Sunday, 23 September 2018

Capture HTTPS Traffic from Android Apps (7.0 and above!)


Howdy internet, today's post will detail the specifics of how to capture HTTPS traffic from Android apps using a program called Fiddler running on your PC. 

This may aid you in writing your own custom APIs, whatever-bots, or in simply inspecting how a particular application works by taking a look at the web requests it generates.

I've also made a video tutorial explaining the entire process if you're interested in that.



Part 1/2: Setting up Fiddler on PC

Fiddler is free to download, so go right ahead — https://www.telerik.com/fiddler
Once installed, open up Fiddler and go to File -> Enable Capture Traffic. Now, open up a browser and visit any random website to make sure that Fiddler is set up properly and that your requests are being captured.


If the requests corresponding to the website you visited have been captured like this, it means everything's working great so far.

Now, go to Tools -> Options -> Connections, and make sure 'Allow remote computers to connect' is checked. Also, note down the port number on which Fiddler is running.



Fire up a command prompt window and run the 'ipconfig' command and note down the IP address of your PC.


Once that is done, we're ready to get started with the Android section.


Part 2/2: Configuring Android to allow packet capture

First things first, make sure both your PC and Android device are on the same local network. On your Android device, go to Wi-Fi settings.

Now, long press on your access point name, and select Modify Network.

In the popup box, select Advanced options. You should now have the option to set up a proxy.

Set the Proxy to Manual. In the Proxy hostname field, enter the IP address of your PC (that you noted down earlier), and in the Proxy port field, enter the port number on which Fiddler is running, and hit Save.



Open up a web browser on your Android device and navigate to the following URL — ipv4.fiddler:8888



If it launches the "Fiddler Echo Service" page, it means the proxy was set up correctly. We now need to add Fiddler's root certificate to the Android device's trusted certificates list so that the device accepts the certificates Fiddler generates while decrypting HTTPS traffic. To do this, simply download the FiddlerRoot certificate from the bottom of the Echo Service page, and launch it. It will ask you if you want to add it to the list of trusted certificates, hit yes.

You should now be able to decrypt any HTTPS browser web requests, fantastic.
But you'll notice that if you try to capture traffic from any app, you get nothing on Fiddler. This is because from Android 7.0 (Nougat) onward, apps do not trust user-added CAs by default.
Hence, apps reject the certificates Fiddler presents, and their HTTPS connections fail instead of showing up in the capture.

Unfortunately, the only solution to this is to modify the apk itself. Fortunately, that's not a very difficult task.

First, go ahead and download your desired apk file on your PC. My preferred source is https://www.apkmirror.com/

Next, install APKTool on your PC using the instructions provided on the page.

Now, open up a command prompt window and navigate to the directory of your apk file and use the following command to decode the apk file into its corresponding resources.



Once decoded, open up the newly created directory and open the AndroidManifest.xml file with a text editor.
Locate the <application> tag, and add the following attribute:
android:networkSecurityConfig="@xml/network_security_config"

Save and exit. Now, navigate to the /res/xml directory and create a new file with the name network_security_config.xml and paste the following content in it.
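The two edits above, done by a script rather than by hand, as an added example that is not the post's own tooling; it also covers an app that already declares its own networkSecurityConfig, whose existing file must be merged by hand rather than replaced. It assumes an apktool output directory as its only argument; the config content is the standard one that trusts the system CAs plus user-installed ones, and the file name patch_nsc.py is hypothetical.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NSC_ATTR = "{%s}networkSecurityConfig" % ANDROID_NS
NSC_REF = "@xml/network_security_config"

# Keeps the system CAs and additionally trusts user-installed CAs such as
# FiddlerRoot. For the repackaged analysis copy only: it widens TLS trust.
NSC_XML = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

def patch_manifest(manifest: Path) -> str:
    """Add android:networkSecurityConfig to <application> and return the
    value now in the manifest. An existing reference is left untouched: that
    app ships its own config (maybe with pinning) that needs a manual merge."""
    ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix
    tree = ET.parse(manifest)
    app = tree.getroot().find("application")
    if app is None:
        raise ValueError("no <application> element in %s" % manifest)
    if app.get(NSC_ATTR) is None:
        app.set(NSC_ATTR, NSC_REF)
        tree.write(manifest, encoding="utf-8", xml_declaration=True)
    return app.get(NSC_ATTR)

def patch_decoded_apk(decoded_dir: Path) -> Path:
    """Apply both edits to an apktool output dir; return the config path."""
    ref = patch_manifest(decoded_dir / "AndroidManifest.xml")
    config = decoded_dir / "res" / "xml" / (ref.rsplit("/", 1)[-1] + ".xml")
    if ref != NSC_REF:  # do not clobber the app's own rules
        raise SystemExit('app already has %s: add <certificates src="user" /> '
                         "to its <trust-anchors> by hand" % config)
    config.parent.mkdir(parents=True, exist_ok=True)
    config.write_text(NSC_XML, encoding="utf-8")
    return config

if __name__ == "__main__":
    print(patch_decoded_apk(Path(sys.argv[1])))
```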

Go back to your command prompt window and build the new apk file using the following command:
apktool b directory_name -o newfilename.apk
This will create a new apk file that trusts user-added CAs. Transfer it onto your Android device, but don't bother trying to install it just yet. The apk needs to be signed before it can be installed.
Go ahead and install apk-signer from the Play Store: https://play.google.com/store/apps/details?id=com.haibison.apksigner



...and use it to sign your new apk file. You should now be able to install the app without any problems.

Now, launch the app on your Android device and take a look at Fiddler on your PC to see the captured requests!


Voilà! It's that simple. Make sure you remove the Fiddler certificate once you're done with the packet capture by going to Settings -> Security & lock screen -> Credential storage -> Trusted credentials -> User, and selecting the Fiddler certificate. Also be sure to change your Wi-Fi proxy settings for normal usage.

Goodluck and Godspeed lads,
~ Arcanecfg