Inspecting applications traffic for fun and profit
Running HTTP Toolkit to intercept an application download from Play Store
DISCLAIMER: this post has been made for academic and learning purposes; no harm or disclosure is intended, as all of this information is already in the public domain
Hi there 👋
It's been a while since I posted something I'd consider useful for others, so this might be the right time to do it
Recently I started inspecting all my mobile apps again, out of curiosity and for "safety", as many of the mobile apps we install with a tap of a button may contain unwanted tracking features
In this small technical guide I will walk through how to inspect the traffic of Android applications with little to no effort (this excludes some particular applications that we may cover in future posts, a.k.a. certificate-pinned applications)
For most standard applications this guide will work; for the more secure ones, as stated above, it won't, since they require more effort (by secure apps I mean banking apps, authentication apps, etc.)
Let's get our hands dirty. To proceed, check the following requirements and start by downloading the following tools/software:
1) Android Studio (with Android Virtual Device)
2) HTTP Toolkit
3) rootAVD
In my specific case I tested those tools on a Windows desktop
Let's go deep step by step:
1) Install Android Studio, and as soon as the installation is complete create an AVD so we can emulate a clean Android installation that behaves like a real "phone" on our desktop
To create an AVD, open Android Studio and go to More Actions > Virtual Device Manager
From there go to Create Device > Phone > Pixel 4 (Play Store) > Tiramisu (Android 13.0 Google Play)
After you click Next and Finish it will take a while to download the image, depending on your connection (images vary in size, 1-2 GB+)
I specifically chose the version with GApps installed in order to be able to install other applications from the Play Store
Now to start your AVD just press the "play" button inside the Device Manager
2) Now that your device is ready, install HTTP Toolkit; it should be a straightforward installer, and after that the software is ready to go
Open HTTP Toolkit and press Android Device via ADB
With this function your recently created AVD will be attached via ADB; follow the manual steps required to add the certificates on the AVD and grant the VPN permission
You are now required to set a screen lock PIN; for the sake of speed set a 4-digit PIN (but remember it, as it will be required to log in and to save the certificates)
Now go to More security settings > Encryption & credentials > Install a certificate > Wi-Fi certificate and select the HTTP Toolkit certificate file
Do the same for Install a certificate > CA certificate
Now if you exit from the settings on your AVD you will see this:
This is expected: the CA is only in the user store at this point, and apps targeting Android 7 or later ignore user-added CAs by default, so we still need an extra step to get system-wide interception
3) Download the rootAVD git repository if you haven't already, then execute the following commands inside the extracted repository:
rootAVD.bat
rootAVD.bat ListAllAVDs
rootAVD.bat EnvFixTask
rootAVD.bat InstallApps
rem this PATH change might be required so that rootAVD.bat can find adb
set PATH=%LOCALAPPDATA%\Android\Sdk\platform-tools;%PATH%
rootAVD.bat %LOCALAPPDATA%\Android\Sdk\system-images\android-31\google_apis_playstore\x86_64\ramdisk.img
Those commands can vary based on the Android image, which changes the directory path; note that the path above points at an API 31 (Android 12) image, while the Tiramisu image created in step 1 lives under android-33. The command
rootAVD.bat ListAllAVDs
will print the correct path for your image; if you still have doubts there is more information in the git repo README.md, and also this small gif explaining the steps
The output of the last command should end with something like this:
Now if you open your AVD you should see this in the HTTP Toolkit page (if it doesn't appear, close HTTP Toolkit, reopen it and press Android Device via ADB again):
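A quick way to confirm that the rooting step actually did its job is to check that the CA landed in the system trust store rather than only in the user store. Android names system CA files after OpenSSL's old subject hash (the value printed by openssl x509 -subject_hash_old) with a ".0" suffix, so the script below computes that hash from the CA's DER subject and then asks the AVD over adb whether /system/etc/security/cacerts/<hash>.0 exists. This is an added example written for this post, not code from HTTP Toolkit or rootAVD; it assumes adb is on PATH and one device is attached, and the "HTTP Toolkit CA" common name used in the offline stand-in certificate is an assumption rather than something taken from the real CA file.

```python
"""Check whether a CA certificate (e.g. the HTTP Toolkit CA you exported) is
present in the Android *system* trust store of the running AVD.

Android keys system CA files by OpenSSL's old subject hash
(openssl x509 -subject_hash_old) plus a ".0" suffix, so we compute that hash
from the DER subject and look for /system/etc/security/cacerts/<hash>.0 over
adb. Standard library only; the small DER walker just locates the subject.
"""
import hashlib
import ssl
import subprocess
import sys

SYSTEM_CA_DIR = "/system/etc/security/cacerts"


def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def x509_subject_der(cert_der):
    """Slice the DER-encoded subject Name out of an X.509 certificate."""
    _, pos, _ = der_tlv(cert_der, 0)        # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _ = der_tlv(cert_der, pos)      # tbsCertificate ::= SEQUENCE { ... }
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version (absent in v1 certs)
        pos = end
    for _ in range(4):                      # skip serialNumber, signature, issuer, validity
        _, _, pos = der_tlv(cert_der, pos)
    _, _, end = der_tlv(cert_der, pos)      # subject ::= Name
    return cert_der[pos:end]


def subject_hash_old(subject_der):
    """OpenSSL X509_NAME_hash_old: first 4 MD5 bytes of the DER subject, little-endian."""
    md = hashlib.md5(subject_der).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


def system_ca_path(cert_pem):
    """Path the CA would have if it were installed in the system store."""
    der = ssl.PEM_cert_to_DER_cert(cert_pem)
    return "%s/%s.0" % (SYSTEM_CA_DIR, subject_hash_old(x509_subject_der(der)))


def is_in_system_store(cert_pem, adb="adb"):
    """True if the attached device/AVD has the CA file under /system (needs adb on PATH)."""
    path = system_ca_path(cert_pem)
    r = subprocess.run([adb, "shell", "ls", path], capture_output=True, text=True)
    return r.returncode == 0 and path in r.stdout


# --- constructed stand-in certificate for offline use: dummy fields, no real signature ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    oid_cn = _tlv(0x06, bytes([0x55, 0x04, 0x03]))            # 2.5.4.3 commonName
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, oid_cn + _tlv(0x0C, cn.encode()))))


def stub_cert_der(subject_cn, v3=True):
    """Structurally valid X.509 DER with dummy contents; enough for the subject walker."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02")) if v3 else b""
    algo = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") * 2)
    spki = _tlv(0x30, algo + _tlv(0x03, b"\x00" * 200))       # padded so lengths go long-form
    tbs = _tlv(0x30, version + _tlv(0x02, b"\x01") + algo + _name("Stub Issuer")
               + validity + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + algo + _tlv(0x03, b"\x00" * 9))


def stub_cert_pem(subject_cn, v3=True):
    return ssl.DER_cert_to_PEM_cert(stub_cert_der(subject_cn, v3))


if __name__ == "__main__":
    # usage: python check_system_ca.py path\to\httptoolkit-ca.pem  (falls back to the stub CN)
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else stub_cert_pem("HTTP Toolkit CA")
    print("expected system store path:", system_ca_path(pem))
    print("present on device:", is_in_system_store(pem))
```

If the file is missing, the CA is only in the user store and Play Store apps will keep failing TLS with an unknown-issuer error even though the Settings screen shows the certificate as installed; that is exactly the gap the rootAVD step closes.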
Now you are good to go and intercept your virtual phone's applications; below we will do an example
Exercise: download an application from the Play Store and start it while HTTP Toolkit is intercepting
e.g. in this case I downloaded the Reddit is fun application, which is a viewer for Reddit
As you can see, after opening the application and refreshing a tab you will see on the right all the HTTPS calls it makes to the Reddit APIs
Below are some notes to future me on what I have already tried:
- Using mitmproxy works like HTTP Toolkit but is much "harder" to set up with many Android emulators
- Emulators tested but not so easy to set up: RD Player, BlueStacks and Android VMs on VirtualBox, as they do not always expose ADB directly
- In case certificates are not installed easily, root the AVD and then install them via a certificate installer from the Play Store
- Certificate-pinned applications such as Twitter (and some other social media), banking and secure apps require extra steps to override the pinned certificate and let the application use the system CA