├── Lab-pt.txt
├── README.md
├── _config.yml
├── imgs
│   ├── AVD1-wifi-edit.png
│   ├── AVD2-wifi-advanced.png
│   ├── AVD3-wifi-proxy-manual.png
│   ├── AVD4-wifi-proxy-config.png
│   ├── AVD_httptoolkit.png
│   ├── AVD_trusted_ca.png
│   ├── httptoolkit-chrome.png
│   ├── httptoolkit-view.png
│   ├── httptoolkit.png
│   ├── packetcapture1.png
│   ├── packetcapture2.png
│   ├── ssl-pinning-demo-all-green.png
│   ├── ssl-pinning-demo-green.png
│   ├── ssl-pinning-demo-greenv2.png
│   └── ssl-pinning-demo-red.png
└── temp.md

--------------------------------------------------------------------------------
/Lab-pt.txt:
--------------------------------------------------------------------------------
#1
Check which CPU architecture is supported by the app you are analysing in the AFD2 project:
- if it is multi-platform (arm64-v8a, armeabi-v7a, x86, x86_64, ...) and supports Intel (x86) instructions, use the APK you already have together with Android 10;
- if it is arm-specific (arm64-v8a, armeabi-v7a, ...), check whether a version for Intel CPUs exists; if there is an x86 version, download it and install it on Android 10;
- if there is no x86-specific version, you will have to use the version compiled for arm, but with **Android 9**.
  This version has an arm -> x86 translation system (Android 11 also has this mechanism, but at the moment Frida does not work on that version).


#2
Install and configure Fiddler to intercept the emulator's connections:
- test the Internet connection with Chrome on Android
- open the app under analysis and check whether it works:
  - if it works normally, the app does **not** use the "Certificate Pinning" technique
  - if it does not work, the app **uses** the "Certificate Pinning" technique and you must carry out step #3


#3
(only for apps with Certificate Pinning)

If the app under analysis uses "Certificate Pinning":
- install and configure Frida
- run the commands needed to enable Frida on the app under study
- test the app again:
  - if it works, Frida was able to bypass the Certificate Pinning mechanism
  - if it does not work, the app uses an advanced Certificate Pinning system and at the moment it is not possible to intercept that app's traffic

#4
Interact with the app and check the traffic it generates:
- which server address(es) did the app connect to?
- what kind of information was sent to those servers?

---

Rest of the class: project support (in my case they took the whole class to get to point 4)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Tutorial: Android Network Traffic Interception
How to intercept network traffic on Android

| Version | 2023.03.31 |
| :-: | :-- |
| ![by-nc-sa](https://i.creativecommons.org/l/by-nc-sa/4.0/88x31.png) | This work is licensed under a [Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-nc-sa/4.0/) |

## Table of Contents

- [Requirements](#requirements)
- [Methods](#methods)
- [Http Toolkit](#http-toolkit)
- [Bypass Certificate Pinning](#bypass-certificate-pinning)
  - [Install Frida on the PC](#install-frida-on-the-pc)
  - [Install Frida on Android](#install-frida-on-android)
  - [Intercept network traffic from APPS with certificate pinning](#intercept-network-traffic-from-apps-with-certificate-pinning)
- [Exercises](#exercises)
  - [Exercise 1](#exercise-1)
  - [Exercise 2 (Optional)](#exercise-2-optional)
- [Recommended reading](#recommended-reading)

## Requirements

In order to follow this tutorial you need to use one of these Android devices:

- Android Virtual Device (AVD) -- see one of these tutorials: [Android Studio Emulator - GUI](https://labcif-tutorials.github.io/AndroidStudioEmulator-GUIconfig/), or [Android Studio Emulator - command line](https://labcif-tutorials.github.io/AndroidStudioEmulator-cmdConfig/) to learn how to set up an AVD;
  - Android 11 (API version 30) was used for this tutorial
- or a physical smartphone with Android rooted.
  Rooting an Android device is beyond the scope of this tutorial, but you can read this [webpage](https://magiskmanager.com/) to learn more about it.
- Python 3.x
  - Linux: already installed in most Linux distributions
  - Windows: download from [python.org](https://www.python.org/downloads/windows/)

> ***NOTE***
>
> The Android emulator uses the `x86`, or `x86_64` CPU instruction set. However, some APPs are compiled only for the `arm`, or `arm64` CPU architectures.
> If the APP you are analysing does not provide a version for `x86`, or `x86_64`, you need to use **Android 9**, or **Android 11** on the emulator, because these versions include a translation mechanism from `arm` instructions to `x86`.

