vvra

Reputation: 2912

Debugging HTTPS from Android emulator

I have an Android (4.2) app that uses HTTPS to talk to the web service. I want to debug/log every HTTPS request that goes out. I have Fiddler and Wireshark to debug them, but everything looks encrypted. Can a man-in-the-middle attack be set up with the emulator and Fiddler/Wireshark to decode and display the HTTP URL and its params?

Upvotes: 6

Views: 6310

Answers (4)

Aniket Thakur

Reputation: 68915

Yes, you can just use Fiddler to do so. You need to enable the "Decrypt HTTPS traffic" option in Tools -> Options. Fiddler provides a CA cert for SSL communication. All you have to do is install the same on your Android device. You can get the cert by going to the following URL from the browser:

http://machinesIPAddress:8888/FiddlerRoot.cer

where machinesIPAddress is the address of the machine where Fiddler is running. After installing, you can see the same under

Settings -> Security -> Trusted Credentials -> User Tab

I have listed down the entire procedure with screenshots. Hope that helps -

Intercepting Android network calls using Fiddler Web Proxy

Upvotes: 0

Ben G

Reputation: 26771

The easiest option I've found is using mitmproxy. Simple steps laid out here:

Upvotes: 1

andr

Reputation: 16054

I once had that very same need.

A good explanation can be found here: https://security.stackexchange.com/questions/8145/does-https-prevent-man-in-the-middle-attacks-by-proxy-server

Turns out some companies do that especially in case of mobile browsers (Opera, Nokia) - to save bandwidth they pass all the traffic through their own proxy server and compress it. What is interesting is that they also work with HTTPS-enabled sites. They install their (somewhat fake) certificate in your local trusted store and the proxy returns the compressed response signed with that fake certificate for the browser to not complain against a potential attack.

I haven't found any tool that would help in creating such a proxy, so in the end (since I was in control of the webservice and the server it was running on) I enabled pure HTTP during development. That probably saved me hours of work ;)

Upvotes: 0

Nikolay Elenkov

Reputation: 52936

You can use a MITM proxy, such as Burp. Once you install the CA certificate as trusted on the device/emulator, you will be able to decrypt SSL traffic.

Also, if you have the server private key (i.e., it is your own server), you can decrypt traffic intercepted with Wireshark if you really need low-level info.

Upvotes: 2
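
Decrypting a Wireshark capture with the server's private key, as the answer above mentions, only works when the session negotiated plain RSA key exchange; with (EC)DHE suites and TLS 1.3 the session keys are not derivable from that key, and a MITM proxy with a trusted CA is needed instead. The following is an added example, not part of the original answer: it sorts negotiated cipher suite names by which approach applies. The function names, the prefix set and the sample list are assumptions made for illustration.

```python
import re

# TLS 1.3 suite names (TLS_AES_..., TLS_CHACHA20_...) carry no key-exchange
# field; TLS 1.3 always uses ephemeral (EC)DHE.
_TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")

# OpenSSL-style prefixes that mean "not plain RSA key exchange". Plain RSA
# suites have no prefix in OpenSSL naming (e.g. AES128-SHA), so a leading
# "RSA-" only occurs in RSA-PSK suites. Illustrative set, not exhaustive.
_OPENSSL_NON_RSA = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH",
                    "PSK", "SRP", "RSA"}


def key_exchange(suite: str) -> str:
    """Return the key-exchange label of an IANA- or OpenSSL-style suite name."""
    name = suite.strip().upper()
    if _TLS13.match(name):
        return "TLS1.3"
    if name.startswith("TLS_"):
        # IANA form: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>
        kx, sep, _ = name[4:].partition("_WITH_")
        return kx if sep else "UNKNOWN"
    first = name.split("-", 1)[0]
    if first in _OPENSSL_NON_RSA:
        return "RSA_PSK" if first == "RSA" else first
    return "RSA"


def decryptable_with_server_key(suite: str) -> bool:
    """True only for plain RSA key exchange, where the client encrypts the
    pre-master secret to the server's public key."""
    return key_exchange(suite) == "RSA"


def triage(suites):
    """Split negotiated suites into those a server-key capture can decrypt
    and those that need the MITM-proxy approach instead."""
    result = {"server_key": [], "needs_proxy": []}
    for s in suites:
        key = "server_key" if decryptable_with_server_key(s) else "needs_proxy"
        result[key].append(s)
    return result


# Constructed sample: suite names as they might be read from ServerHello records.
SAMPLE = ["TLS_RSA_WITH_AES_128_CBC_SHA", "ECDHE-RSA-AES128-GCM-SHA256",
          "AES256-SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
          "TLS_AES_128_GCM_SHA256"]
```

Calling `triage(SAMPLE)` places only the two plain-RSA suites under `server_key`; everything else lands under `needs_proxy`.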
