Sniffing an Android app to find API URL

Question

I'm curious as to how I could figure out the API URL an Android application (any app I have installed) uses if it makes API calls to some online server (a RESTful service for example). I presume I have to capture packets on the device and maybe analyse them in Wireshark or something to find the URL? I'm fairly competent in Java/Android development, but a bit lost when it comes to any sort of network analysis business.

Essentially, you install Charles on your computer, tell your Android device to use that computer as a HTTP proxy, and then all requests will be sent through there, allowing you to see the individual requests made through apps. SSL is a little more complicated. — Lesleh, Dec 29 '13 at 12:42

score 99 · Accepted Answer · edited Jun 16 '19 at 06:39

you can do this with help of WireShark. I am listing steps here

Install WireShark on your computer
now we have to create Android virtual device(AVD) so we will download Android SDK from official site. Android SDK come with emulator for testing
after setting up Android SDK, create a Android virtual Device(AVD) on which we will install app
start that virtual device. you can use command line to start (emulator @<AVD name>)
after creating virtual device install app using adb command adb install app_file_name.apk
now we can start capturing the packets so I will suggest to close other application on your computer which are using network so our captured packets would be more relevant.
now start wireshark with root access
select interface which you want to capture and click start to start capturing.
now start using that app so packets will transfer to and fro and wireshark will capture it.
if you have used app covering all sort of activity then you can stop wireshark to capture packets.
now start main business to analyse packets carefully but not all packets are usefull for our job. so lets filter packets which are relevant for you. lets your IP address is 192.168.0.32 then filter all the packets whose IP is this. so filter expression will be ip.addr==192.168.0.32 apply this filter. still we an apply another filter to list up only relevant packets only so possibly that app is accessing API with HTTP protocol so apply HTTP filter. expression would be http. you can apply both are filter at once ip.addr==192.168.0.32 and http press enter to apply.
see the info carefully for listed packets you will see lot of important details, API keys, cookies etc

what about https? İf app connecting over https protocol still can whireshark log? — savepopulation, Jul 10 '15 at 05:06
with https, protocol is "TLS 1.2" and the request is encrypted so, the request is logged by wireshark BUT not much usefull info (No endpoint, no cookies) — minhhq, Mar 12 '20 at 04:42

score 31 · Answer 2 · edited May 13 '20 at 14:55

31

A very fast method.
Go to PlayStore, search for Packet Capture

Download, install and run.
It's easy simple and fast. It will give you details about the APIs, URLs and response with their headers.

This application follows the concept of Packet Sniffing. Thus, this might not work with much secured applications like WhatsApp, Facebook, Twitter.

UPDATE 1:
The ~~Packet Capture~~ is no more available in playstore, try OS Monitor

UPDATE 2:
The Packet Capture is available again.

edited May 13 '20 at 14:55

Anfuca

1,329
1
14
27

answered Oct 04 '17 at 17:08

reverie_ss

2,396
23
30

The app is no more available on Play Store. Is there any replacement solution? – Kr1 Oct 31 '18 at 06:27
@118218 You can try with this https://play.google.com/store/apps/details?id=com.eolwral.osmonitor – reverie_ss Oct 31 '18 at 08:37
3

The original suggested app is still available (again) as before. – Forage Mar 02 '19 at 14:20
This is easy and worked for me. This should be the accepted answer, Thanks. – Onkar Musale Aug 18 '20 at 08:06
7

Currently broken in recent android. – Edza Feb 27 '21 at 11:50
Any alternative? Because this app is not available for my device even if my phone has newer version for android. – Ali Sajjad May 23 '23 at 07:21

Mohammed Javad · Answer 3 · 2021-04-21T09:46:43.307

In windows 10 machine just follow the below steps:

Go to Settings > Network & Internet > Mobile hotspot and enable Share my internet connection with other devices.
Connect your Mobile Device to that shared hotspot.
Now for getting internet access in your mobile click on Change adapter options.
Go to properties by right click on the the Network Adapter from which the internet is being shared to your windows machine.
Tick the Internet Connection Sharing options in the Sharing tab by selecting the appropriate connection (Local Area Connection used by mobile device) and click ok.

