Intercept SSL traffic to perform penetration testing on Android apps using Charles Debug Proxy

Mayank Grover, Apr 10

As cybersecurity incidents are increasing at a very high rate, it’s important to know how to pen-test your applications before they go into production.

Whenever you want to pen-test a specific application, the very first step is to intercept the endpoints through which the app sends and receives data.

These endpoints are usually API endpoints, each consisting of a request URL, request method, request headers, request body, and a response in a format such as JSON or XML.

Interception is the process of capturing the traffic (requests and responses) at the network level as it travels between your device and the application server.

Interception works in the same way as a man-in-the-middle attack; however, in this case it is an entirely legitimate technique in which you capture your own network requests and observe the different parameters involved.

Intercepting network traffic for any non-HTTPS URL is quite simple: you just need to configure a tool like Charles or Burp and set it up as the proxy for your Android device.

This routes all traffic from the Android device through a computer running Charles or Burp that is connected to the same network.

However, when an SSL/TLS certificate is configured for application API endpoints, it becomes challenging to intercept the network traffic in plaintext because SSL encrypts the request and response.

In this guide, we will focus entirely on how to intercept and decrypt SSL/TLS traffic for an app running on the Android phone using Charles debug proxy as a MITM tool.

There are two main methods to achieve this:

1. Decode the Android APK file, edit its manifest file to enable debugging, and then re-compile it. Though it seems simple, this method may not work for every app, especially when a security check is implemented.

2. Generate a custom CA root certificate using your MITM tool and install it on the target Android device as a system-level trusted credential. This method works in 90% of cases but fails if the Android app has implemented a technique like SSL pinning.

In this guide, I have explained how to perform the second approach, which is a more reliable solution for intercepting SSL/HTTPS traffic.

Note that installing a custom CA root certificate as a user-level credential in Android OS will not allow you to intercept SSL/HTTPS network traffic.

To make the device trust your MITM tool, you need to install its certificate as a system-level trusted credential, which is quite tricky.

Once your certificate is set up as a system-level trusted credential, the device trusts the certificates your MITM tool issues, and you will be able to intercept SSL/HTTPS URLs automatically.

To achieve this, you need to have a rooted Android device, but it can also be done on an Android OS running over an emulator software.

The first step of the process is obtaining a root shell on the device with ADB (Android Debug Bridge) and remounting the /system partition in “read-write” mode (it is mounted “read-only” by default).
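Android's system trust store does not accept an arbitrary file name: each CA file is named after OpenSSL's `subject_hash_old` of the certificate's subject, the value `openssl x509 -subject_hash_old -noout -in charles.pem` prints. As an added example (not code from the original article or from Charles), the following standard-library Python works that name out from the certificate itself; the minimal certificate is constructed inline, and `charles.pem` as the name of the root CA exported from Charles is an assumption.

```python
import base64
import hashlib
# Android's system trust store names each CA file after OpenSSL's "subject_hash_old":
# the first four bytes of the MD5 of the DER-encoded subject Name, read little-endian,
# printed as 8 hex digits plus ".0" (".1", ".2", ... only if that name is already taken).
CACERTS_DIR = "/system/etc/security/cacerts"

def pem_to_der(pem_text):
    """Strip PEM armour (e.g. the root CA exported from Charles) and return DER bytes."""
    return base64.b64decode("".join(l for l in pem_text.splitlines() if l and not l.startswith("-----")))

def read_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_subject(cert_der):
    """Subject Name TLV of an X.509 certificate: exactly the bytes OpenSSL hashes."""
    _, tbs_pos, _ = read_tlv(cert_der, 0)               # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _ = read_tlv(cert_der, tbs_pos)             # step into tbsCertificate
    if cert_der[pos] == 0xA0:                           # skip optional [0] EXPLICIT version
        pos = read_tlv(cert_der, pos)[2]
    for _ in range(4):                                  # skip serial, sigAlg, issuer, validity
        pos = read_tlv(cert_der, pos)[2]
    return cert_der[pos:read_tlv(cert_der, pos)[2]]     # subject Name TLV

def subject_hash_old(name_der):
    return int.from_bytes(hashlib.md5(name_der).digest()[:4], "little")

def system_cacert_path(cert_der):
    """Destination that makes Android treat the CA as a system-level trusted credential."""
    return "%s/%08x.0" % (CACERTS_DIR, subject_hash_old(der_subject(cert_der)))

# --- constructed sample certificate: valid DER layout, no real key or signature ---
def tlv(tag, body):                                     # minimal DER encoder used only to build the sample
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, len(body)]) + body if len(body) < 128 else bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def name(cn):                                           # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))

SAMPLE_SUBJECT = name(b"Test MITM CA")
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, tlv(0x05, b""))
    + name(b"Test MITM CA") + tlv(0x30, tlv(0x17, b"240101000000Z") * 2) + SAMPLE_SUBJECT
    + tlv(0x30, b"\x00" * 200)) + tlv(0x30, tlv(0x05, b"")) + tlv(0x03, b"\x00"))  # 200-byte SPKI padding exercises long-form lengths
```

With /system remounted read-write, the PEM file itself (Android's cacerts entries are PEM) is pushed to the returned path and given mode 0644 so every app can read it; if the hash does not match the file name, Android silently ignores the certificate.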

Next, here is a step-by-step guide to setting up your custom CA certificate as a system-level trusted credential on an Android device.

Pre-requisites:

Android Emulator with android OS version between 7–9 (Nougat-Pie)

Note: when setting up the emulator, make sure you use a plain system image of Android OS 7 (Nougat). If you use a Play Store or Google Play image, you will not be able to remount the /system directory, as this is prohibited in production builds. This very important step is missing from many articles available on the internet.

ADB (Android debug bridge)

Charles debug proxy (MITM tool)

Please have a look at the following screenshot to understand which Android image needs to be selected while creating the emulator. It should always be a system image and not a Google Play or Play Store image (those are meant for production only). The reason is simple: those images won’t allow you to remount the /system directory of the Android OS in “read-write” mode.

(Screenshot: setting up an Android emulator with an Android Nougat system image)

Please visit the following link if you are not sure how to set up an Android emulator using Android Studio.