When you’re developing an Android app, it’s sometimes necessary to exactly debugging what’s going on behind the scenes, especially for network requests (HTTP & HTTPS).

Some powerful debugging tools already exist and they do amazing work, like Stetho, Retrofit’s Interceptors, or Android Studio Network Profiler. Also, they can be added/configured to your project pretty easily 👌.

What if you want to inspect or debug other network requests, requests sent not directly by your app, but from an SDK you have been installed (Google Analytics, Facebook Ads, etc…)? 🧐

One solution is to use a proxy 🛡.

1. Proxy Installation

For our need, I choose to use mitmproxy (but others exists, like Charles for example). Installation steps can be found here.

If you have a Mac, you’ll just have to install it with brew…

$ brew install mitmproxy

…and launch the proxy with:

$ mitmproxy

2. Device Configuration

Then, find out what is the local IP address of your computer (because the proxy is running on it). I used ifconfig to get it on my Mac:

Finally, tell your device which proxy to use. With an AVD emulator, this is actually pretty simple:

Now, mitmproxy should be able to intercept and read any HTTP request from your device 👍.

🤓 Sounds cool, but why HTTPS requests are not intercepted?

Actually, they are! But mitmproxy can not read them, because those requests are encrypted (actually that’s all the point of HTTPS!).

3. HTTPS Reading

In order to be able to read those HTTPS requests, we will have to perform a kind of man in the middle attack.

⚠️ Perform this attack only with an application you own. Seriously. ⚠️

Basically, you will have to tell Android that mitmproxy is a trusted certification authority that is able to provide dummy certificates for each of the SSL sites that your device visits. In this way, mitmproxy will be able to decrypt encrypted traffic on the fly 👌.

In order to install the mitmproxy CA certificate, we will need to do some configuration. I choose to show you the way that will work in most cases, without a rooted device.

Now, you should be able to decrypt and analyze all the HTTPS requests of your Android applications 🎉 (except if your application implements Certificate Pinning security).

Here is what it looks like with one of my demo Github project:

As you can see, mitmproxy is a very powerful tool. In this post, I only show you the way to debug HTTP & HTTPS requests but mitmproxy has more useful features that could help you to debug complex scenarios or just secure a bit more your application.

Always use it with caution and on applications you own ⚠️.

Happy debugging! 🛡

If you want to join our Bureau of Technology or any other Back Market department, take a look here, we’re hiring! 🦄