## Methods

To intercept the network traffic of an Android device we need a proxy. The proxy acts as a Man-in-the-middle between the Android device and the servers it connects to. There are several ways to accomplish network traffic interception:

- using a proxy on a computer, like [mitmproxy](https://mitmproxy.org/), or [PolarProxy](https://www.netresec.com/?page=PolarProxy);
- using a fake VPN on Android to act like a proxy, like [Packet Capture](https://www.apkmirror.com/?s=packet+capture), or [HTTP Toolkit](https://httptoolkit.tech/).

**Using a proxy on a computer** -- this method is a bit more complex to set up, but it is the one that generally gives more flexibility to analyse the captured traffic. The main disadvantage is that all Android traffic is routed through the proxy, so it is harder to find the packets related to the app we want to study.

**Using a fake VPN on Android** -- this is the simplest way to intercept traffic, and it allows choosing just one app to be redirected and captured. On one hand, no root permission is required; on the other hand, it might require extra steps to download the captured packets to a computer.

## Http Toolkit

For this tutorial we are going to use HTTP Toolkit, which sets up a fake VPN service. Download [HTTP Toolkit](https://httptoolkit.tech/) (it's available for Linux, MacOS and Windows) and then install it on your computer.

Start the Android Virtual Device (AVD) and open the HTTP Toolkit software. On the main window you'll see several options; select `Android Device via ADB`:

![](imgs/httptoolkit.png)

When the option `Android Device via ADB` is selected, several things happen behind the scenes:

- the app `tech.httptoolkit.android.v1` is installed on the AVD
- the `HTTP Toolkit CA` digital certificate is added to the `Trusted credentials`:

  ![](imgs/AVD_trusted_ca.png)

- a fake VPN service is started on the AVD:

  ![](imgs/AVD_httptoolkit.png)

By default, HTTP Toolkit will intercept the network traffic from **ALL** apps and services installed on the AVD. However, we are going to analyse just one app, so let's change the HTTP Toolkit configuration on the AVD:

- click the button `All APPS`
- on the 3 vertical dots menu choose `Disable all apps`
- again on the 3 vertical dots menu, choose `Show system`
- now, on the search bar type `chrome` and enable the capture:

![](imgs/httptoolkit-chrome.png)

To generate some traffic, open the Chrome browser on the AVD, type `AFD2` (or something else) on the address bar and press Enter. This will make a query to Google search, and HTTP Toolkit on the computer will show the captured network packets:

![](imgs/httptoolkit-view.png)

However, you might not be able to access any website due to the Certificate Pinning protection. Keep reading to learn how to bypass it.

> ***NOTE***
>
> HTTP Toolkit is an open source project hosted on [https://github.com/httptoolkit/httptoolkit](https://github.com/httptoolkit/httptoolkit).
> However, some features are reserved for paying customers, namely the ability to save the captures into a file. This can be overcome by copying/pasting the packet contents. Alternatively, you can use `mitmproxy`, but the setup process is more complex.

## Bypass Certificate Pinning

After the proxy is enabled and the digital certificates are properly configured, some APPS might still not work. That happens because they are able to detect that the digital certificate we are using is not the one they expect. This technique is called [certificate pinning](https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning). Certificate pinning is an extra step to protect SSL/TLS network traffic from Man-in-the-middle attacks, which is exactly what we are trying to perform.

In order to bypass certificate pinning we need to dynamically change the app's behaviour while it runs. We can use [Frida](https://frida.re/), an open source dynamic instrumentation toolkit, to bypass some certificate pinning security mechanisms.

### Install Frida on the PC

To [install Frida](https://frida.re/docs/installation/) we need to have the latest Python 3.x.
Let's install the latest `frida` version, which is presently 16.0.11.

