1

I have an Android mobile app, and I can't see some requests of it's, when trying to sniffing (this mobile app doesn't require any type of auth from user)

I've tried to use Proxyman on iOS and I've catched requests and responses (even HTTPs), but I can't see all of them. For example, I can't see request with the details of product, or with list of them. Proxyman developer answered me:

Maybe the app doesn't use URLSession (Apple Framework) to make a networking request. If it's an online app, it can be a React Native, Flutter app, which (by default) doesn't go through the VPN. Thus, Proxyman could not capture it.

I've tried Wideshark / Charles / Mitmproxy on my Android emulator (tried Android versions 5.1 - 11.0) but it also didn't work

I've tried decompile APK of this application (with apktool) and I've found many .java files, but it's too hard to find API paths there, because all names are unreadable (but I've found some, but it's not enough)

Can you tell me, what can I do, to get API of this mobile app?

I really don't know, how it can be so hard, why can't I get a simple API calls, because my app somehow knows, where should it go and which type of data it should get (in browser it so much easier!)

Robert
  • 39,162
  • 17
  • 99
  • 152
No Root Rights
  • 13
  • 3
  • Please read the first section of https://stackoverflow.com/a/62731432/150978 again. If you see some HTTPS requests but not all then most likely certificate pinning is used. About pinning see e.g. https://stackoverflow.com/a/64659970/150978 – Robert Feb 02 '23 at 12:48
  • Thanks! I am trying to get as much info about that as I can get, I just got lost, when was trying to install Magisk + Edxposed + TrustMeAlready Xposed module on Android Studio emulator Maybe you have some article about that? (I am not a mobile developer at all) – No Root Rights Feb 02 '23 at 13:33
  • If it is just one app on a rooted device I would prefer Frida+Objection as it is easier to install and more flexible to adapt. – Robert Feb 02 '23 at 17:08

1 Answers1

3

Do you have root access? To intercept an Android app really your only options really are root access (and changing the device system configuration) or modifying the app APK. For most apps (all apps that aren't specifically configured to allow user certificates/be debuggable) there is no other possible way to intercept the traffic.

I've written a detailed breakdown of how android HTTPS trust works, and the low-level details of how to intercept it, here: https://httptoolkit.com/blog/intercepting-android-https/. That might provide more context, but the conclusion is the same: you need to modify the system, or modify the app.

If you don't have root access, so you can't modify the system, apk-mitm is usually your best option, and if that doesn't work then you will have to manually investigate the Java code yourself.

Be aware though that you can always use an emulator to run the app, and most emulators (all except the official 'Google Play' emulator versions - e.g. the official 'Google API Services' & vanilla images are root-accessible) will allow root access, so this is normally possible. You can also use emulators like Genymotion which has a free personal use edition.

If that's practical for you, I'd go that way - I've written a full walkthrough to emulator setup & 3rd party app interception here: https://httptoolkit.tech/blog/inspect-any-android-apps-http/

Last possibility: if interception for most HTTPS is working, but just some requests are failing, then you need to disable certificate pinning. You can do this using Frida, I've written a general-purpose certificate unpinning script for Android you can use Frida here: https://github.com/httptoolkit/frida-android-unpinning

Tim Perry
  • 11,766
  • 1
  • 57
  • 85