Playing with proxy on Android🛡

How to inspect all HTTP & HTTPS requests from any app?

Philippe BOISNEY
Nov 16 · 3 min read
Our living room, to explore HTTP requests in a cozy place.

When you’re developing an Android app, it’s sometimes necessary to exactly debugging what’s going on behind the scenes, especially for network requests (HTTP & HTTPS).

Some powerful debugging tools already exist and they do amazing work, like Stetho, Retrofit’s Interceptors, or Android Studio Network Profiler. Also, they can be added/configured to your project pretty easily 👌.

What if you want to inspect or debug other network requests, requests sent not directly by your app, but from an SDK you have been installed (Google Analytics, Facebook Ads, etc…)? 🧐

One solution is to use a proxy 🛡.

1. Proxy Installation

If you have a Mac, you’ll just have to install it with brew…

$ brew install mitmproxy

…and launch the proxy with:

$ mitmproxy

Nothing to show, yet.

2. Device Configuration

Finally, tell your device which proxy to use. With an AVD emulator, this is actually pretty simple:

Now, mitmproxy should be able to intercept and read any HTTP request from your device 👍.

🤓 Sounds cool, but why HTTPS requests are not intercepted?

Actually, they are! But mitmproxy can not read them, because those requests are encrypted (actually that’s all the point of HTTPS!).

3. HTTPS Reading

⚠️ Perform this attack only with an application you own. Seriously. ⚠️

Basically, you will have to tell Android that mitmproxy is a trusted certification authority that is able to provide dummy certificates for each of the SSL sites that your device visits. In this way, mitmproxy will be able to decrypt encrypted traffic on the fly 👌.

In order to install the mitmproxy CA certificate, we will need to do some configuration. I choose to show you the way that will work in most cases, without a rooted device.

Now, you should be able to decrypt and analyze all the HTTPS requests of your Android applications 🎉 (except if your application implements Certificate Pinning security).

Here is what it looks like with one of my demo Github project:

As you can see, mitmproxy is a very powerful tool. In this post, I only show you the way to debug HTTP & HTTPS requests but mitmproxy has more useful features that could help you to debug complex scenarios or just secure a bit more your application.

Always use it with caution and on applications you own ⚠️.

Happy debugging! 🛡

If you want to join our Bureau of Technology or any other Back Market department, take a look here, we’re hiring! 🦄

www.backmarket.com

Back Market Engineering

Creative engineers building a less wasteful world - www.backmarket.com

Philippe BOISNEY

Written by

Android Software Engineer @backmarket 📱🏡 💚

Back Market Engineering

Creative engineers building a less wasteful world - www.backmarket.com

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade