Inspecting application traffic for fun and profit

Running HTTP Toolkit to intercept an application download from Play Store 


DISCLAIMER: this post has been made for academic and learning purposes; no harm or disclosure is intended, as all this information is already in the public domain


Hi there 👋

It's been a while since I posted something that I consider useful for others, so this might be the right time to do it


Recently I started inspecting all my mobile apps again for the sake of curiosity and "safety", as many mobile apps we tend to install with the tap of a button might contain some unwanted tracking features

In this small technical guide I will walk through how to inspect Android application traffic with little to no effort (this excludes some particular applications that we may cover in future posts - a.k.a. certificate-pinned applications)

This guide will work for most standard applications. For more secure ones, as stated above, it won't work because they require more effort (by secure apps I mean banking apps, authentication apps, etc.)

Let's get our hands dirty. To proceed, start by downloading the following tools/software:

1) Android Studio (with Android Virtual Device)

2) HTTP Toolkit

3) rootAVD


In my specific case I tested these tools on a Windows desktop


Let's go deep step by step:

1) Install Android Studio and, as soon as the installation is complete, create an AVD so we can emulate a clean Android installation that behaves like a real "phone" on our desktop


To create an AVD, open Android Studio and go to More Actions > Virtual Device Manager



From there you can go on Create Device > Phone > Pixel 4 (Play Store) > Tiramisu (Android 13.0 Google Play)

After you click Next and Finish, it will take some time to download the image depending on your connection (images have different sizes, 1-2G+)

I specifically chose the version with GApps installed in order to be able to install other applications from the Play Store

Now to start your AVD just press the "play" button inside the Device Manager


2) Now that you have your device ready to go, install HTTP Toolkit. It should be a straightforward installer, and after that your software should be ready

Open HTTP Toolkit and press Android Device via ADB

With this function your recently created AVD will be attached via the ADB console; follow the manual steps required to add certificates on the AVD and enable VPN permissions




Now you are required to set a screen lock PIN; for the sake of speed, set a PIN with 4 digits (but remember it, as it will be required to log in and save certificates)


Now go to More Security settings > Encryption & Credentials > Install a Certificate > Wi-Fi Certificate and select the HTTP Toolkit certificate file


Do the same for Install a Certificate > CA Certificate


Now if you exit from the settings with your AVD you will see this:

This is correct, as we still need an extra step to get system-wide interception

3) If you haven't done so yet, download the rootAVD git repository, then execute the following commands in the extracted repository:

rootAVD.bat ListAllAVDs
rootAVD.bat EnvFixTask
rootAVD.bat InstallApps
REM this env set command might be required
set PATH=%LOCALAPPDATA%\Android\Sdk\platform-tools;%PATH%
rootAVD.bat %LOCALAPPDATA%\Android\Sdk\system-images\android-31\google_apis_playstore\x86_64\ramdisk.img

These commands can vary based on the Android image, which changes the directory path. The command

rootAVD.bat ListAllAVDs

will help you find the correct path. If you still have doubts, there is more information inside the git repo, along with this small gif explaining the steps
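Because the ramdisk.img path has to match the image your AVD actually boots (Tiramisu is API level 33, so its directory is android-33 rather than the android-31 shown above), here is an added example, not part of the original post or of rootAVD, that reads the `image.sysdir.1` entry from an AVD's config.ini and resolves the matching ramdisk.img. The AVD name and directory tree in `demo()` are constructed for illustration.

```python
import tempfile
from pathlib import Path, PureWindowsPath


def avd_ramdisk(avd_name, avd_home, sdk_root):
    """Return the ramdisk.img of the system image that the named AVD boots from.

    avd_home is usually %USERPROFILE%\\.android\\avd on Windows,
    sdk_root is usually %LOCALAPPDATA%\\Android\\Sdk.
    """
    config = Path(avd_home) / f"{avd_name}.avd" / "config.ini"
    sysdir = None
    for line in config.read_text(encoding="utf-8").splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "image.sysdir.1":
            sysdir = value.strip()
    if sysdir is None:
        raise ValueError(f"no image.sysdir.1 entry in {config}")
    # The value is relative to the SDK root and uses backslashes on Windows;
    # PureWindowsPath splits on both separators and drops the trailing one.
    ramdisk = Path(sdk_root).joinpath(*PureWindowsPath(sysdir).parts, "ramdisk.img")
    if not ramdisk.is_file():
        raise FileNotFoundError(ramdisk)
    return ramdisk


def demo():
    """Build a constructed SDK/AVD layout in a temp dir and resolve its ramdisk."""
    root = Path(tempfile.mkdtemp())
    image = root / "Sdk" / "system-images" / "android-33" / "google_apis_playstore" / "x86_64"
    image.mkdir(parents=True)
    (image / "ramdisk.img").write_bytes(b"")
    avd = root / "avd" / "Pixel_4_API_33.avd"  # constructed AVD name
    avd.mkdir(parents=True)
    (avd / "config.ini").write_text(
        "hw.device.name=pixel_4\n"
        "image.sysdir.1=system-images\\android-33\\google_apis_playstore\\x86_64\\\n",
        encoding="utf-8",
    )
    return avd_ramdisk("Pixel_4_API_33", root / "avd", root / "Sdk")


if __name__ == "__main__":
    # The printed path is the argument to pass to rootAVD.bat
    print("rootAVD.bat", demo())
```
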

 The output of the last command should end with something like this:





Now if you open your AVD you should see this in the HTTP Toolkit page (if it doesn't appear, close HTTP Toolkit, reopen it, then press Android Device via ADB again):




Now you are good to go to intercept your virtual phone's applications. Below we will go through an example


Exercise: download an application from the Play Store and start it while HTTP Toolkit is intercepting

E.g. in this case I downloaded the "Reddit is fun" application, which is a viewer for Reddit

As you can see, after opening the application and refreshing a tab you will see on the right all the HTTPS calls made by it to the Reddit APIs
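To turn a capture like this into a list of who the app talks to, the added example below (not part of the original post) summarises a HAR file per host and marks hosts outside the app's own domains. It assumes the intercepted session has been exported as a HAR file; the sample entries, host names and first-party list are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed HAR sample (HAR 1.2 layout: log.entries[].request / .response)
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.app.example/v1/feed", "bodySize": 0},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://api.app.example/v1/vote", "bodySize": 48},
     "response": {"status": 204}},
    {"request": {"method": "POST", "url": "https://metrics.tracker.example/collect", "bodySize": 912},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://metrics.tracker.example/collect", "bodySize": 1024},
     "response": {"status": 200}},
]}})


def is_first_party(host, suffixes):
    """True if host equals a first-party domain or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def summarise(har_text, first_party):
    """Group captured requests by host: count, bytes uploaded, first/third party."""
    hosts = defaultdict(lambda: {"requests": 0, "uploaded": 0})
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        hosts[host]["requests"] += 1
        # HAR uses bodySize = -1 when the size is unknown; count that as 0
        hosts[host]["uploaded"] += max(req.get("bodySize", 0), 0)
    return {h: dict(s, third_party=not is_first_party(h, first_party))
            for h, s in hosts.items()}


def third_party_hosts(summary):
    """Third-party hosts with their uploaded bytes, largest upload first."""
    rows = [(h, s["uploaded"]) for h, s in summary.items() if s["third_party"]]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for host, info in summarise(SAMPLE_HAR, ["app.example"]).items():
        print(host, info)
```
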

Below you can find some notes to future me on what I already tried:

- Using mitmproxy works like HTTP Toolkit but is much "harder" to set up with many Android emulators

- Emulators I tested that were not so easy to set up are RD Player, BlueStacks and Android VMs on VirtualBox, as they do not always expose ADB directly

- In case the certificates are not installed easily, root the AVD and then install them via a certificate installer from the Play Store

- Certificate-pinned applications such as Twitter (and some other social media), banking and other secure apps require extra steps to override the pinned certificate and let the application use the system CA