Monitor network requests and responses in production-built Android app

Nabiel Omar Syarif
4 min read, Apr 26, 2024

How do mobile developers and QA engineers find out what is going wrong with their app when testing it on a real device? Or do you want to reverse engineer the backend an app talks to? Either way, this article is for you.

Mobile developers and QA engineers often run into bugs while testing their apps on real devices. The cause might be in the app itself, or in an external part such as a library or a network request.

Someone who wants to reverse engineer a mobile app will need to know which network requests the app makes, what the payloads and responses look like, and where the app obtains its information.

So, how can we do that?

One tool that might come to mind is an HTTP proxy. An HTTP proxy lets you inspect the requests that pass through it before forwarding them. I’m using mitmproxy for this. To start the proxy server, just run mitmweb: it launches a proxy server together with a web interface for monitoring the requests.

To use the HTTP proxy on an Android device, open the Wi-Fi settings and configure a manual proxy. Enter the IP address of your proxy server (your laptop) and 8080, the default port.

Android Wi-Fi manual proxy settings

The problem is that nowadays HTTPS is a must. If you use an HTTP proxy without HTTPS support, I can guarantee you can’t do much with it. Most HTTP proxy tools already come with HTTPS support, but that brings another problem: the proxy’s CA certificate is self-generated, so your Android device will not trust it.

To trust a custom CA certificate, go to Android Settings -> Security & privacy -> More security & privacy -> Encryption & credentials. The exact path may differ depending on your Android model and version. Once you find the encryption and credentials page, you will see an option to ‘Install a certificate’. Tap it, navigate to your custom certificate, and install it.

After you trust your HTTP proxy’s CA certificate, try again to inspect your network requests and monitor them in your HTTP proxy tool. Do you see something wrong? Check your terminal output. If it displays something like The client does not trust the proxy's certificate for API xxx.com in yellow (warning level), you need additional steps to get rid of that. Apps on Android 7.0 and above will likely produce this warning, because by default an Android app only trusts system-provided certificates, not the user-installed ones. See this link.

So, how do you make the app trust the user certificate (your mitmproxy CA)? Re-compile the Android app with an addition to its manifest that makes it trust user certificates.

First, you need Java and apktool to decompile the app. Run this command: apktool d path/to/apk -o output_dir

Open the decompiled app in your favorite editor, go to AndroidManifest.xml, and find the <application> tag.

Check whether the <application> tag has an android:networkSecurityConfig attribute. If it exists, open the config file it points to: a value of @xml/foo refers to the file res/xml/foo.xml in the decompiled directory. If it is missing, add it (for example android:networkSecurityConfig="@xml/network_security_config") and create the file res/xml/network_security_config.xml.

Paste the XML below into the file. It tells the app to trust the system CAs as well as user-installed certificates, and overridePins="true" lets a user-installed CA bypass any certificate pins declared in this config.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" overridePins="true" />
        </trust-anchors>
    </base-config>
</network-security-config>

Now rebuild the app by running apktool b path/to/decompiled (apktool build also works). By default, apktool writes the rebuilt apk to dist/<app_name>.apk inside the decompiled directory. After rebuilding, you have to sign the apk. I’m using uber-apk-signer (make sure you have Java installed). Run this command to sign your apk: java -jar uber-apk-signer.jar --apks path/to/apk. Then install the signed apk on your phone (uninstall the original first if it is still installed, since the re-signed apk uses a different signing key and will not install over it), open the app, and check your mitmproxy. Congrats, you should now be able to inspect the network traffic.
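The manifest and config edits from the steps above, automated as an added example (this is not the post’s tooling or apktool’s own API); it assumes app_dir is the directory that apktool d produced. It goes one step beyond the post: instead of replacing an existing config file, it edits every <trust-anchors> block in it, so <domain-config> entries that declare their own anchors are covered too and their other settings are kept.

```python
import os
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NSC_ATTR = "{%s}networkSecurityConfig" % ANDROID_NS
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on write


def _child(parent, tag):
    # find() returns None when absent; never test an Element for truthiness
    node = parent.find(tag)
    return node if node is not None else ET.SubElement(parent, tag)


def ensure_user_ca_trust(config_path):
    """Create or edit a network security config so every <trust-anchors>
    block trusts system and user CAs, with user CAs overriding declared pins."""
    if os.path.exists(config_path):
        tree = ET.parse(config_path)
    else:
        tree = ET.ElementTree(ET.Element("network-security-config"))
    root = tree.getroot()
    _child(_child(root, "base-config"), "trust-anchors")  # guarantee a base block
    for anchors in list(root.iter("trust-anchors")):
        for src in ("system", "user"):
            cert = anchors.find("certificates[@src='%s']" % src)
            if cert is None:
                cert = ET.SubElement(anchors, "certificates", src=src)
            if src == "user":
                cert.set("overridePins", "true")
    os.makedirs(os.path.dirname(config_path), exist_ok=True)
    tree.write(config_path, encoding="utf-8", xml_declaration=True)


def patch_decompiled_app(app_dir):
    """Point <application> at a config (adding the attribute if it is missing),
    patch that config, and return the config file's path."""
    manifest = os.path.join(app_dir, "AndroidManifest.xml")
    tree = ET.parse(manifest)
    app = tree.getroot().find("application")
    if app is None:
        raise ValueError("no <application> element in " + manifest)
    ref = app.get(NSC_ATTR)
    if ref is None:  # attribute missing: add it, pointing at a new resource
        ref = "@xml/network_security_config"
        app.set(NSC_ATTR, ref)
        tree.write(manifest, encoding="utf-8", xml_declaration=True)
    if not ref.startswith("@xml/"):
        raise ValueError("unexpected networkSecurityConfig value: " + ref)
    # @xml/foo is the resource file res/xml/foo.xml in the decompiled tree
    config_path = os.path.join(app_dir, "res", "xml", ref[len("@xml/"):] + ".xml")
    ensure_user_ca_trust(config_path)
    return config_path
```

Run it as patch_decompiled_app("output_dir") between the apktool d and apktool b steps.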


Nabiel Omar Syarif

A computer science student who loves programming and Linux