1> Is it possible to fetch the end-point of a http post request made from an android app?
2> Is it possible to fetch the parameters (key & value) of that request ?
If it is not possible to fetch the exact end-point & the parameter list for a post request made from an android device, can we assume that it is very hard to hack that particular end-point?
Edit 1 :
Say, in my android app, I am using an end-point like - http://abc.xyz.com/buyItem with 2 parameters : itemCode=value1, price=value2
(how)Can the url, parameter list & values be fetched by a hacker?
Yes it is possible to monitor network traffic and get those values.
It is pretty easy to set-up with something like a basic (cheap) network hub (not a switch) and a PC attached and a few network tools like tcpdump or ngrep.
A tcpdump example would be:
tcpdump -A -i eth3 > t.dump
Change eth3 to your network interface. You can look over the file t.dump in a text editor or use less or more.
NOTE: SSL / HTTPS connections are encrypted, so tcpdump will only give you parameters over HTTP.
There are other ways as well.
You could get lucky and simply unpack the apk and grep for something like ://. For example
grep -R '://' ./unpacked-apk/*
Update: Added a tcpdump example.
I would recommend using Fiddler for this purpose, it is a tool that has a nice UI and you would not need to write any complicated command line commands. Here is a documentation article on how to configure Fiddler to capture traffic on Nexus device.
Related
I am Android developer, my application uses a bunch of http REST calls and it gets responses from servers. I use Charles to inspect the data (so I have to install Charles certificate onto my device so that https traffic can be read by myself).
Are there any tools out there like Charles that will allow me to modfiy that response packet before sending to the client ??
Depending on what exactly you want to modify, Charles' inbuilt Rewrite Tool might be what you are looking for. You find it in the Tools menu. You can specify which requests shall be modified by protocol, host, port, path and query, and you have the following modification options:
Add, modify, remove headers (request and response)
Modify Host, Path, URL, Response Status
Add, modify, remove Query Parameters
Modify body (request and response)
Another option is Fiddler. Like Charles it can be configured as a proxy for android, decrypt HTTPS traffic and modify request and response.
Charles itself has the functionality. Follow the steps:
enable break points by right click on individual request or a path
Before sending the request, Charles will give you a change to edit it. See below. Click "edit request" to fill in whatever you want and click "execute" to send the request.
Before posting the result back to your mobile phone, you have a change to edit the content. See below.
You may try OWASP ZAP or Burp Suite. OWASP ZAP is completely free and provides a number of features.
See also Android : Capturing HTTP Requests with non-rooted android device.
I've recently tested HTTP Toolkit on Android emulator. It works and allows to capture and edit response from a server. Some functions are paid (in Pro version). Requires root priviledges on real devices.
You can also use Burp Suite or Fiddler.
I am confronting myself with a problem that I do not know how to interpret. I am doing a project using Android and Google App Engine. When I am trying to save information in Google App Engine's Big Table, directly from the servlet (hardcoded) - the save is performed with no problem. But when I am trying to save data from my Android device, the save is not performed and the log indicates Apache-HttpClient/UNAVAILABLE error. To be more specific:
405 55ms 0kb Apache-HttpClient/UNAVAILABLE (java 1.4)
82.155.246.249 - - [10/Jun/2013:05:20:59 -0700] "POST /servletnamehere HTTP/1.1" 405 306 - "Apache-HttpClient/UNAVAILABLE (java 1.4)" "appnamehere.appspot.com" ms=56 cpu_ms=21 cpm_usd=0.000034 app_engine_release=1.8.0 instance=00c61b117cede3f754aa1ece730dc88287a20199
I have seen that 405 HTTP error appears in the context of a POST method ( "405 errors often arise with the POST method. You may be trying to introduce some kind of input form on the Web site, but not all ISPs allow the POST method necessary to process the form." ) => indeed, I am trying to perform add (the object is a JPA Entity) in the database using a POST method. The data I am receiving from my Android device is serialized, through an input stream (in my case, working with JSON is not an option, these are the specifications).
Also, 306 HTTP error reffers to switch proxy. While the porevious error might be a bit intuitive, this one is beyond my student knowledge.
I have followed the instructions of this tutorial (http://trumpy.cs.elon.edu/joel/sigcse2011/), which is indeed what I need, but I really cannot figure out what I did wrong. I took again the procedure, stept by step, but I don't see the flaw.
Any help will be indeed appreciated. If I should post some code, I'll gladly do it.
Best wishes,
Cropcircles
LATER EDIT:
Now I get 417 HTTP error expectation failed. I have seen that I am supposed to set a certain parameter on false, but this workaround was available only for .NET. Is there anyone who knows what's the correspondent of the following, in Java? I am really really confused.