Now you will be able to see all the network traffic of the mobile device in Wireshark if you select the Local Area Connection used by mobile. For filtering the result by http traffic you can enter http in the filter field and for https web traffic you can enter tls.handshake.type eq 1

easy solution, but for analyzing HTTPS content with modern Android Apps it's nearly impossible — Falco Alexander, Feb 18 '21 at 07:23

Davor Josipovic · Answer 4 · 2021-06-07T19:30:31.637

Download Android +6.0 image for PC from this site: https://www.android-x86.org/.

For example: https://www.android-x86.org/releases/releasenote-6-0-r3.html

Make sure that your app works with this Android version -- you can check the minimum Android version on Google Play store --, and don't take a too high number for the Andriod version: the higher the number, the more security constraints is has.

Install VirtualBox, mount the ISO image, boot Android, and install the app through Google Play.

Now you have two options:

If traffic is unencrypted, you can log all NIC traffic to a text file. e.g. VBoxManage modifyvm "vm-name" --nictrace1 on --nictracefile1 c:\file.pcap (cf. here)
If traffic is encrypted, you can use a man-in-the-middle approach. An app that allows this is HttpCanary. It will make an VPN connection and redirect your traffic through that VPN. It decrypts and works well, but take care with your private data.
If the app is using certificate pinning, then it becomes more complicated. Read this blog. You will have to use this approach on x86 images. Note that in that article, the author is using Android x86 8.1 (not x64!) and Xposed Android SDK27. Good luck!!

Honestly think this should be the accepted answer! HttpCanary is what I used in the past and I forgot the name since it was removed from the app store. Got the APK and able to introspect my APIs just fine :) — Brandin Arsenault, Jun 13 '22 at 14:02

score 0 · Answer 5 · answered Jul 13 '17 at 22:15

0

Use debug proxy. Click on the play Button and you will be able to capture URLs and view more details

https://play.google.com/store/apps/details?id=com.dans.apps.webd

answered Jul 13 '17 at 22:15

user8258945

11
1

score 0 · Answer 6 · answered Jul 26 '17 at 06:52

install virtual box and genymotion http://www.2daygeek.com/install-upgrade-oracle-virtualbox-on-ubuntu-centos-debian-fedora-mint-rhel-opensuse/ and http://www.2daygeek.com/install-genymotion-android-emulator-on-ubuntu-centos-debian-fedora-rhel-opensuse-arch-linux-mint/#
Run genymotion . 3 . after that your desire android ADV install .
now start wireshark with root access

score 0 · Answer 7 · answered Aug 22 '21 at 11:35

try classic tcpdump

$ tcpdump -D
1.eth0 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
5.usbmon2 (Raw USB traffic, bus number 2)
6.usbmon1 (Raw USB traffic, bus number 1)
7.usbmon0 (Raw USB traffic, all USB buses) [none]
8.nflog (Linux netfilter log (NFLOG) interface) [none]
9.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
10.dbus-system (D-Bus system bus) [none]
11.dbus-session (D-Bus session bus) [none]
12.bluetooth0 (Bluetooth adapter number 0)
13.eth1 [none, Disconnected]

Bashir Momen · Answer 8 · 2022-05-04T20:26:36.593

0

I know that this thread is quite old but in 2022 using Postman Proxy can help. Check this link out to see the simple steps https://blog.postman.com/using-postman-proxy-to-capture-and-inspect-api-calls-from-ios-or-android-devices/

see here to setup for https traffic https://learning.postman.com/docs/sending-requests/capturing-request-data/capturing-https-traffic/

edited May 04 '22 at 20:26

answered May 04 '22 at 20:16

Bashir Momen

1,461
19
17

score 0 · Answer 9 · answered Oct 13 '22 at 21:31

You can use this: https://github.com/kendarorg/HttpAnsweringMachine Is able to record (change and replay) all http AND https calls plus intercepting all servers contacted. Just set it up like this: https://github.com/kendarorg/HttpAnsweringMachine/blob/main/docs/generated/googlehack_android.md add the dns and ssl certificates for the addresses you need to capture then record them (https://github.com/kendarorg/HttpAnsweringMachine/blob/main/docs/generated/localsample.md). It will store everything readable. Just need a pc or mac with java 11 and is ready to start :) PS I am the creator of the project :p

Sniffing an Android app to find API URL

9 Answers9

Linked