6

I have an android(4.2) app that uses the https to talk to the webservice. I want to debug/log every https that goes out. I have fiddler and wireshark to debug them, but everything looks encrypted. can a man-in-middle attack be setup with emulator and fiddler/wireshark to decode and display the http url and its params?

Michael Edenfield
  • 28,070
  • 4
  • 86
  • 117
vvra
  • 2,832
  • 5
  • 38
  • 82
  • 1
    "https (...) looks encrypted". That's what it does. https crypts things so that no sniffer can read it. What you could do is setup a proxy that intercept the negociation and replaces the certificate with yours, but android would reject it as it wouldn't match the host. – njzk2 Jan 28 '13 at 08:26
  • also, do you realize what you are asking? and the consequences if it were that easy? – njzk2 Jan 28 '13 at 08:27
  • however, if you are looking into debugging, i assume it is your app, here are 3 options : A/ start with http only, switch to https when every thing works. B/ debug on the server side. C/ use a debugger (!) – njzk2 Jan 28 '13 at 08:30
  • Fiddler has the capability to act as a Man-in-the-Middle proxy. You just have to enable the "decrypt HTTPS" option and proceed as described by Nikolay. – Robert Jan 28 '13 at 08:55
  • I could not do the above, as I do not have the control on that. – vvra Jan 28 '13 at 09:05

4 Answers4

2

You can use a MITM proxy, such as Burp. Once you install the CA certificate as trusted on the device/emulator, you will be able to decrypt SSL traffic.

Also, if you have the server private key (i.e., it is your own server), you can decrypt traffic intercepted with Wireshark if really need low-level info.

Nikolay Elenkov
  • 52,576
  • 10
  • 84
  • 84
  • I do not have the certificate of this server, and I could not find a way to install a self-signed certificate into the android emulator. – vvra Jan 28 '13 at 09:04
  • 1
    Same as on the device: Settings->Security->Install from storage. If you copy the Burp certificate to external storage (SD card), it will pick it up and give you the option to install. – Nikolay Elenkov Jan 28 '13 at 09:06
1

The easiest option I've found is using mitmproxy. Simple steps laid out here:

Ben G
  • 26,091
  • 34
  • 103
  • 170
0

I once had that very same need.

Good explanation can be found here: https://security.stackexchange.com/questions/8145/does-https-prevent-man-in-the-middle-attacks-by-proxy-server

Turns out some companies do that especially in case of mobile browsers (Opera, Nokia) - to save bandwidth they pass all the traffic through their own proxy server and compress it. What is interesting is that they also work with HTTPS-enabled sites. They install their (somewhat fake) certificate in your local trusted store and the proxy returns the compressed response signed with that fake certificate for the browser to not complain against a potential attack.

I haven't found any tool that would help in creating such a proxy so in the end (since I was in control of the webservice and the server it was running on) I enabled pure HTTP during development. That probably saved me hours of work ;)

Community
  • 1
  • 1
andr
  • 15,970
  • 10
  • 45
  • 59
  • You can use [Fiddler](http://www.telerik.com/download/fiddler) or [Burp](http://www.portswigger.net/burp/) as web proxies to intercept and decrypt https traffic. – Aniket Thakur Mar 29 '15 at 04:52
0

Yes you can just use Fiddler to do so. You need to enable "Decrypt HTTPs traffic" option in Tools -> Options. Fiddler provides a CA cert for SSL communication. All you have to do is install the same on your Android device. You can get the cert by going to the following URL from the browser

http://machinesIPAddress:8888/FiddlerRoot.cer

where machinesIPAddress is the address of the machine where fiddler is running. After installing you can see the same under

Settings -> Security -> Trusted Credentials -> User Tab

I have listed down the entire procedure with screenshots. Hope that helps -

Intercepting Android network calls using Fiddler Web Proxy

Aniket Thakur
  • 66,731
  • 38
  • 279
  • 289