<system.net>
<settings>
<servicePointManager expect100Continue="false" />
</settings>
</system.net>
This is not an answer, but is too long for a comment and may be helpful, so here goes...
First, it's hard to tell what's going on here because there is limited info. Try to post more of the logging either on the client or on the server. Go to the server console and get more info, for instance, or add debugging in the client. I'd start by trying to make the POST from a debug/testing tool like hurl.it: http://www.hurl.it/ (hurl is a nice web front end to a command line HTTP client named curl, see curl itself if you want a more advanced peek). That way you can test and poke around and make SURE your server side works as you expect with a generic client. Then build other clients (like Android).
Second, "Apache-HttpClient/UNAVAILABLE" is not an error, it's just the user-agent String -- so ignore that part. (UNAVAILABLE is where the version typically is, but some impls don't have access to the version sometimes, it seems.)
Third, the 405 response code IS an error, it means POST is not allowed at the server you are trying to POST to. That can either be because POST is not allowed at all on said server, or you're violating some security policy (such as same origin).
If it's AppEngine, first check the APP you are using and make sure it supports POST (look for info on how to do POST at AppEngine to solve, for instance: google app engine: 405 method not allowed). When you say you can do it directly from a "servlet," do you mean that a POST from a different client works? (Servlet is a server side technology, so that's a little confusing.) If so then make sure your Android app is doing the client part the same way to the same host (multipart vs urlencoded, etc).
For a little more on the security stuff, which could be involved, see this post: Google App Engine + jQuery Ajax = 405 Method Not Allowed.
I've had the same trouble and in my case It was an error due to no write permission on server side area.
I was following an android test to write on a file a value transmitted in async way via POST method.
Apache received the POST request but was not able to write the data on the file due to security permission on it.
I am new to Android and want to use MQTT as push notifier for Android from Server.
i have read about MQTT but does not understand well. if any one has used this library so plz tell me what i have to do to start using it..
i have a Java Server (Running on Windows) and lots of Client(android phones on which my app will be installed). My server will send message to all or some specific clients at any time.
what are my basic requirement ? i mean is there
server requirement ?
some sort of registration ?
Library to include in android ?
identifier for Android device ? (as C2DM require Google account for each device)
plz help me in this regard
You need:
an MQTT broker which runs on the server side. This could be something like the mosquitto broker which is Open Source.
an MQTT client library which you include in your Android app, enabling your app to connect, subscribe, and publish messages. There are a number of Java options listed at http://mqtt.org/software
to come up with a way of uniquely identifying users or devices, and then use that as a topic so that you can individually publish a message to one device.
Dale Lane has written a nice guide on this (http://www.dalelane.co.uk/blog/?p=1599) and there is also a good set of resources about MQTT (https://github.com/mqtt/mqtt.github.io/wiki)
Basic Steps
Install the WAMP server with PHP (the version should be upper than
5.1.0)
As the WAMP server is installed, start the WAMP server(so that it
can get default configuration).
Open command prompt and change the directory to the PHP{version},
For Ex. Cd C:\wamp\bin\php\php5.3.0
[1] Install PEAR
Now we have to install the PHP PEAR (i.e. not installed by default)
by running the command below.
php -d phar.require_hash=0 ./PEAR/go-pear.phar
OR
php -d phar.require_hash=0 go-pear.phar
Now check the directory PEAR under C:\wamp\bin\php\php5.3.0\PEAR
(Installed or Not).
Now in the Directory C:\wamp\bin\php\php5.3.0 there is PEAR_ENV.reg (Registry File) is create, so double click on that to change PHP.ini file with PEAR invironment
Now as pear is installed we have to run the following commands (Optional).
pear upgrade
pear install upgrade-channels
So the PEAR setup is now completed
[2] Install SAM (Simple Asynchronous Messaging)
To install SAM we have to Run the Following Command
Goto C:\wamp\bin\php\php5.3.0
Pecl install –B SAM
[3] Choose and Run Mosquitto or RSBM
Really Small Message Broker (RSMB) is a simple MQTT broker also
provided by IBM http://www.alphaworks.ibm.com/tech/rsmb. It runs on
port 1883 by default. In our architecture it accepts messages from
the server and passes them on to the right devices. RSMB can also be
replaced by the Mosquitto server http://mosquitto.atchoo.org/
lets go with the RSMB.
Download and goto Windows folder in rsmb ( your version )
Start Broker.exe
NOW YOUR SERVER IS CONFIGURED. YOU CAN USE IT FOR PUSH NOTIFICATION.
If you want to use MQTT for send push notification in android device then this demo will be best for you.
By using this example you can send push notification to your android device.
https://github.com/tokudu/AndroidPushNotificationsDemo
If you want to create your own Push service like LEADBOLT,AIRPUSH,etc.. then you have to required the following things.
