I'm trying to capture traffic from an app on an Android phone and although I've set the proxy on the phone and can capture all other internet traffic coming from the phone (using Charles Proxy), I can't see any traffic for this one app.
How is this done, and how can I capture the traffic?
UPDATE:
If you need help setting up a wifi hotspot from your computer, so you
can connect your phone to it and Wireshark the traffic, just look at
the following link for directions:
http://www.wi-fiplanet.com/tutorials/article.php/3849841/How-to-Create-Wireless-Hosted-Networks-in-Windows-7.htm
If you want help decompiling an IOS app to assembly, look at this
link: http://www.infointox.net/?tag=arm
If you want a better Dex to Java decompiler than dex2jar, check this
out: https://github.com/skylot/jadx
There're several ways:
Connect your phone to your internal wifi access point (before connecting check advanced options and set a manual proxy).. Note: this method do not work for all network data.. some connections ignore this setting.
(works on rooted phones only) Install 'Shark for Root' application on your device... it will capture ALL traffic.. it will generated dump files that can be analized on your PC using Wireshark software
The best way: Setup your PC as a wifi access point and make your android device to use this wifi connection, then sniff the traffic using the same Wireshark application.
I strongly recommend you use something like "CharlesProxy" (or similar). Be aware of 2 things when u setup the proxy (I hope it is an application you are developing, otherwise be sure of what you do cause it can be ILEGAL):
1 - If you want to attack from your Android/iOS phone to the proxy installed in your local computer, you need the proxy to be configured to use the local IP:PORT (which means CharlesProxy needs to be configured as an address as 192.168.x.x if using a normal wifi network). Then, the Android/iOS phone needs to be setting the proxy to the same IP:PORT
2 - If the app uses https, there are several ways to manage HTTPS connections:
a) If your application accepts ALL Certificates, then it is not a problem for whatever proxy to capture and decrypt the information.
b) If your application accepts only system (and trusted) certificates, you have to export the charlesproxy certificate to your Android phone and to add it into the list of user's trusted certificates.
c) If your application is correctly doing "Certificate pinning", you won't be able to capture the traffic, unless you have the private certificate of your server and you add it in both (your phone) and the proxy configuration.
Hope it helps!
Related
I'm trying to reverse engineer one Android app's traffic and it's using sockets, xmpp or something else, but not http(s) on some features. I know this because Charles does not see some requests, but data is definitely coming from the server for sure (e.g. chat messages).
Android allows to set http(s) proxy, not socks. ProxyDroid doesn't work on genymotion, because it's x86 and ProxyDroid doesn't support that. Tried Drony app on genymotion, which supposedly should allow socks proxy, but once I try turning it on, the whole emulator restarts (probably crashes).
So how do I sniff/trace/inspect sockets traffic on Genymotion/Android emulator?
You might have better luck by doing it on the host side, ie from the Windows/Mac/Linux machine running Genymotion.
The basics
Install Wireshark
Start Wireshark and select the network interface which connects you to the Internet (or to the server you are interested in). For me it is wlp1s0.
Tell Wireshark you only want traffic going from your device to the server you are interested by entering ip.dst == <server-ip> in the filter line. Now go back to your device and use the application which communicates with the server. Traffic should appear in Wireshark. Here I am browsing my web site, whose IP address is 5.135.144.176:
Note that if Wireshark knows about the protocol used by the server, you can filter it. Here is the same output with the http filter:
Watching only traffic from the device
With the current setup, if you access the server from your host, this traffic will be logged by Wireshark as well. To avoid that you need to do the following:
Configure your device in Bridge mode: stop the device, open its settings dialog and select Bridge:
Get the device IP address: restart the device, open the "Settings" application and go to "About phone > Status", note the IP address:
Add this IP address to the filter line in wireshark, like so: ip.src == <the-device-ip> and ip.dst == <the-server-ip>.
I've an android app installed on my phone (debug build) and a local dev server. The app is using GAE Endpoints. I've updated the API builder by adding
b.setRootUrl("http://[myIP]:8080/_ah/api");
However, the app cannot connect. I've verified the dev server is up and running.
As a test, I tped
http://localhost:8080/
in by browser and I get the api explorer, etc.
However, if I do
http://[myIP]:8080/
I get "this webpage is not available". So clearly that must be the root cause.
The way I get my IP address is by running ipconfig in a cmd.
I tried turning off my firewall but that didn't make any difference.
Any and all help much appreciated. Thank you.
