Packet Sniffing (Android) Apps for API Mapping at SKOOT
When the term “packet sniffing” is heard, one might initially think of security breaching. While there’s no doubt packet sniffing can be used for illegally hacking into software applications, it can also serve a better purpose when used with good intentions (and hopefully with previous agreement by the owner/s of the software).
Developers can set up packet sniffers to gain better insight into where, when, and how frequently specific APIs are getting called in their application flow. With the further ability to carefully analyse additional details for each API. Not to mention, security breaching your own app offers great insight on how to improve any safety measures already in place.
So, how does one actually go about setting up a packet sniffer for an app?
One of the more popular ways is through using software, WireShark. However, we chose a route that uses HTTP Canary — an open-source Android application for packet sniffing. This was mainly due to the nature of the app at SKOOT. Since we are a lift-sharing and errand app, even if one is able to test it by spoofing geolocations, we often thoroughly test it out on the road. Therefore having a more portable packet sniffer meant we could map APIs on those trips to the supermarket or when running an errand for a friend.
Considering this was my first task at a completely new job as a recent graduate, and having previously never set up a packet sniffer of any shape or form, the easiest (and most portable) solution I came up with, was the following:
To set up a packet sniffer like HTTP Canary, you need a phone without a certificate, which means… You will require a rooted phone, which means…All data will need to be completely wiped before that can be done.
For this, I would recommend using a designated testing phone, or a spare phone that you don’t need to use for your everyday personal use. I had an old OnePlus5 that I was willing to factory reset for testing this out. If you do want the data currently stored on the device, make sure to back up before starting the rooting process. For different phones, the rooting processes may be slightly different.
After searching for a significant time online, and failing a few times, the solution was to download TWRP and Magisk.
TWRP — “Team Win Recovery Project”, is an open-source community project, originally set up to work on porting the network WiMAX to CM7 for the mobile device HTC EVO 4G. Now it is the leading custom recovery for Android phones, which is primarily used for installing custom software on your device, often including things such as rooting your device or replacing the firmware.
Magisk — “The Magic Mask for Android”, is a tool used for customising Android devices. It’s known as a “systemless” root method, which means it’s a way to modify the system without actually modifying or adding files in the /system partition of the device, and instead, it works by modifications being stored safely in the boot partitions. This means the changes are undetected by Google SafetyNet.
Google SafetyNet is used to detect when a system has been tampered with and is able to block certain apps from working properly. This is usually a good safety measure, but can often work too aggressively, especially if you are trying to set up a packet sniffer.
The following steps were used to root my OnePlus5:
Step 0 (phone):
You first need to make sure you are a developer on your Android phone. Ensure this is in place first by going to Settings > About Phone, and tap “Build Number” 6 times.
Step 1 (device):
Enable 3 things in phone settings:
- Enable OEM unlocking by going to Developer options > OEM unlocking
- Enable Advanced reboot by going to Developer options > Advanced reboot
- Enable USB debugging by going to Developer options > Debugging > USB debugging
Step 2 (device):
This is where you want to back up any data from your device, and make sure you are running the latest version of the OS on your device.
Step 3 (laptop):
On your laptop, download the latest versions of:
- Magisk
- MagiskManager
- MagiskUninstaller (in case you need it later)
- twrp (for your specific mobile device)
Step 4 (laptop & device):
- Connect the device via USB. Open terminal or Powershell.
- Type in “ADB devices” and check to see your device is returned in the terminal:
- Reboot your Android into fast boot.
Step 5 (laptop)
- Type in “fastboot devices” and ensure “fast boot” is returned in the terminal:
Step 6 (laptop & device)
- Type in “fastbook oem unlock”:
- This will initiate a window onto your device. Click “Yes” using the hardware buttons to unlock the bootloader.
Step 7 (device):
Use a Root phone checker to ensure the phone was actually rooted before downloading HTTP Canary, and testing it out with the app you want to packet sniff!
Other helpful links for rooting your phone:
By using HTTP Canary you will be able to see a variety of different information coming from the apps you selected to packet sniff. That means you won’t only be able to see the API URLs that are getting called when certain buttons are pressed, but you’ll also be able to further investigate the HTTP responses, and other more sensitive information:
In Conclusion
Setting up packet sniffers, be it by rooting your actual device and setting up a packet sniffer, or by other routes such as setting up an AVD (Android Virtual Device) and a packet sniffer on your laptop, such as WireShark, can provide you and your engineering team a more clear lens as to what is actually happening behind the scenes in your application in real-time, providing a significant debugging advantage.
