Posted January 26, 2016 I'm trying to sniff all traffic coming from my Android phone (rooted), especially HTTPS, but I haven't found a way yet. I assume the APK I'm primarily interested in uses certificate pinning. Can anyone recommend a solution or provide some tips? Thanks in advance.
January 26, 2016 Hey, have you tried Burp Proxy? This is considered the most reliable solution. (Pro Version is out there somewhere) https://support.portswigger.net/customer/portal/articles/1841101-configuring-an-android-device-to-work-with-burp It's also possible to bypass certificate pinning using "TrustKiller" or "SSLUnpinning": https://github.com/iSECPartners/Android-SSL-TrustKiller https://github.com/ac-pm/SSLUnpinning_Xposed Or you could decompile the specific app and patch the certificate pinning function in it, sign it and upload it to your device. (Not recommended :-) )
January 27, 2016 I use Burp Proxy, it's very very easy and quick to set up. Takes less than 5 minutes. I use it for iPhone and Android.
January 27, 2016 You can test these APKs. I made something similar in the past and use it: http://www.appbrain.com/app/shark-for-root/lv.n3o.shark http://www.kismetwireless.net/android-pcap/ There are a lot of alternative sniffer apps if you want to do it directly on your smartphone, or set up your PC as a wireless access point, then run Wireshark on the PC. Here for example: http://lifehacker.com/5369381/turn-your-windows-7-pc-into-a-wireless-hotspot Hope it helps.
January 27, 2016 Author 22 hours ago, Zulu said: Hey, have you tried Burp Proxy? This is considered the most reliable solution. (Pro Version is out there somewhere) https://support.portswigger.net/customer/portal/articles/1841101-configuring-an-android-device-to-work-with-burp It's also possible to bypass certificate pinning using "TrustKiller" or "SSLUnpinning": https://github.com/iSECPartners/Android-SSL-TrustKiller https://github.com/ac-pm/SSLUnpinning_Xposed Or you could decompile the specific app and patch the certificate pinning function in it, sign it and upload it to your device. (Not recommended :-) ) I tried Burp Suite, however I'm not able to see any app traffic besides I installed the cert. Probably due to the fact that the Wi-Fi proxy only works for the browser, so I tried to redirect the traffic using ProxyDroid, but not successful. On HTTP it just goes through, with HTTPS mode it doesn't connect. I assume because of the untrusted cert. Was that correct so far? Now I only need to find a way to install Xposed on my SM-G900F, any tips for deodexing a stock ROM without wiping any data? Edited January 27, 2016 by li0nsar3c00l
February 27, 2016 Currently I use Fiddler2 and it works perfectly. Ref: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForAndroid
February 27, 2016 Author The problem occurred due to certificate pinning. In general Fiddler or Burp works fine.
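An added, educational example (not from any poster in this thread) of the check that makes an intercepting proxy fail even after its CA has been installed on the device: a pinning app hashes the server's SubjectPublicKeyInfo and compares it with a pinned value, so the proxy's forged leaf, which chains to a trusted CA but carries a different key, is rejected. The DER certificates here are constructed in-script for the demo, not real certificates, and the parser is a minimal stdlib-only reader, not any library's API.

```python
import base64
import hashlib

def der(tag, content):
    """Encode one DER TLV. Contents stay below 256 bytes in this demo."""
    assert len(content) < 0x100
    length = bytes([len(content)]) if len(content) < 0x80 else b"\x81" + bytes([len(content)])
    return bytes([tag]) + length + content

def read_tlv(buf, pos):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def spki_pin(cert_der):
    """'sha256/<base64>' of the leaf's SubjectPublicKeyInfo (HPKP/OkHttp style pin)."""
    _, cert, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)             # tbsCertificate ::= SEQUENCE
    pos, fields = 0, []
    while len(fields) < 6 and pos < len(tbs): # serial, sigAlg, issuer, validity, subject, spki
        tag, _, end = read_tlv(tbs, pos)
        if tag == 0xA0 and not fields:        # optional [0] EXPLICIT version, skip it
            pos = end
            continue
        fields.append(tbs[pos:end])           # keep the element's full TLV bytes
        pos = end
    return "sha256/" + base64.b64encode(hashlib.sha256(fields[5]).digest()).decode()

def pin_matches(cert_der, pinned_pins):
    """The extra check a pinning app runs after normal chain validation has passed."""
    return spki_pin(cert_der) in pinned_pins

def fake_cert(key_bytes, name):
    """Structurally valid but unsigned DER certificate built from constructed data."""
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
    spki = der(0x30, der(0x30, rsa_oid) + der(0x03, b"\x00" + key_bytes))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, rsa_oid)
           + der(0x30, name) + der(0x30, b"") + der(0x30, name) + spki)
    return der(0x30, der(0x30, tbs) + der(0x30, rsa_oid) + der(0x03, b"\x00"))

if __name__ == "__main__":
    app_pins = {spki_pin(fake_cert(b"A" * 64, b"app-backend"))}   # pin shipped in the app
    print(pin_matches(fake_cert(b"A" * 64, b"app-backend"), app_pins))  # True: real server key
    print(pin_matches(fake_cert(b"B" * 64, b"app-backend"), app_pins))  # False: proxy's own key
```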
June 23, 2016 You can disable certificate pinning if your phone is rooted. I believe it was called SSL Trust Killer.
June 23, 2016 If it is something you are trying to intercept on an Android phone, you could try and run an emulator in a virtual machine and intercept from outside it maybe? Memu is a nice emulator, although there are more... then run Wireshark on the host of the virtual machine... (or debug what's going through the emulator... it has to be decrypted / encrypted somewhere) Edited June 23, 2016 by Nemo
June 23, 2016 Exactly as Nemo suggested, using an emulator for intercepting SSL traffic may prove helpful. I have had success by installing the Burp cert in the root CA store within the emulator. For intercepting traffic some tutorials suggest setting a manual proxy. This may not work as not all apps respect the proxy settings. A better option is to use the -http-proxy command line arg while launching the emulator. For instance, if Burp is running on port 8080, you can use the following command: emulator -avd <avd name> -http-proxy 127.0.0.1:8080 Additionally, in newer versions of Android (Lollipop and above) you can use a reverse proxy. To intercept SSL traffic on port 443 you can do: adb reverse tcp:443 tcp:8080 Lastly, since SSL works in a different way compared to normal HTTP traffic, you may only see the IP addresses and not the hostnames in your interception proxy. This is particularly true in older versions of Burp. To work around this problem you can rewrite the DNS requests before they reach Burp. A tutorial on this method is available on this blog post.
June 30, 2016 For real-time capturing from real devices use rpcapd on a Tomato based router. http://www.linksysinfo.org/index.php?threads/using-wireshark-with-tomato.34269/
August 17, 2016 If you use a Mac, you might want to have a look at Debookee for network traffic analysis of your devices (it does not decrypt HTTPS yet, but this might be supported later). If you want to view all HTTP/HTTPS traffic and modify any data sent/received, I can recommend Charles Web Debugging Proxy. Edited August 17, 2016 by Alain