Debug Android SSL Traffic with Charles Proxy
Ever wonder how does the app get the data from? what is the API are they using to get the information? for instance where to get the bus arrival information if there is no official API ?
Here is the step by step instruction on how to debug SSL traffic for the existing Android app. Our app victim is NUS Buses app
Tools
You need to install the following tools in your machine. I am using Windows 10 laptop for this purpose.
- ADB (Android Debug Bridge)
https://developer.android.com/studio/command-line/adb.html - apktool
https://ibotpeaches.github.io/Apktool/ - Java (1.8 recommended)
http://www.oracle.com/technetwork/java/index.html - SignApk
https://github.com/techexpertize/SignApk
Get the installed apk from your Android device
Install the NUS Buses app on your Android device. Once you installed, connect your Android device to your laptop.
Open the command prompt and type command to get the path to the package
adb shell pm list packages -f nus
Pull the package and save it to your folder:
adb pull /data/app/bazingaa.nusbuses-1/base.apk
And check if the base.apk is in your local folder.
Decompile, rebuild and install .apk
In these steps, we need to decompile the apk from the previous step, modify the AndroidManifest.xml to ensure Android trusts the certificate and rebuild & install the modified apk to your Android device.
apktool d -f base.apk
Once you have successfully decompiled the apk, go to the output folder (../base) and open AndroidManifest.xml. Let’s open and modify this file.
We need to add this line under application tag
android:networkSecurityConfig=”@xml/network_security_config” android:debuggable="true"
The modified AndroidManifest.xml would be like this:
We also need to add network_security_config.xml under ../res/xml folder.
Rebuild the apk:
apktool b base
If there is no error, you will get the base.apk under ../base/dist folder.
Let’s uninstall the original app from Android device:
adb uninstall bazingaa.nusbuses
We need to install the modified apk (base.apk) and sign it. All Android applications have to be signed. I am using SignApk tool in this case:
java -jar signapk.jar certificate.pem key.pk8 base.apk base-signed.apk
It will generate base-signed.apk.
Let’s install base-signed.apk to Android device:
adb install base-signed.apk
Click Install to continue. Once it is successfully installed, open the app and check if there is no error.
Configure Charles Proxy
Open Charles Proxy app and go to Proxy > Proxy Setting. Indicate port 8888 and click OK. Note down the IP address of your machine (for my case is 192.168.0.114).
Configure Android Device
Go to Settings > Connections > WiFi and long press the connected WiFi and click Manage network settings.
Enter the proxy host name with your IP address of your machine and proxy port is 8888. Click Save.
Install Charles Root Certificate
Open the browser on Android device and go to URL:
chls.pro/ssl
Debug the App
Open the NUS Buses app and click on one of the pick up point. Now go back to your Charles Proxy app and you will see it is getting request from “comfortdelgro.com.sg”.
Under tab Notes, you will get the message “SSL Proxying not enabled for this host: enable in Proxy Settings, SSL locations”.
Enable Charles SSL Proxy Setting
Go to Proxy > SSL Proxying Settings and add host *.comfortdelgro.com.sg. Click OK.
Run the NUS Buses app again, and now you will get the host query “https://nextbus.comfortdelgro.com.sg/eventservice.svc/Shuttleservice?busstopname=AS7”
And with the response feedback in JSON format.
That’s all. I have been using this method to analyze the traffic information for other apps like SMRTConnect and so some debugging.
Hope you enjoy and until next time.