Playing with proxy on Android🛡

How to inspect all HTTP & HTTPS requests from any app?

Philippe BOISNEY
Nov 16, 2019 · 3 min read
Our living room, to explore HTTP requests in a cozy place.

When you’re developing an Android app, it’s sometimes necessary to exactly debugging what’s going on behind the scenes, especially for network requests (HTTP & HTTPS).

Some powerful debugging tools already exist and they do amazing work, like Stetho, Retrofit’s Interceptors, or Android Studio Network Profiler. Also, they can be added/configured to your project pretty easily 👌.

What if you want to inspect or debug other network requests, requests sent not directly by your app, but from an SDK you have been installed (Google Analytics, Facebook Ads, etc…)? 🧐

One solution is to use a proxy 🛡.

1. Proxy Installation

For our need, I choose to use mitmproxy (but others exists, like Charles for example). Installation steps can be found here.

If you have a Mac, you’ll just have to install it with brew…

$ brew install mitmproxy

…and launch the proxy with:

$ mitmproxy

Nothing to show, yet.

2. Device Configuration

Then, find out what is the local IP address of your computer (because the proxy is running on it). I used ifconfig to get it on my Mac:

Finally, tell your device which proxy to use. With an AVD emulator, this is actually pretty simple:

Now, mitmproxy should be able to intercept and read any HTTP request from your device 👍.

🤓 Sounds cool, but why HTTPS requests are not intercepted?

Actually, they are! But mitmproxy can not read them, because those requests are encrypted (actually that’s all the point of HTTPS!).

3. HTTPS Reading

In order to be able to read those HTTPS requests, we will have to perform a kind of man in the middle attack.

⚠️ Perform this attack only with an application you own. Seriously. ⚠️

Basically, you will have to tell Android that mitmproxy is a trusted certification authority that is able to provide dummy certificates for each of the SSL sites that your device visits. In this way, mitmproxy will be able to decrypt encrypted traffic on the fly 👌.

In order to install the mitmproxy CA certificate, we will need to do some configuration. I choose to show you the way that will work in most cases, without a rooted device.

Now, you should be able to decrypt and analyze all the HTTPS requests of your Android applications 🎉 (except if your application implements Certificate Pinning security).

Here is what it looks like with one of my demo Github project:

As you can see, mitmproxy is a very powerful tool. In this post, I only show you the way to debug HTTP & HTTPS requests but mitmproxy has more useful features that could help you to debug complex scenarios or just secure a bit more your application.

Always use it with caution and on applications you own ⚠️.

Happy debugging! 🛡

If you want to join our Bureau of Technology or any other Back Market department, take a look here, we’re hiring! 🦄

www.backmarket.com

Back Market Engineering

Creative engineers building a less wasteful world …

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store