Figured it out.
i have a router so need to go into my router settings and add a 'virtual server' (that feature may be called something else for your router) redirecting from my ROUTER ip address (not what you get from ipconfig), and a port (whatever you want, need to use it in the setRootUrl), to my server address (what you DO get from ipconfig) and the local dev server port (typically 8080)
when i start my server in Android Studio i need to specify address 0.0.0.0, can be easily done in Android Stuiod by editing the run config (don't forget to restart it after that change)
update b.setRootUrl to point to the router ip address from 1. and the port you picked in 1. as well (don't forget to rerun your app after the update which will re-install it on your phone)
disable firewall -- however that's unsafe so instead i've created a special rule for this connection. (when setting inbound rules, a big gotcha is that there are usually predefined rules to block ALL connections from Java SDK/JRE for all installed versions on your system which will take precedence. You would need to modify those: I wouldn't advise disabling the whole rule, but you can modify to specific ports as such Ports: 1-[your server port-1], [your server port + 1, 65535].
The combination of those four works for me. Hope this helps someone!
My scenario is as follow:
I'm working with an app development which a bug occurs in the app when it is in a different country than mine, and only there. The bug is related with a fail in an image download through an URL access. Right now, I haven't figured out yet what it can be. Some subjects I've already looked up are:
Its not related to internationalization and/or culture, because the code does not implement this;
Its not related to firewall/security access, because if the user in the other country opens the image's URL, he can look at the image;
Without rooting the device, is there is a way to remotely open and debug a given Android device, just like a SSH or a VNC?
Similar questions are:
Debugging android app on a device remotely
Remote Debugging
Well,
you can debug a device using a TCP/IP connection (I sometimes debug using WIFI at home). all you need to do is make sure the remote device is connected to the internet and is accessible to your PC with a direct TCP/IP connection.
As the Android device is connected in another location - you'll have to make sure your router's firewall allows outgoing connection for communications in the port ADB is using , and that the target Android device receives communications in that port (if it's behind a router - the router should allow connections under the righ port and forward all comm in that port to the android device).
in other words - you have to "tunnel" your communication to the target device. there are other tunneling solutions/products but I've never used them and I prefer the "manual" way
Good luck,
Dan
EDIT : in Android 11 - adb can work on WIFI natively : https://developer.android.com/studio/run/device#wireless
Perhaps you can have the user install something like aLogcat and have them send you a log with the failure.
Well as remotely debugging a device I don't know but you can use ACRA (Application Crash Report for Android) .
All you need is to set up a google doc, add the lib to your project and when the app crashes it will send a crash report to that google doc. See quick setup here
How can I capture mobile phone traffic on Wireshark?
Here are some suggestions:
For Android phones, any network: Root your phone, then install tcpdump on it. This app is a tcpdump wrapper that will install tcpdump and enable you to start captures using a GUI. Tip: You will need to make sure you supply the right interface name for the capture and this varies from one device to another, eg -i eth0 or -i tiwlan0 - or use -i any to log all interfaces
For Android 4.0+ phones: Android PCAP from Kismet uses the USB OTG interface to support packet capture without requiring root. I haven't tried this app, and there are some restrictions on the type of devices supported (see their page)
For Android phones: tPacketCapture uses the Android VPN service to intercept packets and capture them. I have used this app successfully, but it also seems to affect the performance with large traffic volumes (eg video streaming)
For IOS 5+ devices, any network: iOS 5 added a remote virtual interface (RVI) facility that lets you use Mac OS X packet trace programs to capture traces from an iOS device. See here for more details
For all phones, wi-fi only: Set up your Mac or PC as a wireless access point, then run wireshark on the computer.
For all phones, wi-fi only: Get a capture device that can sniff wi-fi. This has the advantage of giving you 802.11x headers as well, but you may miss some of the packets
Capture using a VPN server: Its fairly easy to set-up your own VPN server using OpenVPN. You can then route your traffic through your server by setting up the mobile device as a VPN client and capture the traffic on the server end.
In addition to rupello's excellent answer, a "dirty" but very effective trick:
For all phones, any (local) network: Set up your PC to Man-In-The-Middle your mobile device.
Use Ettercap to do ARP spoofing between your mobile device and your router, and all your mobile's traffic will appear in Wireshark. See this tutorial for set-up details
Another option which has not been suggested here is to run the app you want to monitor in the Android emulator from the Android SDK. You can then easily capture the traffic with wireshark on the same machine.
This was the easiest option for me.
Wireshark + OSX + iOS:
Great overview so far, but if you want specifics for Wireshark + OSX + iOS:
install Wireshark on your computer
connect iOS device to computer via USB cable
connect iOS device and computer to the same WiFi network
run this command in a OSX terminal window: rvictl -s x where x is the UDID of your iOS device. You can find the UDID of your iOS device via iTunes (make sure you are using the UDID and not the serial number).
goto Wireshark Capture->Options, a dialog box appears, click on the line rvi0 then press the Start button.