> ***NOTE***
>
> In case you wish to have more than one version of `frida-tools` on the same computer,
> create a Python virtual environment first:
>
> ```Console
> > pip install virtualenv
> > virtualenv frida14
> > source frida14/bin/activate
> ```

Install `frida-tools` (the binaries are in [Frida's GitHub releases](https://github.com/frida/frida/releases)):

```Console
> pip install frida-tools
> frida --version
16.0.11
```

It is useful to add the `frida-tools` directory to the `PATH` environment variable:

- on Windows go to: `Control Panel > System > Advanced System Settings > Environment Variables`. Then add the folder in which the Frida scripts are installed: `C:\Users\<username>\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Scripts\` (adapt it to your Python version)
- on Linux do:
```Console
user@linux:~$ export PATH="$PATH:$HOME/.local/bin"
```

### Install Frida on Android

To install Frida on Android, the device must be rooted first. For this tutorial we are going to use an Android Virtual Device (AVD) running Android 11 (API version 30).

> ***NOTE***
>
> Make sure `frida` already supports the Android version you're using.

Download from the [Frida's GitHub releases](https://github.com/frida/frida/releases) page the `frida-server` that **matches both**:

- the CPU architecture of your Android device. If you are not sure, check it by doing `adb shell` followed by `uname -m`;
- and the `frida` (client) version running on the desktop. If you are not sure, check it by doing `frida --version`.

Then uncompress it with [**7zip**](https://www.7-zip.org/download.html), or on the Linux command line:

```Console
user@linux:~$ unxz frida-server-16.0.11-android-x86_64.xz
```

> ***NOTE***
>
> Be aware that your emulator might be `x86` (32 bits) instead of the `x86_64` (64 bits) used in this tutorial.
>
> If you are using a physical Android device, the CPU architecture could be `armv8l`;
> in that case you should download the `arm64` version of `frida-server`.

Now, make sure your Android device is connected, copy `frida-server` to your device and run it as root, as shown here:

```Console
> adb devices
List of devices attached
emulator-5554   device
> adb push ./frida-server-16.0.11-android-x86_64 /sdcard/Download/
./frida-server-16.0.11-android-x86_64/: 1 file pushed. 99.8 MB/s (41358640 bytes in 0.395s)
> adb shell
generic_x86_64_arm64:/ $ su
generic_x86_64_arm64:/ # cd /data/local/tmp
generic_x86_64_arm64:/data/local/tmp # cp /sdcard/Download/frida-server-16.0.11-android-x86_64 .
generic_x86_64_arm64:/data/local/tmp # chmod +x frida-server-16.0.11-android-x86_64
generic_x86_64_arm64:/data/local/tmp # ./frida-server-16.0.11-android-x86_64 &
[1] 6268
```

Open a new terminal and test if Frida is running:

```Console
> frida-ps -Uai
 PID  Name          Identifier
----  ------------  ---------------------------------------
1614  Google        com.google.android.googlequicksearchbox
5405  HTTP Toolkit  tech.httptoolkit.android.v1
2605  Messages      com.google.android.apps.messaging
4230  Phone         com.android.dialer
3037  Photos        com.google.android.apps.photos
4493  Settings      com.android.settings
4698  YouTube       com.google.android.youtube
...
```

> ***NOTE***
>
> If you need to terminate `frida-server` do (replace `8888` with the actual PID):
>
> ```Console
> > adb shell
> generic_x86_64_arm64:/ $ su
> generic_x86_64_arm64:/ # ps -e | grep frida-server
> root   8888   5811   10874320 119644 do_sys_poll  0 S frida-server-16.0.11-android-x86_64
> generic_x86_64_arm64:/ # kill -9 8888
> ```

### Intercept network traffic from APPS with certificate pinning

Download the latest version of [pinning-demo.apk](https://github.com/httptoolkit/android-ssl-pinning-demo/releases/), presently v1.3.0. This app has several buttons, each with a different implementation of a certificate pinning mechanism. Install it on the Android emulator:

```Console
> adb install pinning-demo.apk
Performing Streamed Install
Success
```

With `HTTP Toolkit` still running, open the `SSL Pinning Demo` app and press all the buttons:

![](imgs/ssl-pinning-demo-red.png)

You'll see 5 of the 6 buttons in red, because the app was able to detect a digital certificate different from the one it was expecting. Now, let's use `frida` to bypass the `SSL Pinning Demo` certificate pinning.

