created from an android app. (among other cool features)
If you root the device or running over debug (adb), then maybe this will help:
http://code.tutsplus.com/tutorials/analyzing-android-network-traffic--mobile-10663
Else I don't think its possible to do what you want to do. But you can monitor general network stuff like:
For all traffic stats see:
https://developer.android.com/reference/android/net/TrafficStats.html (just pass in your apps user id)
For monitoring network status:
https://developer.android.com/reference/android/net/ConnectivityManager.html
You Can use this as the better option. Remember to scroll down the app and check network intercept is on.
Link is here https://appetize.io/upload
I have a backend server, and want to provide an SDK for connecting to that backend server. The sdk is going to be built for iOS and Android and will ship as a library separate for those platforms.
The problem is I want to make sure that the requests are sent only using the sdk that I provide. Basically everybody knows that it is possible to monitor WEB requests using proxy applications like Fiddler or Charles proxy. And it is possible to usurp the requests and send those requests manually as many times as one wants.
For my scenario should be made impossible. So I need a way to identify in the backend that the request that I've received is for sure sent from my sdk. How can I achieve this?
EDIT1:
I can guess something like digipasses may be used. For instance when I log into my bank account I get one time password and log in. But that is based on time, and I can not count on the time of device. May be we can reuse the concept.
Thanks for answers!
I am beginning a project that will have three layers to it: a web front-end, a mobile front-end and WCF back-end. Authentication needs to be done via Active Directory, but both web front-ends will be using forms authentication to grant/reject access to certain areas, and all user control will be handled via groups inside AD. This specifically applies in the WCF side where I would like to be able to utilize the built-in Permission.Demand() functionality.
I have two questions with this. First, does anyone know of any best practice examples for doing this? Specifically in regards to passing the credentials (without the password) to the WCF service so it knows the context under which it is being accessed. Secondly, the future includes creating an Android app (and probably iPhone/Windows Phone versions as well) so I need to make sure the method used will work cross-platform with those.
set the PrincipalPermissionMode to Custom, write a custom Authorization Policy (http://msdn.microsoft.com/en-us/library/ms729794.aspx) and in the implementation of the Evaluate method do the following:
evaluationContext.Properties["Principal"]=HttpContext.Current.User;
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/8f424d4f-2f47-4f85-a6b0-00f7e58871f1/
I have RESTful http api that my android application communicates with. Is there any way to ensure whether the request are made only from my application?
You could add custom http header at your applicaiton, and check it at the server. Though, this header might be sniffed and forged by malicious user. Then you could go further and do some public key authentication.
There isn't a 100% proof way to do what you want. You can monitor the user agent header, which will have specific values for Android devices. However, you could still see some Android devices not using an appropriate header. Also, no one stops a PC client from sending an Android-like user agent header.
You can do it with IP configuration, make a check with your IP. You can configure IP using your application server's configuration file or do it with pro-grammatically in your rest WS.