MITM HTTPS traffic from android App.

28 May, 2020

Since Android 9 Nougat, Android decide to prevent users from using the user's installed certificate on any app without app developer intention. So capture HTTPS traffic for analysis from any app would be harder. I wanna try to see want happen inside an app and I found a nice solution to finish the task

• Get the Android app APK from some source and make sure you get the real one. I'm using APK from ApkPure.
• Install Apktool on your PC.
• Decode the APK apktool d application.apk -f
• Create new file at res/xml/network_security_config.xml and put the content as below:

<network-security-config>
 <base-config>
   <trust-anchors>
     <certificates src="system" />
     <certificates src="user" />
   </trust-anchors>
 </base-config>
</network-security-config>

• Edit file AndroidManifest.xml by adding line android:networkSecurityConfig="@xml/network_security_config in application tag like this -> <application … android:networkSecurityConfig="@xml/network_security_config">
• Repack the apk apktool b -f output file will be in dist directory.
• Create a key to sign the new APK keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
• Self sign the APK jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore application.apk alias_name
• Install the APK on your device.
• Install and start mitmproxy on your PC.
• Set your WiFi proxy on your android device to mitmproxy's IP address and port 8080.
• Go to mitm.it from your android web browser then download and install a certificate.
• Open the app that you installed from the new proxy able APK.
• Now you can see the app traffic on your PC.