1. The first step is to identify the package name:
```Console
user@linux:~$ frida-ps -aiU | grep pinning
6491  SSL Pinning Demo  tech.httptoolkit.pinning_demo
```

2. Then apply the `javascript` that bypasses certificate pinning with Frida.
On the computer run:

```Console
> frida -U --codeshare akabe1/frida-multiple-unpinning -f <package-name>
```

For the `SSL Pinning Demo` app:

```Console
> frida -U --codeshare akabe1/frida-multiple-unpinning -f tech.httptoolkit.pinning_demo
     ____
    / _  |   Frida 16.0.11 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `tech.httptoolkit.pinning_demo`. Resuming main thread!
[Android Emulator 5554::tech.httptoolkit.pinning_demo ]->
======
[#] Android Bypass for various Certificate Pinning methods [#]
======
[-] OkHTTPv3 {2} pinner not found
...
```

3. Now press all the buttons again. If everything is working as expected, you should now get 5 (of 6) green buttons:

![](imgs/ssl-pinning-demo-greenv2.png)


> ***NOTE***
>
> Frida is able to bypass certificate pinning in many Android apps, **but not all of them**.
> For example, TikTok is known to have implemented some techniques against Frida and other similar tools.
>
> If the certificate pinning bypass is not working for your mobile app, try:
>
> - an older version of the app itself,
> - or an older version of Android,
> - or both an older version of the app and an older version of Android.


### Injecting our code

At this point, the "Manually Pinned Request" button is still red because the app developer hard-coded the hash value of the server's digital certificate. However, we can create and inject our own code into the app to change its behaviour.
To this end, we need to know its source code, which is available [here](https://github.com/httptoolkit/android-ssl-pinning-demo/blob/main/app/src/main/java/tech/httptoolkit/pinning_demo/MainActivity.kt).

On line `32` we have the hash value of the *Let's Encrypt* digital certificate (as the `doesCertMatchPin()` code below shows, it is a SHA-256 digest of the certificate's public key). Let's Encrypt is the CA that signed the digital certificate of the website to which the app connects:

```kotlin
const val LETS_ENCRYPT_ROOT_SHA256 = "NgJeUutmfGsIONh0XaovCA5VJ05uv2gCb27pUOpTPxU="
```


On line `221` we have the function responsible for the manual certificate pinning:

```kotlin
fun sendManuallyCustomPinned(view: View) {
```

Then, on line `242` we have a call to compare the hash values of the digital certificates:
```kotlin
if (!certs.any { cert -> doesCertMatchPin(LETS_ENCRYPT_ROOT_SHA256, cert) }) {
```

The code of the `doesCertMatchPin()` function is:
```kotlin
private fun doesCertMatchPin(pin: String, cert: Certificate): Boolean {
    val certHash = cert.publicKey.encoded.toByteString().sha256()
    return certHash == pin.decodeBase64()
}
```

We aim to change the function `doesCertMatchPin()` so that it always returns `true`. This way, we can get the last button green while still being able to intercept the network connection.

First create the file `manual.js`, then copy/paste the following JavaScript code:

```javascript
Java.perform(function() {
    Java.use("tech.httptoolkit.pinning_demo.MainActivity").doesCertMatchPin.implementation = function(s, t) {
        console.log("Manual pinning surpassed " + s + t);
        return true;
    };
});
```

Explanation of the code:

- `tech.httptoolkit.pinning_demo` is the name of the app
- `MainActivity` is the name of the activity where our function is executed
- `doesCertMatchPin.implementation` replaces the code of the function `doesCertMatchPin` with this code:
```javascript
function(s, t) {
    console.log("Manual pinning surpassed " + s + t);
    return true;
}
```
- `s, t` are the input variables, in this case `LETS_ENCRYPT_ROOT_SHA256, cert`
- `console.log(...)` prints to the Frida console
- `return true;` always returns true


Now, let's inject our code into the app by adding `-l manual.js` to the `frida` command:

```Bash
frida -U --codeshare akabe1/frida-multiple-unpinning -l manual.js -f tech.httptoolkit.pinning_demo
```

This should be the result:

![](imgs/ssl-pinning-demo-all-green.png)


## Exercises

### Exercise 1

1. apply the `frida` script to the Google Chrome browser
2. access `https://ead.ipleiria.pt`
   - then, on the login page type:
     - for the username: `Asdrubal`
     - for the password: `loves AFD2!!`
3. go to the HTTP Toolkit interface on your computer and find the packet that contains the username and password.

