Intercept Android GMail SSL connection - android

Is it possible to route android gmail app traffic through my own HTTP proxy?
I know that I can install certificates onto android phone but I am not sure if gmail app has hard coded certificate information?

I was able to use Fiddler with Android ICS by changing proxy settings on wi-fi network

Related

how to monitor the traffic of an android

I have an Android phone on which I want to monitor the HTTP/HTTPS traffic using tools like Charles Proxy, but the phone is not on the same network as the Charles Proxy host. Is there a way to do that without using an external server?
There is no need for an external server. You need to route the traffic from your phone to the device where the interceptor is running. You could create a MITM setup with a tool like https://mitmproxy.org/. Btw, you will need a rooted phone, something like xposed-ProxyOn. Then you can intercept app-specific traffic. But if you try to intercept HTTPS traffic from apps that use certificate pinning, you won't get a connection to the app server.

Charles works on browser, but not on application - Android

I have installed and have been using Charles Proxy (4.5.6).
I am using Android 9.
Charles works on the Chrome pages (Instagram specifically):
but it does not work on the Instagram application:
and I always get that error when I am using the app.
Should I "Save Charles root certificate" and then install it on my phone? Also, why does Charles work on the Chrome but not on the Instagram app?
Instagram's app uses a technique known as SSL Certificate Pinning. Basically, this means they bundle information about the expected SSL certificate for the server into the app, and deny any connection that doesn't present that certificate. Because the certificate presented by Charles is not Instagram's certificate, the connection is denied by the Instagram app. In Chrome, it must rely on the browser's assessment of certificate trust, which will defer to certificates installed on the device - I assume you've already set up your device to trust the Charles Proxy SSL certificate, so because Chrome trusts it (because you told it to), the website works. There used to be a way to do key pinning in the browser, but it no longer works due to some issues that were discovered.
You can disable this certificate pinning in your Facebook account settings: https://www.facebook.com/whitehat/researcher-settings/
As for the details of their implementation, there are numerous articles online about how to disable the pinning in Instagram's app. I can't vouch for any of them in particular, as I haven't tried them, and I'm not sure how they would interact with the terms of service, but you could take a look at those for more information.
I have been working with Charles to monitor and debug network requests for my app and I would like to mention a few points that would help you:
If you look at the documentation of Charles SSL Certificate for Android,
As of Android N, you need to add configuration to your app in order to have it trust the SSL certificates generated by Charles SSL Proxying. This means that you can only use SSL Proxying with apps that you control.
This restriction has been added by the Android framework itself to avoid exploits and hacks for more security. So, you cannot use Charles to monitor or debug network requests of third-party apps (in your case, Instagram) if you have Android 7 (Nougat) or higher.
If you really want to do it, you can try connecting an Android phone with Android 6 (Marshmallow) or lower to see if it works for you.
If you want to debug your own app, your phone and the system running Charles should be on the same network and you need to set up the proxy configuration in your phone's Wi-Fi settings.
First go to Charles -> Help -> SSL Proxying -> Install Charles Root Certificate on Mobile Device or Remote Browser
You'll see an info window like this:
Note the IP address mentioned in this window and go to your phone's Settings -> Wi-Fi -> Select your Wi-Fi network -> Edit
You'll find an option called Proxy; it will be None by default, so update it to Manual. You'll get two input fields for entering Hostname and Port. Fill in those details by looking at the IP mentioned in Charles and save it.
Another important point is, you'll need to install Charles Root Certificate on your phone. You can do it by visiting https://chls.pro/ssl from your phone's browser. It'll automatically download the certificate and will prompt you to install it. Make sure you're connected to Charles by following the 2nd step, otherwise it won't download the certificate automatically.
Once it's done, you're good to go!
There may be two reasons for this:
1) The Instagram app is using a network security configuration file which disabled the proxy servers. For more information read this website: https://developer.android.com/training/articles/security-config
2) For checking the payload of your own application you need to set a proxy server as in https://community.tealiumiq.com/t5/Tealium-for-Android/Setting-up-Charles-to-Proxy-your-Android-Device/ta-p/5121
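Added example, not part of the answers above or of the Charles documentation: a network security configuration for an app you control, showing the Android 7+ trust behaviour and the pinning that the answers describe. The file name, the host `api.example.com`, the expiration date and the pin values are placeholders chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example). Referenced from the
     application element of AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Release behaviour for apps targeting Android 7+ (API 24+): only the
         system CA store is trusted, so a user-installed proxy root such as
         the Charles root certificate fails validation. Written out here
         explicitly; it matches the platform default trust anchors. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pinning for one host (hypothetical domain, placeholder pins). A
         connection is accepted only if a certificate in the chain has a
         public key whose SHA-256 hash matches one of these values, so a
         proxy-generated certificate is refused even if its root is trusted. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2099-01-01">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_HASH_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_HASH_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Applied only when the build has android:debuggable="true". User-store
         CAs are trusted in addition to the above, and inside debug-overrides
         overridePins defaults to true, so the pins are not enforced for
         chains ending in these CAs. Release builds are unaffected. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Keeping the user-store trust inside `debug-overrides` rather than `base-config` means the shipped build never accepts a user-installed root, which is the property to check when reviewing an app's configuration.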

Trying to monitor HTTPs traffic from an Android App using HoneyProxy, figure out the certificates.

I am on a Windows PC and would like to monitor HTTPs traffic from my Android phone from a particular app. I installed Honeyproxy and set a proxy address on my android device using Proxy Settings app. I am able to see the GET traffic of my phone. Next, to get the HTTPS traffic, I installed the user trusted certificates as described here: http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones_.26_Tablets
I can confirm that I can see both certificates (root and class3) in the "user trusted certificates" list in Settings > Security. Next I ran HoneyProxy expecting to see the HTTPS traffic this time, but there is none.
Further, no HTTPs link from the device opens (I get a certificate untrusted). What is the step I am missing? Do let me know your thoughts!

Using Fiddler2 HTTP request inspector with an Android device

For a project I'm working on, I need to inspect the HTTP requests sent and received from my Android device. I'm using this tool Fiddler2 to monitor the traffic. In order to get it working I had to pass the traffic through a proxy. Now my phone is a Huawei U8180. It runs Android 2.2 so it doesn't have a direct way to set proxy settings. I used this app called Proxy Settings to gain access to set the proxy settings.
It almost works. I can see the traffic if, say, I navigate to a website using the proxy web browser in that app (the app comes with a proxy browser), but not using my phone's normal browser. Nor can I see any HTTP requests sent by any of the apps installed on my device.
If anyone has any experience using Fiddler2 with Android, I'd really appreciate your input. I'm open to trying any other alternatives to accomplish this if you've got any.
Thanks.
Typically, Android users will use a tool like iptables to capture traffic from apps that don't support a proxy setting. This has some implications for HTTPS decryption; see the Fiddler Discussion Group (Help > Fiddler Community) for discussion of how to adjust Fiddler's HTTPS settings to accommodate iptables-redirected HTTPS connections.

How to sniff HTTPS traffic from Android emulator to remote server?

I want to monitor HTTPS traffic from my application to a remote server. I am trying to follow these instructions and it works for HTTP (without the s), but not for HTTPS.
What is wrong? Should I write some custom code in my application to use an HTTPS proxy?
The easiest way to do this is to use CharlesProxy to proxy your device or emulator traffic for you. The only extra step you need to do is to install the CharlesProxy SSL certificate on your device/emulator, which is very straightforward:
Download the certificate from Charles Proxy (it's in their help menu) and place it on your device, then install via security settings on your device.
You then configure your device's or emulator's network connection to use a manual proxy and set it to the Charles Proxy address and port. Enable SSL proxying and your SSL connections will be securely routed end-to-end via Charles and Charles will be able to show you the content of requests and responses in the clear.
I'm using Wireshark for sniffing; it allows you to monitor and filter raw data. But because you are using HTTPS and all transactions are encrypted, I suppose it can't help you. Maybe you can switch from HTTPS to HTTP for debugging, and later, when everything works fine, change the protocol back to HTTPS.
Do you mean you can't see the traffic at all or do you get it encrypted? Is this a web application or native application? which Android version are you using? phone or emulator?
Normally, if you set up the proxy properly, you will get the traffic, but encrypted so you can't read it. In order to see the actual content in Fiddler you would need your device to trust Fiddler's root certificate (used to create fake certificates on the fly). See this:
http://www.fiddler2.com/fiddler/help/httpsdecryption.asp
Unfortunately, I have not found a way to add root certificates to an Android device other than rooting it and replacing the certificate store (like this)
HTTPS means HTTP Secure, so it obviously can't be sniffed so easily. What would be the point if it were the same insecure thing as normal HTTP?
You have to learn a bit more about secure network communications. Or, long story short, at least you will have to learn how to use a specially devised HTTP proxy like Charles http://www.charlesproxy.com/documentation/welcome/ so you will be able to monitor your own HTTPS traffic in clear form.
