![]() My proxy of choice is Fiddler (classic), it’s pretty nice looking and easy to use for both observing and modifying traffic. We’ll get started by installing and preparing the proxy server we want to use. Proxy and certificate setup Installing the proxy When this is done the proxy decrypts the incoming request and can do whatever it wants with it, before it sets up a new https connection with the remote server, pretending to be the app and thus acting as a man in the middle (MITM). ![]() ![]() If you can get the phone to trust the proxy’s certificate, for example by installing it as a trusted certificate, the phone will happily accept it when it is presented by the proxy. However, since the proxy’s certificate is not trusted by the phone the phone will not accept this. To be able to intercept the https traffic the proxy could pretend to be the remote server and present it’s own certificate to the phone when it is trying to connect to the remote server. By doing this you can easily see all http traffic, but since https traffic is encrypted the proxy is not able to read the data. If you want to intercept traffic going in and out from a phone you can set up an http/https proxy server, make sure your phone uses it and then monitor all traffic going trough the proxy. In this post I’m going to describe how you can do this with Burp Suite and the Android Studio Emulator running any Android version from 4 until 11 which is the latest version at the time of writing. Being able to intercept, inspect and modify https traffic between an app and a server can be very useful.
0 Comments
Leave a Reply. |