How to sniff HTTPS traffic from Android emulator to remote server ? - android

I want to monitor HTTPS traffic from my application to remote server. I am trying to follow this instruction and it works for HTTP (without s), but not for HTTPS.
What is wrong? Should I write some custom code in my application to use https-proxy ?

The easiest way to do this is to use CharlesProxy to proxy your device or emulator traffic for you. The only extra step you need to do is to install the CharlesProxy SSL certificate on your device/emulator which is very straight forward:
Download the certificate from Charles Proxy (it's in their help menu) and place it on your device, then install via security settings on your device.
You then configure your device or emulators network connection to use a manual proxy and set it to the Charles Proxy address and port. Enable SSL proxying and your SSL connections will be securely routed end-to-end via Charles and Charles will be able to show you the content of requests and responses in the clear.

I'm using WireShark for sniffing, it allow you to monitor and filter raw data. But because you using https and all transactions encrypted i suppose it can't help you. May be you can switch from https to http for debug, and later when all will be works fine change protocol back to https

Do you mean you can't see the traffic at all or do you get it encrypted? Is this a web application or native application? which Android version are you using? phone or emulator?
Normally, if you set up the proxy properly, you will get the traffic, but encrypted so you can't read it. In order to see the actual content in Fiddler you would need your device to trust Fiddler's root certificate (used to create fake certificates on the fly). See this:
http://www.fiddler2.com/fiddler/help/httpsdecryption.asp
Unfortunately, I have not found a way to add root certificates to an android device other than
rooting it and replacing the certificate store (like this)

https means http secure, so it obviously can't be sniffed so easily. what would be the point if it would be the same unsecure thing as normal http?
you have to learn a bit more about secure network comunications. or, long story short, at least you will have to learn how to use a specilly devised http proxy like charles http://www.charlesproxy.com/documentation/welcome/ so you will be able to monitor you own https traffic in a clear form.

Related

How to inspect data sent to server from android app

Can we check which data is sent to the server from an android app just like we can check request headers, form data etc in chrome dev tools??
There are several tools that help with that problem:
https://github.com/facebook/stetho (Here you can actually use chrome dev tools)
https://github.com/jgilfelt/chuck
https://www.charlesproxy.com/
More info: https://proandroiddev.com/various-methods-to-debug-http-traffic-in-the-android-application-8685b9183418
As I understand you need to read HTTP communication from another app. You need to set up proxy server on your local computer and then redirect traffic through that proxy on your phone. I use Proxyman (https://proxyman.io/). But remember that there are some limitations. First of all you will need to create your local SSL certificate and add it to trusted store on your phone, also you will probably need Android below 7 because they added some security configs for apps which makes it harder to sniff. Next thing is that some apps may pin their SSL certificates and despite your custom cert is in trusted store app may reject connection.

how to monitor the traffic of an android

I have an android phone that I want to monitor the HTTP/https traffic using tools like CHARLES PROXY
but the phone not on the same network as the CHARLES PROXY host. is there a way to do that without using an external server?
There is no need for an external server. You need to route the traffic from your phone to the device where the intercepter is running. You could create a mitm setup with a tool like https://mitmproxy.org/. Btw you will need a routed phone, something like xposed-ProxyOn.. Then you can intercept app specific traffic. But if you try to intercept https traffic from apps they use certificate pinning you wont get a connection to the app server

Reverse Engineering Native Apps by Intercepting Network Traffic With Charles 4?

the older pre-3.10 versions of Charles allow users to install a root certificate on their phones to help apps to allow SSL connections but the newer version has removed this feature. I am not sure if this is the reason why I wasn't able to POST successfully to the native app server.
For example I will get messages like SSLHandshake: Remote host closed connection during handshake
I suspect the root certificate is for the app on my phone to accept SSL connections from the server, but not for me to POST messages to the server.
Anyways, is there a method for me to set up SSL connections to POST?
P.S. I have added the server's url in my SSL list, and also enabled "transparent HTTP proxy." (I noticed that is not HTTPS, so perhaps Charles doesn't have transparent HTTPS feature?)
Update: I tried using mitmproxy and it worked. It looks like installing cer file to the phone is the right way to go but I am wondering why Charles removed this feature. I also think I might have missed something in the documentation. Perhaps Charles did generate a cer file in my system for me to download to the phone. If so, where can I find this file?
Yeah, all you need to do is to click help on the menu bar and then select save SSL or install SSL on mobile device and then browse to the url it gives you on your mobile browser to download the certificate.

How to log HTTP and HTTPS traffic for mobile devices like Android and iOS?

I have the following setup:
Mobile Clients (Android and iOS) are communicating with 3 servers directly using HTTPS rest requests with json body.
I want to host a server in the middle and send all requests when the application is used in one of the non-PROD environments and log every request and response. In real time the developers or QAs to open a web page and see in real time every activity the application is doing.
Also: Apply some filters, for example only requests to a specific address, or everything but specific address. Apply delays and change the request/response body or status code - like in Fiddler.
In order to achieve this today I have to host Fiddler or Charles proxy and setup the computer as proxy server to every device.
What can you advise me to use?
You can host a Fiddler proxy on your server. Also in the Fiddler settings, don't forget to mark the 'Decrypt HTTPS' setting if you want to see the HTTPS traffic.
Fiddler will give you a certificate which you will need to install on mobile devices so that Fiddler can decrypt HTTPS connections.
Set your proxy in the Wifi settings.
Make sure that your app uses the proxy settings which are set in the Wifi Settings. I have seen some apps which ignore the proxy settings.
you can setup a wifi proxy server and ask all the the devices to connect through that wifi proxy server...Now you can monitor traffic on that proxy server...
On Linux server you can use squid to setup wifi proxy -http://computernetworkingnotes.com/network-administrations/squid-server.html
To setup wifi proxy on android device go to Go to Settings/Wi-Fi-> "Show advanced options"-> "Proxy settings" and choose "manual"

Using Fiddler2 HTTP request inspector with an Android device

For a project working I need to inspect the HTTP requests sent and received from my Android device. I'm using this tool Fiddler2 to monitor the traffic. In order to get it working I had to pass the traffic through a proxy. Now my phone is a Huawei U8180. Its runs Android 2.2 so it doesn't have a direct way to proxy settings. I used this app called Proxy Settings to gain access to set the proxy settings.
It almost works. I can see the traffic say, if I navigate to a website using the proxy web browser in that app (The app comes with a proxy browser). But not using my phone's normal browser. Neither I can see any HTTP requests sent by any of my apps installed in my device.
If anyone has any experience using Fiddler2 with Android, I'd really appreciate your input. I'm open to try any other alternatives to accomplish this if you got any.
Thanks.
Typically, Android users will use a tool like iptables to capture traffic from apps that don't support a proxy setting. This has some implications for HTTPS decryption; see the Fiddler Discussion Group (Help > Fiddler Community) for discussion of how to adjust Fiddler's HTTPS settings to accommodate iptables-redirected HTTPS connections.

Categories

Resources