Android Applications/https

From Archiveteam

Requirements

Steps

1. Download all of the requirements
1.5. Pre-Setup

  • Depending on what type of app you want to save, you may need a different version of Android. You can set this up using the Nox Device Manager or your emulator's equivalent.
  • Close the emulator, open the device manager's settings and enable Root on the device.
  • Turn on Root permissions in your file manager of choice. If it doesn't have such an option, get FV File Manager.

2. Get certificate

  • In PCAPdroid, open the settings and enable TLS decryption.
  • A walkthrough appears; click Next until it reaches the certificate step.
  • Click the Export button.
  • Copy the certificate from the emulator to your PC (a shared folder works for this: nox_share for Nox, MuMuSharedFolder for MuMu).

After retrieving the certificate, the process varies depending on the emulator used. If you cannot install the certificate through the emulator's own UI, follow step 3.5.

3. Nox Steps

  • Log in to your Google account.
  • Install the certificate.
  • Go to /data/misc/user/0/cacerts-added using your file explorer of choice.
  • It is most likely the most recently modified file, but to confirm, the filename is structured like this: the first four bytes of the certificate's subject hash with their order reversed (31dc2789 -> 8927dc31; it quite literally flips the bytes 31 dc 27 89 -> 89 27 dc 31).
  • Move the certificate to /system/etc/security/cacerts.
  • Restart Nox.

3.5 MuMu Steps

  • Open a command prompt.
  • Run adb devices
  • Check the emulator's IP and port; for MuMu it is often 127.0.0.1:7555, but it might be different.
  • Run adb connect <device IP here>
  • Run openssl.exe x509 -subject_hash_old -in <file here>
  • Use the string printed before the "BEGIN CERTIFICATE" section of the output as the certificate's filename, with the extension 0 (e.g. 81c450f1.0).
  • Run adb push /<path-to-file>/81c450f1.0 /system/etc/security/cacerts
  • Run adb shell "chmod 664 /system/etc/security/cacerts/<cert name here>"
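The "flipped bytes" rule in step 3 and the openssl command in step 3.5 produce the same value: the old-style OpenSSL subject hash is the MD5 of the certificate's DER-encoded subject name, with its first four bytes read in reverse (little-endian) order, followed by the extension .0. The following is an added example, not code from this page, PCAPdroid or OpenSSL; it derives that filename in pure Python from a constructed, unsigned stand-in certificate, so the hash it yields belongs to no real CA.

```python
import base64
import hashlib
import re

def tlv(tag, body):  # encode one short-form DER TLV (every body in this sample is < 128 bytes)
    return bytes([tag, len(body)]) + body

def name(cn):
    """Minimal X.501 Name: SEQUENCE { SET { SEQUENCE { commonName OID, UTF8String } } }."""
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

# Constructed sample: a structurally valid but unsigned, hypothetical certificate.
SAMPLE_SUBJECT = name("PCAPdroid CA")
_tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")  # version, serial, sigalg
        + name("Issuer") + tlv(0x30, b"") + SAMPLE_SUBJECT + tlv(0x30, b""))  # issuer, validity, subject, spki
_cert = tlv(0x30, tlv(0x30, _tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))       # + sigalg, signature
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(_cert).decode()

def der_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_name_der(cert_der):
    """Return the raw DER of the subject Name inside an X.509 certificate."""
    _, tbs_start, _ = der_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    _, pos, end = der_tlv(cert_der, tbs_start)  # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < end:
        tag, _, vend = der_tlv(cert_der, pos)
        if tag != 0xA0:                         # skip the optional [0] version field
            fields.append(cert_der[pos:vend])
        pos = vend
    return fields[4]  # serialNumber, signature, issuer, validity, subject, ...

def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return base64.b64decode(m.group(1))  # b64decode drops the line breaks

def legacy_hash_hex(md5_digest):
    """First 4 MD5 bytes read as a little-endian uint32 (the 'flipped' bytes): 31dc2789 -> 8927dc31."""
    return f"{int.from_bytes(md5_digest[:4], 'little'):08x}"

def cacert_filename(pem_text, index=0):
    """Filename Android expects under /system/etc/security/cacerts (e.g. '8927dc31.0'); the hash
    is the same value 'openssl x509 -subject_hash_old' prints: MD5 over the DER subject Name."""
    return f"{legacy_hash_hex(hashlib.md5(subject_name_der(pem_to_der(pem_text))).digest())}.{index}"
```

Run cacert_filename on the exported PCAPdroid certificate to check that the file you copied into cacerts carries the name Android will look for; if a differently named file already exists, the .0 suffix is simply incremented.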

4. Using PCAPdroid

  • Check that TLS Decryption is enabled.
  • You must set up the capture filter when you start a capture: select the app you want to intercept.
  • You must also set up the export method; set it to export to a file for further analysis.
  • After a capture, you must save the TLS keys (sslkeylogfile.txt); give the file a distinctive name so you won't confuse it with other captures.

5. Viewing captures

  • Install Wireshark to view .pcap files.
  • To decrypt an individual .pcap file, go to Edit->Preferences->Protocols->TLS.
  • Select the corresponding sslkeylogfile under "(Pre)-Master-Secret log filename".

Alternatives

HTTP Toolkit can be used instead of PCAPdroid, but it is useless without a paid subscription. Process Hacker can apparently be used as well, but that method hasn't been tested.

Certificate Pinning

Some apps crash, terminate or stop working when they notice PCAPdroid. This is often because of certificate pinning.

To avoid this, you can either decompile the app using APKTool and apply patches, or use a combination of PCAPdroid (without TLS decryption) and System Informer.