Capture and analyze mobile traffic without Wi-Fi proxy.

MegatronKing
6 min read · Mar 5, 2024


Traffic analysis is an important part of mobile application development and debugging, whether for data mocking or malware analysis. The most common method is to set up a Wi-Fi proxy on the phone and route the traffic to the MITM server of a desktop app such as Charles or Fiddler.

But this is not efficient. Looking back at the whole procedure, we find the following pain points.

  • A Wi-Fi proxy can only be configured manually and needs to be changed back after debugging.
  • Some application frameworks or network libraries do not respect system proxies, such as Flutter.
  • When installing the root CA certificate, it is inconvenient to import the certificate to the mobile phone.
  • A Wi-Fi proxy is system-wide and cannot be applied to specific applications.

Therefore, I wrote this article to introduce you to a new mobile traffic analysis solution.

1. Preparation

We need to download an application called Reqable, a desktop and mobile application built with Flutter. This is a prerequisite. We work on a computer and a mobile phone at the same time, so Reqable must be installed on both. Its multi-platform support simplifies working across several devices.

1.1 Desktop App

After the installation is complete, launch the Reqable desktop application. Click the phone icon to open the QR code page.

Next, let’s configure the mobile app.

1.2 Mobile App

After installation, launch the Reqable mobile app. Select Collaboration Mode and scan the QR code on the desktop in the previous step.

In this step, Reqable will automatically synchronize the root CA certificate from the desktop to the mobile app. The Reqable mobile app will remember the IP address and port of the remote device (desktop) and will automatically connect the next time it is started. If the IP address and port of the remote device change, you can click the scan code icon in the drawer to scan again.

Note that although the CA certificate has been synchronized from the desktop to the mobile app, the most important step is still left: installing it on the device.

Next, we start installing the root certificate to the device, which is probably the most complicated step of the entire process. We cannot complete this step automatically and need to handle it manually according to the device conditions and usage scenarios.

Steps: Open Side Drawer -> Tap Certificate Management -> Install Root Certificate to Local Machine.

For iOS, follow the in-app prompts. Download the profile (description file), open the system settings to install it, and then enable trust.

For Android, it is much more troublesome. You need to install the certificate to the system directory or the user directory, depending on the device. I recommend installing the certificate into the system directory, but this requires a device that can be rooted. On an emulator this is easy to handle. On a physical device there is no good solution, and generally the certificate can only be installed to the user directory. If it is installed in the user directory, you need to write an additional XML network configuration file in your Android project so that your application trusts the certificates in the user directory. You can follow all the prompts in the Reqable mobile app.
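For the user-directory case above, the configuration file could look like the following. This is an added example, not a file taken from Reqable or from the original post. The file name network_security_config.xml is an assumption, and limiting the trust to debuggable builds through debug-overrides is a choice made here so that release builds keep ignoring user-installed CAs.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  res/xml/network_security_config.xml (file name is an assumption)

  Referenced from AndroidManifest.xml with:
    <application android:networkSecurityConfig="@xml/network_security_config" ...>

  Apps targeting Android 7.0 (API 24) or higher trust only the system CA
  store by default, so a root CA installed in the user store is ignored
  unless the app opts in as shown below.
-->
<network-security-config>

    <!--
      debug-overrides is applied only when the app is built with
      android:debuggable="true". The user store is added on top of the
      default system trust anchors, so the capture tool's root CA is
      accepted in debug builds and nowhere else.
    -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!--
      Broader alternative, shown for comparison only: placing the same
      trust anchor in base-config makes every build, release included,
      accept any CA the device owner or an attacker with device access
      has installed in the user store.

      <base-config>
          <trust-anchors>
              <certificates src="system" />
              <certificates src="user" />
          </trust-anchors>
      </base-config>
    -->

</network-security-config>
```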

The Reqable mobile app will automatically check the installation status of the certificate. If the installation is not successful, a red prompt will appear on the page: Certificate is not installed.

If you have completed this step, congratulations, the entire preparation process is over. 🍺🍺🍺

2. Capture Traffic

Before capturing traffic, we first select the remote device (named with IP:Port) in the mobile side drawer, and then tap the floating action button to start recording.

The Reqable mobile app will start the VPN service and forward the mobile traffic to the Reqable desktop. This is why it can capture traffic without a Wi-Fi proxy. On Android, you can also capture traffic for specific apps and ignore others.

The system will prompt you to configure and enable VPN permissions. Please click allow.

After the Reqable mobile app enters recording mode, the Reqable desktop will also automatically enter recording mode and wait for traffic to arrive.

When an HTTP request is processed, we can view and analyze it on the Reqable desktop. For example, use breakpoints, repeat, rewrites, scripts, etc.

For Android devices, Reqable also supports viewing application info on the desktop, although this requires some additional configuration.

After configuring the Magic Service, restart recording and you can see the application info of each request on the desktop. Isn’t this 🆒?

3. Mock API

Finally, let’s try some other features. I wrote a simple Android application, My Application, that embeds a WebView and loads the homepage of Reqable.

val web = findViewById<WebView>(R.id.webview)
web.webViewClient = WebViewClient()
val settings = web.settings
settings.javaScriptEnabled = true
web.loadUrl("https://reqable.com")

To remove the interference of other applications' traffic, I added my demo application to the allow list. This way, I capture only the traffic I need.

Next, start recording, and you will see that the Reqable desktop has captured the traffic of my demo app.

Now let’s assume a test scenario where we need to change the text ‘Reqable’ to ‘Awesome’. How to do this?

Just write one line of Python script!

response.body.replace('Reqable', 'Awesome')

Then, let’s reload the WebView to see the effect. We can see that all matching fields have been replaced by ‘Awesome’.

OK, everything is as expected. 🎉🎉🎉

The blog ends here, thanks for reading everyone, bye!