Now you will see all network traffic on the iOS device. It can be pretty overwhelming. A couple of pointers:
don't use iOS with a VPN, you don't be able to make sense of the encrypted traffic
use simple filters to focus on interesting traffic
ip.addr==204.144.14.134 views traffic with a source or destination address of 204.144.14.134
http views only http traffic
Here's a sample window depicting TCP traffic for for pdf download from 204.144.14.134:
For Android phone I used tPacketCapture:
https://play.google.com/store/apps/details?id=jp.co.taosoftware.android.packetcapture&hl=en
This app was a lifesaver I was debugging a problem with failure of SSL/TLS handshake on my Android app. Tried to setup ad hoc networking so I could use wireshark on my laptop. It did not work for me. This app quickly allowed me to capture network traffic, share it on my Google Drive so I could download on my laptop where I could examine it with Wireshark! Awesome and no root required!
Packet Capture Android app implements a VPN that logs all network traffic on the Android device. You don't need to setup any VPN/proxy server on your PC. Does not needs root. Supports SSL decryption which tPacketCapture does not. It also includes a good log viewer.
Preconditions: adb and wireshark is installed on your computer and you have a rooted android device.
Download tcpdump to ~/Downloads
adb push ~/Downloads/tcpdump /sdcard/
adb shell
su root
mv /sdcard/tcpdump /data/local/
cd /data/local/
chmod +x tcpdump
./tcpdump -vv -i any -s 0 -w /sdcard/dump.pcap
CTRL+C after you've captured enough packets.
exit
exit
adb pull /sdcard/dump.pcap ~/Downloads/
Now you can open the pcap file using Wireshark.
Install Fiddler on your PC and use it as a proxy on your Android device.
Source: http://www.cantoni.org/2013/11/06/capture-android-web-traffic-fiddler
Similarly to making your PC a wireless access point, but can be much easier, is using reverse tethering. If you happen to have an HTC phone they have a nice reverse-tethering option called "Internet pass-through", under the network/mobile network sharing settings. It routes all your traffic through your PC and you can just run Wireshark there.
Make your laptop a wifi hotspot for your phone (any) and connect it to internet. Sniff Traffic on your wifi interface using wireshark.
you will get to know a lot of anti privacy stuff!
As a Wireshark alternative/companion for Android, you can try my open source app PCAPdroid. On non-rooted devices, it uses the VPNService to capture the traffic with some limitations. On rooted devices, it works like a user-friendly tcpdump.
You can analyze connections and packets payload directly into the app, or export the traffic in PCAP format to analyze it on a PC with Wireshark. It has many other cool features, give it a try!
For Android, I previously used tPacketCapture but it didn't work well for an app streaming some video. I'm now using Shark. You need to be root to use it though.
It uses TCPDump (check the arguments you can pass) and creates a pcap file that can be read by Wireshark. The default arguments are usually good enough for me.
I had a similar problem that inspired me to develop an app that could help to capture traffic from an Android device. The app features SSH server that allows you to have traffic in Wireshark on the fly (sshdump wireshark component). As the app uses an OS feature called VPNService to capture traffic, it does not require the root access.
The app is in early Beta. If you have any issues/suggestions, do not hesitate to let me know.
Download From Play
Tutorial in which you could read additional details
For iOS Devices:
⦿ Open Terminal and simply write:
rvictl -s udid
it'll open an interface on Wireshark with a name, In my case its rvi0.
udid is iPhone's unique device id.
(How to find my iOS Device UDID)
I got this crazy idea that I don't know is possible or not... what I want to do is set up my phone as wifi access point, then allow people to connect to it, but handle all incoming http traffic myself.
So:
phone wifi in access point mode; open wifi network (this tidbit works - yes I know it's not officially supported but then I have no intention to distribute put this app on the open market or so, it works on my phone and that's good enough for me).
client can connect to the phone (e.g. my laptop: this also works).
when client tries to open an http connection to any random server, this has to be intercepted by my app and handled by a local web server. This is the point that I'm stuck on.
The web server part shouldn't be too hard; there are (open-source) web servers available. But getting the traffic to that web server, there is the problem.
The behaviour I'm after is a bit similar to what you get when connecting to some open hotspot, like hotel hotspots, that then redirect you to a login page. This intercepting of the connection request (I suspect I have to look at DNS requests?) is what I'm after.
I have seen an app that is doing this but they require the phone to be rooted. I'm hoping to find a way to do it without rooting the phone.
Wifi hotspots would usually use IPTables to redirect port 80/443 traffic to a local web server.
I have run squid on linux machines in the past on port 3128, then sent all port 80/443 traffic to squid. Then I used squid redirect any url that I didnt explicitly allow to a local web server.
IPTables is accessible on rooted android devices only though.
And I doubt there are many proxy servers available on android, so you would have to send HTTP traffic to a proxy server over the network connection.
Like has been said, you'll need IPTables, but you'll also need a proxy server, like Squid.
Google "transparent proxy with squid", or check here:
Linux: Setup a transparent proxy with Squid in three easy steps
you do not need to have a proxy, you just need a full LAMP stack on your device and IPtables, you can mark all packets that have not been authenticated to forward through to your local page, then using php change the rule for that IP address once the address has authenticated, you could do the same for mac addresses if you wish, you would then also need a daemon that periodically reset each exception