[1] Configure your own server for send push notification.(like tokudu worked in PHP,WAMP)
For configure SERVER..
[A] Install PEAR
[B] Install SAM
[C] Configure SAM
[2] You need mosquitto or IMB's RSMB for selecting target Android device.
[3] You need some android code for receiving notification,send keep alive signals to server,create connection with server,etc... (Which can be found in TOKUDU example).
If you have any problem then tell me , i will definitely help you.
I am creating an aplication that involves an WebView. The thing is that I want to load the full page and not the mobile one, so I have changed the User Agent. Nevertheless there are pages that loads the mobile version.
Here are two versions of code that I have tried:
1.webview.getSettings().setUserAgentString("Mozila ");
2.
String DESKTOP_USERAGENT = webview.getSettings().getUserAgentString ();
DESKTOP_USERAGENT = DESKTOP_USERAGENT.replace("Mobile ","");
webview.getSettings().setUserAgentString(DESKTOP_USERAGENT);
This are exemples of webpages that loads the mobile version in any cases:
http://www.jurnalul.ro
http://www.androidzoom.com
1.Does anyone knows how I can trick the server and tell him I am using a desktop and not a mobile?
2.How does a website knows that I am using a mobile version?
Thank you very much,
Razvan
The problem may be that if you are using a device that your carrier is routing all your HTTP requests through a proxy, and that the proxy is changing the User-Agent. Check on the other end, with your own server, using nc -l 80 -vvv that your request is indeed sending the User-Agent that you have modified.
EDIT: Some specific troubleshooting steps
Forward a port 9090 on your router to your desktop machine or laptop.
Download netcat
Run netcat with the command "nc -l 9090 -vvv"
In your Android application's WebView, make an HTTP request with the User-Agent you are injecting to http://your.ip.address:9090
In the terminal you ran netcat, you will see the HTTP request dump in plain text. There you can check the HTTP header User-Agent to see if it has been changed by a proxy server or not.
You cannot test this stuff with Wireshark or Fiddler because it is happening in the WAN. You need to test it on the receiving end, either on a server, or on your own desktop machine.
webview.getSettings().setUserAgent(1);//for desktop 1 or mobil 0.
I'm writing a Lovefilm client for Android, and it's not going too badly except I keep having problems with the remote calls to retrieve data from the API.
Does anyone have any tips for debugging remote calls like this? Can I tcpdump on Android or is there a native way of doing it?
For example, I'm using the Scribe-java library for OAuth to access the Lovefilm API, I can authenticate find and retrieve a list of films on the users account fine when the device is running Gingerbread, but trying to retrieve the accessToken on Froyo causes a blank response & and apparent response code of -1, I'd like to be able to see what's going on under the cvers their.
Another example I'd like to be able to the raw http for is trying to run a search, I get and IOError that says "Received authentication challenge is null"
I've used Fiddler (http-proxy for debugging http calls) with the android emulator in these cases. Just start the proxy, and start the emulator with the correct proxy address (-http-proxy ).
Fiddler is the most useful option. On the emulator #Scythe answer will work, but on a real device you will need to set the proxy in the Apache Http Client. The following code will do that:
HttpHost proxy = new HttpHost("youripaddr", 8888);
params.setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);
If you are using https, fiddler is not so useful. In that case can enable the build in logging support in Apache Http Client. The following code does that:
Headers only:
java.util.logging.Logger apacheHeaderLog = java.util.logging.Logger.getLogger("org.apache.http.headers");
apacheHeaderLog.setLevel(java.util.logging.Level.FINEST);
Headers & Wire:
java.util.logging.Logger apacheWireLog = java.util.logging.Logger.getLogger("org.apache.http.wire");
apacheWireLog.setLevel(java.util.logging.Level.FINEST);
Note that this will have to have a java.util.logging Handler configured at finest level and the default handler is configured to log to logcat, which will filter DEBUG (finest) entries by default.
If your system can share the wi-fi connection you should be able to route packets from any device through your system and then using wireshark you can get monitor your calls or get a tcpdump.
Also , and more importantly , it would be best if you log your network calls and responses as suggested by #Matthew
Windows 7 wi-fi connection sharing : http://www.winsupersite.com/article/faqtip/windows-7-tip-of-the-week-use-wireless-hosted-networking-to-share-an-internet-connection-wirelessly.aspx
Since I always run into similar troubles and it seems a lot of people having the same issues over and over again I wrote up a quick tutorial for debugging client-server communication by using netcat and cURL.
That of course only works for the simplified case that you always 'fake' on side of the connection.
For eavesdropping you can use tools like tcpdump or Wireshark. Which will definitely be easier if you're able to run the server instance directly on your local machine.
Stetho is a great tool from FB which helps in debugging android Apps. You can have access to local data and have a check on your network using this.
http://facebook.github.io/stetho/