Inspecting Android Traffic using Proxyman + apk-mitm
Hi everyone! I am still here to share some experience, thoughts, or opinions about technology in the software engineering field. In this article, I want to share my experience inspecting network requests from mobile applications, especially on the Android platform!
If we are talking about a web app, inspecting the network requests to the server is quite easy. In Chrome or Firefox, just open the developer tools and look at the Network tab. We can see the request details such as method, URL, headers and body, as well as the response.
But what if we want to do the same on a mobile device? A mobile browser has nothing similar to developer tools, and for a mobile application there is no such option at all.
The answer is that we can use a tool such as a proxy to help us capture the traffic between the device and the server. This method is called Man-In-The-Middle, because we put the proxy in the middle of the connection. For a clearer picture, see the diagram below.
There are a bunch of proxy tools, for example:
- Proxyman (https://proxyman.io)
- mitmproxy (https://mitmproxy.org)
- Charles (https://www.charlesproxy.com)
I personally will go with Proxyman, because I am a Mac user and it is GUI based. If you are more into CLI tools, you can try mitmproxy. Neither of them is your favourite? Then use another proxy that suits you; just google it. Here is a look at the proxies I mentioned.
After finishing the installation and running Proxyman, we get a listening port. Don't worry if the default port conflicts with an existing port on your system; we can easily change it to another one. Here is a picture of Proxyman running with its listening port.
Afterwards, the next step is the configuration on the Android phone. If we don't have an Android phone, we can use an emulator such as Genymotion (https://www.genymotion.com).
Make sure the phone and the proxy server are on the same network. Go to the Wi-Fi (SSID) settings, choose manual proxy and enter the proxy hostname and port as the proxy information.
Once the proxy is configured, we need to set up SSL on the Android phone. Because I am using Proxyman, we need to open the URL http://proxy.man/ssl and download the certificate. On a real Android phone, just open the certificate and follow the installation prompts. For the emulator the step is a little bit different: we need to install it from Settings -> Security -> Install from SD card.
Try to capture traffic by opening a website in the mobile browser. In this case, I am trying to capture the network requests for the Yahoo website. As we can see in the picture below, the traffic is captured; if we need to see the response, we need to click "Enable only this domain" and repeat the same request. See Pictures 4 & 5 for the details.
If capturing browser traffic doesn't cause any problems, how about a mobile application? Well, I tried with a simple currency information app, and as "Picture 6" shows, it still works!
Real Device Issue
The previous steps were conducted on Genymotion. What about using a real device? It is more comfortable to work on a real device than on an emulator. But the real device seems to have an issue with SSL Handshake Failed. Picture 7 shows how the requests turn red due to the error.
What can we do to solve the SSL Handshake Failed problem on a real device? One solution may be this tool called apk-mitm (https://github.com/shroudedcode/apk-mitm).
What is apk-mitm? From their official GitHub site:
A CLI application that automatically prepares Android APK files for HTTPS inspection
apk-mitm automates the entire process. All you have to do is give it an APK file and:
- decode the APK file using Apktool
- modify the app's AndroidManifest.xml to make it debuggable
- replace the app's Network Security Configuration to allow user-added certificates
- insert return-void opcodes to disable certificate pinning logic
- encode the patched APK file using Apktool
- sign the patched APK file using uber-apk-signer
As we can see from the description above, we need the raw APK. We can get it from APKPure or a similar site, or export it using SAI. Then we just need to run this installation and execution command, and the entire process will look like Picture 8.
$ npm install -g apk-mitm
$ npx apk-mitm <path-to-apk>
After the patched APK has been installed, try to open the application and look at the captured requests. Voilà! The requests from the patched APK have no SSL Handshake Failed issue!
Certificate Pinning Issue
Unfortunately, in my case I had an issue with an application that implemented Certificate Pinning. If it is your first time hearing about it, you can refer to the details here. Although apk-mitm says it has logic to disable Certificate Pinning, it doesn't work for me. The "SSL Handshake Failed" error still occurs in the Proxyman console.
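Both the real-device failure and the pinning failure come down to the app's Network Security Configuration, the file apk-mitm replaces: since Android 7 an app only trusts user-installed CAs (such as the Proxyman one) when that config says so, and a pin-set rejects the proxy's certificate even then. The audit below is an added example, not code from this article or from the apk-mitm project; it parses such a config and flags the weak shape apk-mitm leaves beside a hardened one (the host name and pin values are constructed placeholders).

```python
# Added example, not from the article or apk-mitm: audit the Android
# network_security_config.xml (the file apk-mitm rewrites) for trust weaknesses.
import xml.etree.ElementTree as ET

# Constructed sample in the shape apk-mitm leaves behind: every domain trusts
# user-installed CAs and no pin-set survives.
PATCHED_NSC = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample of a hardened config: user CAs only in debug builds,
# cleartext off, and pins on the API host (pin values are placeholders).
HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">PLACEHOLDER_BACKUP_PIN_BASE64=</pin>
      <pin digest="SHA-256">PLACEHOLDER_LEAF_PIN_BASE64=</pin>
    </pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

def audit_nsc(xml_text: str) -> dict:
    """Report user-CA trust in release builds, cleartext, and pinned domains
    (explicit anchors only; platform defaults are not modelled)."""
    root = ET.fromstring(xml_text)
    out = {"user_ca_in_release": False, "cleartext_permitted": False,
           "pinned_domains": []}
    for section in root:
        # <debug-overrides> only applies when android:debuggable is true.
        if section.tag == "debug-overrides":
            continue
        if section.get("cleartextTrafficPermitted") == "true":
            out["cleartext_permitted"] = True
        if any(c.get("src") == "user" for c in section.iter("certificates")):
            out["user_ca_in_release"] = True
        if section.tag == "domain-config" and section.find("pin-set") is not None:
            out["pinned_domains"] += [d.text for d in section.findall("domain")]
    return out
```

Running `audit_nsc` over an APK's decoded config is a quick release check that a proxy CA installed through Settings will not be trusted and that the pins meant to stop this kind of interception are still declared.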
The summary of this experiment can be listed in the points below:
- Proxyman works well for capturing both browser and application network requests on Android (Genymotion).
- Capturing application traffic on a real Android device needs extra treatment using apk-mitm.
- Proxyman works well for capturing both browser and application network requests on iOS (real device). I have not shared the iOS details because of the topic area, but I have tried it.
- An Android application that implements Certificate Pinning may fail with SSL Handshake Failed even when we are using the patched APK.
I hope this article is useful, and see you on another topic! Thank you!