Debug Android SSL Traffic with Charles Proxy

Ferry Djaja
4 min readFeb 9, 2018

--

Ever wonder how does the app get the data from? what is the API are they using to get the information? for instance where to get the bus arrival information if there is no official API ?

Here is the step by step instruction on how to debug SSL traffic for the existing Android app. Our app victim is NUS Buses app

NUS Buses

Tools

You need to install the following tools in your machine. I am using Windows 10 laptop for this purpose.

  1. ADB (Android Debug Bridge)
    https://developer.android.com/studio/command-line/adb.html
  2. apktool
    https://ibotpeaches.github.io/Apktool/
  3. Java (1.8 recommended)
    http://www.oracle.com/technetwork/java/index.html
  4. SignApk
    https://github.com/techexpertize/SignApk

Get the installed apk from your Android device

Install the NUS Buses app on your Android device. Once you installed, connect your Android device to your laptop.

Open the command prompt and type command to get the path to the package

adb shell pm list packages -f nus 

Pull the package and save it to your folder:

adb pull /data/app/bazingaa.nusbuses-1/base.apk

And check if the base.apk is in your local folder.

Pull the apk from Android device

Decompile, rebuild and install .apk

In these steps, we need to decompile the apk from the previous step, modify the AndroidManifest.xml to ensure Android trusts the certificate and rebuild & install the modified apk to your Android device.

apktool d -f base.apk
Decompile apk

Once you have successfully decompiled the apk, go to the output folder (../base) and open AndroidManifest.xml. Let’s open and modify this file.

AndroidManifest.xml location

We need to add this line under application tag

android:networkSecurityConfig=”@xml/network_security_config” android:debuggable="true"

The modified AndroidManifest.xml would be like this:

Modified AndroidManifest.xml

We also need to add network_security_config.xml under ../res/xml folder.

Location of network_security_config.xml
network_security_config.xml

Rebuild the apk:

apktool b base 
Rebuild the apk

If there is no error, you will get the base.apk under ../base/dist folder.

base.apk

Let’s uninstall the original app from Android device:

adb uninstall bazingaa.nusbuses
Uninstall the original app

We need to install the modified apk (base.apk) and sign it. All Android applications have to be signed. I am using SignApk tool in this case:

java -jar signapk.jar certificate.pem key.pk8 base.apk base-signed.apk

It will generate base-signed.apk.

Let’s install base-signed.apk to Android device:

adb install base-signed.apk

Click Install to continue. Once it is successfully installed, open the app and check if there is no error.

Install base-signed.apk

Configure Charles Proxy

Open Charles Proxy app and go to Proxy > Proxy Setting. Indicate port 8888 and click OK. Note down the IP address of your machine (for my case is 192.168.0.114).

Specify port

Configure Android Device

Go to Settings > Connections > WiFi and long press the connected WiFi and click Manage network settings.

Enter the proxy host name with your IP address of your machine and proxy port is 8888. Click Save.

Install Charles Root Certificate

Open the browser on Android device and go to URL:

chls.pro/ssl
Install Charles root certificate

Debug the App

Open the NUS Buses app and click on one of the pick up point. Now go back to your Charles Proxy app and you will see it is getting request from “comfortdelgro.com.sg”.

Under tab Notes, you will get the message “SSL Proxying not enabled for this host: enable in Proxy Settings, SSL locations”.

Enable Charles SSL Proxy Setting

Go to Proxy > SSL Proxying Settings and add host *.comfortdelgro.com.sg. Click OK.

Run the NUS Buses app again, and now you will get the host query “https://nextbus.comfortdelgro.com.sg/eventservice.svc/Shuttleservice?busstopname=AS7

And with the response feedback in JSON format.

That’s all. I have been using this method to analyze the traffic information for other apps like SMRTConnect and so some debugging.

Hope you enjoy and until next time.

--

--