### Exercise 2 (Optional)

Execute the following tutorials:

- [Solving OWASP UnCrackable Android App Level 1 with Runtime Mobile Security (RMS)](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
- [Solving OWASP MSTG UnCrackable App for Android Level 1](https://nibarius.github.io/learning-frida/2020/05/16/uncrackable1)
- [Solving OWASP MSTG UnCrackable App for Android Level 2](https://nibarius.github.io/learning-frida/2020/05/23/uncrackable2)
- [Solving OWASP MSTG UnCrackable App for Android Level 3](https://nibarius.github.io/learning-frida/2020/06/05/uncrackable3)


## Recommended reading

- [Intercepting Android Emulator TLS traffic with magisk](https://infosecwriteups.com/intercepting-android-emulator-ssl-traffic-with-burp-using-magisk-bc948dca68f9)
  - this tutorial teaches how to root an Android emulator in order to install any CA digital certificate as `system trusted`, which is required on Android 11
- [Introduction to the Mobile Security Testing Guide](https://mobile-security.gitbook.io/mobile-security-testing-guide/overview/0x03-overview)

--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
theme: jekyll-theme-cayman
--------------------------------------------------------------------------------
/temp.md:
--------------------------------------------------------------------------------

## Digital Certificates

To intercept TLS traffic we need to tell our device to trust the proxy's digital certificate.
Packet Capture's built-in feature to install the digital certificate does not always work.
So, we're going to create one with `openssl`:

```console
user@linux:~$ openssl req -x509 -newkey rsa:4096 -keyout key-private.pem -out key-public.pem -days 3650
user@linux:~$ openssl pkcs12 -export -out keyBundle.p12 -inkey key-private.pem -in key-public.pem -name "alias"
```

> ***NOTE***
>
> When asked to provide an export password don't leave it empty, because some devices don't import `p12` files without a password. Choose whatever password you want, like `1234`.

Now copy the `keyBundle.p12` file to your device:

```console
user@linux:~$ adb push keyBundle.p12 /sdcard/Download
keyBundle.p12: 1 file pushed. 0.3 MB/s (4208 bytes in 0.012s)
```

Now install the CA digital certificate on your device.
The menu path to do it is not the same on all devices:

- AVD (API30): Settings -> Security -> Advanced -> Encryption & Credentials -> Install a certificate -> VPN & app user certificate -> Select file
- Samsung: Settings -> Biometrics and security -> Other security settings -> Install from device storage -> Select file


## Configuration -- Using a fake VPN on Android

Open Packet Capture, then go to `settings -> Certificate` and select `keyBundle.p12`.


## Configuration -- Using a proxy on a computer (optional)

Another option is to use `mitmproxy`, but in order to do that

### On the computer

Install [PolarProxy](https://www.netresec.com/?page=PolarProxy) and Wireshark on the computer. Then run the proxy this way:


```Console
user@linux:~$ ./PolarProxy --certhttp 8088 --httpconnect 8866 -w - | wireshark -k -i -
<6>Starting PolarProxy 0.9.0.0
<6>[8080] HTTP CONNECT proxy listening on: 0.0.0.0:8080
...
```

On a browser type `localhost:8088` to download PolarProxy's digital certificate. Then install it as explained above. The next section describes the Android configuration to use a proxy.

### On the Android device

In case you want to try the proxy on a computer, your Android device must have the proxy enabled. Here's a summary (for step-by-step instructions [read this tutorial](https://docs.telerik.com/fiddler-everywhere/get-started/mobile-traffic/configure-android#configure-android-device)):

![Edit Wifi](imgs/AVD1-wifi-edit.png)

![Advanced settings](imgs/AVD2-wifi-advanced.png)

![Manual proxy](imgs/AVD3-wifi-proxy-manual.png)

![Proxy settings](imgs/AVD4-wifi-proxy-config.png)

> ***NOTE 1***
>
> If you have a firewall running on your computer make sure you allow traffic to the proxy, _especially if you are using a physical Android device_.

> ***NOTE 2***
>
> If you are using a physical Android device, after you configure the proxy the device may display a message similar to "Connected, but without Internet connection" and also show a `!` next to the Wifi symbol.
> To remove this message and the `!` do:
>
> ```Console
> user@linux:AFD2$ adb shell
> a40:/ $ su
> a40:/ # settings put global captive_portal_detection_enabled 0
> ```

Now run `frida` as shown previously and you should start to see packets in Wireshark.
--------------------------------------------------------------------------------