How To Setup Application Network Traffic Monitoring using MITMProxy, Objection & Frida

Rudranil Maity
2 min read · Nov 22, 2023


As described in my previous blog (https://medium.com/@rudranilmaity01/network-traffic-analysis-of-android-apps-using-mitmproxy-and-frida-afb69afc389f), this write-up is an addition to that post, containing the steps needed to replicate the analysis process I performed.

Tools used:

  1. MITM Proxy (Version 10.1.3): https://www.mitmproxy.org/downloads/#10.1.3/
  2. frida-server-16.1.4-android-x86 (Version 16.1.4): https://github.com/frida/frida/releases
  3. frida-gadget-16.1.4-android-x86.so (Version 16.1.4): https://github.com/frida/frida/releases

Frida Gadget is not necessary when analyzing system apps, but for analyzing third-party apps on rooted/jailbroken devices, using Frida Gadget is compulsory. As I was using an Android emulator in a rooted state, it was necessary here.

On the host machine:

  1. Install Frida tools using pip (I used Git Bash for this command): $ pip install frida-tools
  2. Push Frida server to the device (Windows PowerShell): adb push frida-server-16.1.4-android-x86 /data/local/tmp
  3. Push Frida gadget to the device (Windows PowerShell): adb push frida-gadget-16.1.4-android-x86.so /data/local/tmp

The installation and initialization of Frida are now done inside the ADB shell.

4. Spawning the shell (Windows PowerShell): adb shell

5. Inside adb shell: # cd /data/local/tmp/

After that I used the “ls” command to check the files. Then, for ease of use, I renamed “frida-server-16.1.4-android-x86” to “server” and “frida-gadget-16.1.4-android-x86.so” to “gadget” using the “mv” command. Then I changed the permissions of both files to full read, write and execute access.

6. Inside adb shell: # chmod 777 server

7. Inside adb shell: # chmod 777 gadget

8. Inside adb shell: # nohup ./server &

9. Inside adb shell: # nohup ./gadget &

Commands (8) and (9) run the Frida server and gadget through nohup so that they do not receive the hang-up (HUP) signal when the shell session ends. The trailing “&” runs them in the background, which allowed me to keep using the adb shell. Then I launched mitmproxy’s web interface with the command “$ mitmweb” in the Git Bash terminal. Before that, I set the emulator’s proxy to my machine’s IP address and port 8080, so that all of the emulator’s network traffic went through that IP and port and could be traced. I also closed all other apps on my system that might add unrelated traffic to the capture. Then I started the analysis in another PowerShell tab.

10. Checking running processes in the emulator (Windows PowerShell): frida-ps -U -a

This lists all applications running on the device with their application name, PID and package name.

11. Interacting with the app using objection (Windows PowerShell): # objection -g <package name> explore

12. Disabling SSL pinning (inside the objection shell): # android sslpinning disable

This is necessary to trace the application’s network traffic, because third-party apps use SSL pinning to harden their HTTPS connections, primarily to prevent MITM (man-in-the-middle) attacks; with pinning in place, the app would reject the proxy’s certificate and the connection would never be captured. After this step, mitmproxy should capture all the network traffic generated by the application.
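Once mitmproxy is receiving the app’s traffic, it helps to triage the flows automatically instead of reading each one in the web UI. The addon below is an added example, not code from the original post: it is loaded with “mitmweb -s app_summary.py” (the file name, the credential-header list and the secret query-key list are assumptions) and prints one JSON line per completed flow, flagging cleartext HTTP requests and secrets carried in URL query strings.

```python
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Header names treated as credential-bearing (assumption; extend as needed).
CREDENTIAL_HEADERS = ("authorization", "cookie", "x-api-key")
# Query keys that should never carry secrets in a URL (assumption).
SECRET_QUERY_KEYS = {"token", "access_token", "password", "apikey", "api_key"}

def summarize(method: str, url: str, headers: dict, status: Optional[int]) -> dict:
    """Summarise one request/response pair and flag cleartext transport and
    secrets in the query string (URLs end up in logs, proxies and Referer headers)."""
    parts = urlsplit(url)
    lowered = {k.lower(): v for k, v in headers.items()}
    query_keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return {
        "method": method.upper(),
        "host": parts.hostname or "",
        "path": parts.path or "/",
        "status": status,
        "cleartext": parts.scheme.lower() == "http",
        "credentials": sorted(h for h in CREDENTIAL_HEADERS if h in lowered),
        "secret_in_url": sorted(query_keys & SECRET_QUERY_KEYS),
    }

def findings(summary: dict) -> list:
    """Human-readable findings derived from summarize()."""
    out = []
    if summary["cleartext"]:
        out.append("cleartext HTTP request")
    if summary["secret_in_url"]:
        out.append("secret-like query parameter(s): " + ", ".join(summary["secret_in_url"]))
    if summary["cleartext"] and summary["credentials"]:
        out.append("credential header(s) over cleartext: " + ", ".join(summary["credentials"]))
    return out

class AppSummary:
    """mitmproxy addon: one JSON line per completed flow, plus its findings."""
    def response(self, flow) -> None:  # called by mitmproxy for every HTTP response
        req = flow.request
        s = summarize(req.method, req.pretty_url, dict(req.headers), flow.response.status_code)
        s["findings"] = findings(s)
        print(json.dumps(s))

addons = [AppSummary()]  # mitmproxy picks the addon up from this list

if __name__ == "__main__":  # offline demo on a constructed request (no proxy needed)
    demo = summarize("GET", "http://api.example.test/v1/me?access_token=abc",
                     {"Authorization": "Bearer x"}, 200)
    print(json.dumps({**demo, "findings": findings(demo)}, indent=2))
```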
