As you know, a lot of request (images, scripts, AJAX, etc.) are send when loading a single page. So I need to get all those request and inspect them.
So the question would be: How can I inspect the HTTP requests that are made when a WebView loads a page ?
I want: headers, method, status code, response, cookies.
Right now, I have:
public void onLoadResource(WebView view, String url){
Log.d("my-tag", "onLoadResource = " + url );
}
But that only shows me the URL.
The best you can get in your app is the WebViewClient.shouldInterceptRequest method, but that only has the URL. You currently can't get any of the things you've listed.
For debugging you can use Chrome DevTools if you're using Android 4.4.
Look here: https://gist.github.com/kibotu/32313b957cd01258cf67 where you get the http headers at android >=21
The easiest way is to use a proxy. I use Charles, but I'm sure there are others. On the device, go to the WiFi settings, long click the one you're connected to, select "modify network" and enable the advanced options. There you'll be abel to configure the proxy settings for the whole device.
Related
I'm developing an Android application, it is like a browser, has a web-view and sends http(s) requests. For debugging purpose, I want to be able to see the requests sent and received by the application (in particular the headers), but I'm unable to do so.
What i tried
I mainly debug the app with Chrome on PC, and use the Network Inspector in Chrome. The problem is that my app uses the ShouldInterceptRequest to intercept the requests an then manually sends a request with cronet. Chrome, in this case, shows some "provisional headers" that are from the original request, an not the headers of the actual request i sent manually.
I tried to use Fiddler and HTTP Toolkit, but the server I'm communicating with, doesn't like the certificate they use, so they can monitor correctly, but, if active, i cannot reach the page i need to monitor.
I also tried the Android Studio network inspector, but seems it work only for HttpURLConnection and Okhttp(1)
Thanks for your time.
If you're using a WebView, set a custom WebViewClient and override shouldInterceptRequest. That will pass in a WebResourceRequest object that will include all headers.
recently some one told me that he retrieves all the url requests from my android application and he sent them to me .
I'm using proguard in my application but he told me there are some ways that he can monitor the url requests .
I'm using URLConnection in my application .
how can I hide the url requests and somehow encrypt the urls so no one can read and access my url requestes ?
You can't. It's quite easy to use a proxy to catch all network traffic and check what you are using. If the problem is related with the content, then you can switch from http to https, but the host will be always visible. Actually as user I would be really scared about an app that want to hide such information however.
USE https instead of http, it is secured.
Try with HTTPS and add SSL(TSL) pinning to the network call.
I am Android developer, my application uses a bunch of http REST calls and it gets responses from servers. I use Charles to inspect the data (so I have to install Charles certificate onto my device so that https traffic can be read by myself).
Are there any tools out there like Charles that will allow me to modfiy that response packet before sending to the client ??
Depending on what exactly you want to modify, Charles' inbuilt Rewrite Tool might be what you are looking for. You find it in the Tools menu. You can specify which requests shall be modified by protocol, host, port, path and query, and you have the following modification options:
Add, modify, remove headers (request and response)
Modify Host, Path, URL, Response Status
Add, modify, remove Query Parameters
Modify body (request and response)
Another option is Fiddler. Like Charles it can be configured as a proxy for android, decrypt HTTPS traffic and modify request and response.
Charles itself has the functionality. Follow the steps:
enable break points by right click on individual request or a path
Before sending the request, Charles will give you a change to edit it. See below. Click "edit request" to fill in whatever you want and click "execute" to send the request.
Before posting the result back to your mobile phone, you have a change to edit the content. See below.
You may try OWASP ZAP or Burp Suite. OWASP ZAP is completely free and provides a number of features.
See also Android : Capturing HTTP Requests with non-rooted android device.
I've recently tested HTTP Toolkit on Android emulator. It works and allows to capture and edit response from a server. Some functions are paid (in Pro version). Requires root priviledges on real devices.
You can also use Burp Suite or Fiddler.
Is there a way to make a faked http post request from desktop, but looks like from a real iOS/Android hardware(i.e. iPhone 5s 6.7 square inches, Samsung Galaxy 5.1-inch)?
I have no clue what’s the difference between the requests from deferent device(header,body...), how can a server know where the request from?
Thanks a lot. Merry Christmas.
The only difference is User-Agent.
You should easily be able to change it in your request, whatever the request is.
When your browser makes a request, among different headers there is a "User-Agent" header containing details of your browser and your OS. Take a look here and here.
I would use a REST Client like Postman for Chrome to send a POST Request along with the "User-Agent" string of my choice.
You can also use Chrome Developer Tools (opens with ctrl+shift+i in Windows) for the emulation feature that lets you emulate among a variety of devices. More info about that here.
With the emulation method in Chrome you can easily hit your server/webpage like you would normally by typing the URL in your browser (GET requests) from any of the available devices.
I am attempting to use AndroidAnnotation's rest client to access a web service. I am receiving the following error:
org.springframework.http.converter.HttpMessageNotReadableException:
Could not read JSON: Unexpected character ('f' (code 102)):
was expecting double-quote to start field name
How can I make the rest client log the actual response it received? I can't imagine why my web service is returning this response, but I can't debug it unless I can see the full response. Do I have to set some kind of option at the level of the Spring framework?
I would also like to see the body of the request I am sending.
Thanks for your help!
Here we see that AndroidAnnotations is a wrapper around the Spring Android RestTemplate Module. The code for the RestTemplate is here. So we can find out which TAG is used for logging:
private static final String TAG = "RestTemplate";
Are you not able to see log entries for this TAG? Which converter / extractor are you using? Please post the call stack.
In the wiki they recommend to use a Interceptor for logging request / response. So you could implement your own interceptor like:
public class LoggingInterceptor implements ClientHttpRequestInterceptor {
#Override
public ClientHttpResponse intercept(HttpRequest request, byte[] data, ClientHttpRequestExecution execution) throws IOException {
logRequest(request);
ClientHttpResponse response = execution.execute(request, data);
logResponse(response);
return response;
}
private void logRequest(HttpRequest request) {
// log it
}
private void logResponse(ClientHttpResponse response) {
// log it
}
}
You enable the interceptor in the #Rest annotation (field interceptors).
While I do not use AndroidAnnotations and cannot answer your question directly, I would like to propose an alternative solution. You could use a great little utility program called Fiddler. It can do wonders for debugging networking activity, whether it be requests, responses, HTTP headers or practically anything else that would matter in a REST API communication.
You can find a full tutorial on how to setup your environment to use Fiddler here, but to name a few crucial steps (credit goes to the linked page, you can also find helpful pictures there)
Setup Fiddler:
Click menu Tools | Fiddler Options, then select the Connections tab
Make note of the “Fiddler listens on” port (normally it’s 8888)
Make sure the check box for “Allow remote computer to connect” is checked
Switch to the HTTPS tab
Make sure the check boxes for “Capture HTTPS Connects” and “Decrypt HTTPS traffic” are both checked
Restart Fiddler
Make note of the PC’s IP address Close non essential apps on the Windows PC (to minimize web traffic being routed through Fiddler)
Setup your device:
Tap on Settings, then Wi-Fi
Find the network on which you’re connected (normally the first one listed), then tap and hold
Choose Modify network from the pop-up
Scroll down and enable “Show advanced options”
Change “Proxy settings” to Manual
Under “Proxy host name” enter the Windows PC IP address from above
Under “Proxy port” enter the Fiddler port from above (usually 8888)
Tap Save and wait a moment for the network to reconnect
Now you will see all the needed details for your REST API calls which makes debugging much easier.