14

I want to monitor HTTPS traffic from my application to remote server. I am trying to follow this instruction and it works for HTTP (without s), but not for HTTPS.

What is wrong? Should I write some custom code in my application to use https-proxy ?

sunil
  • 6,444
  • 1
  • 32
  • 44
Ezh
  • 579
  • 1
  • 7
  • 26

4 Answers4

6

The easiest way to do this is to use CharlesProxy to proxy your device or emulator traffic for you. The only extra step you need to do is to install the CharlesProxy SSL certificate on your device/emulator which is very straight forward:

Download the certificate from Charles Proxy (it's in their help menu) and place it on your device, then install via security settings on your device.

You then configure your device or emulators network connection to use a manual proxy and set it to the Charles Proxy address and port. Enable SSL proxying and your SSL connections will be securely routed end-to-end via Charles and Charles will be able to show you the content of requests and responses in the clear.

Jerry Brady
  • 3,050
  • 24
  • 30
0

I'm using WireShark for sniffing, it allow you to monitor and filter raw data. But because you using https and all transactions encrypted i suppose it can't help you. May be you can switch from https to http for debug, and later when all will be works fine change protocol back to https

Dmitriy Tarasov
  • 1,949
  • 20
  • 37
0

Do you mean you can't see the traffic at all or do you get it encrypted? Is this a web application or native application? which Android version are you using? phone or emulator?

Normally, if you set up the proxy properly, you will get the traffic, but encrypted so you can't read it. In order to see the actual content in Fiddler you would need your device to trust Fiddler's root certificate (used to create fake certificates on the fly). See this:

http://www.fiddler2.com/fiddler/help/httpsdecryption.asp

Unfortunately, I have not found a way to add root certificates to an android device other than rooting it and replacing the certificate store (like this)

Yasei No Umi
  • 1,574
  • 9
  • 23
  • 1
    The management of trusted root certificates has changed significantly with Android 4. Every cert is an own file stead of one cacert.bks. AFAIR installation of new trusted root certs is possible without rooting since Android 4. – Robert Aug 05 '12 at 11:34
  • Thanks @Robert, can you elaborate how you do that? (http://support.google.com/android/bin/answer.py?hl=en&answer=1649774 ?) – Yasei No Umi Aug 05 '12 at 12:02
-3

https means http secure, so it obviously can't be sniffed so easily. what would be the point if it would be the same unsecure thing as normal http?

you have to learn a bit more about secure network comunications. or, long story short, at least you will have to learn how to use a specilly devised http proxy like charles http://www.charlesproxy.com/documentation/welcome/ so you will be able to monitor you own https traffic in a clear form.

Alister Whitehat
  • 1
  • 1
    You absolutely can sniff HTTPS traffic via MitM. Take a look at Fiddler. This is often for debugging/reverse engineering. – Tyler Montney Aug 13 '18 at 21:13