Debugging HTTPS from Android emulator
I

4

6

I have an Android (4.2) app that uses HTTPS to talk to the webservice. I want to debug/log every HTTPS request that goes out. I have Fiddler and Wireshark to debug them, but everything looks encrypted. Can a man-in-the-middle attack be set up with the emulator and Fiddler/Wireshark to decode and display the HTTP URL and its params?

Ive answered 28/1, 2013 at 8:21 Comment(5)
"https (...) looks encrypted". That's what it does. HTTPS encrypts things so that no sniffer can read it. What you could do is set up a proxy that intercepts the negotiation and replaces the certificate with yours, but Android would reject it as it wouldn't match the host. - Tm
Also, do you realize what you are asking? And the consequences if it were that easy? - Tm
However, if you are looking into debugging, I assume it is your app. Here are 3 options: A/ start with HTTP only, switch to HTTPS when everything works. B/ debug on the server side. C/ use a debugger (!) - Tm
Fiddler has the capability to act as a Man-in-the-Middle proxy. You just have to enable the "decrypt HTTPS" option and proceed as described by Nikolay. - Backboard
I could not do the above, as I do not have control over that. - Ive
T
2

You can use a MITM proxy, such as Burp. Once you install the CA certificate as trusted on the device/emulator, you will be able to decrypt SSL traffic.

Also, if you have the server private key (i.e., it is your own server), you can decrypt traffic intercepted with Wireshark if you really need low-level info.

Trichomoniasis answered 28/1, 2013 at 8:32 Comment(2)
I do not have the certificate of this server, and I could not find a way to install a self-signed certificate into the Android emulator. - Ive
Same as on the device: Settings -> Security -> Install from storage. If you copy the Burp certificate to external storage (SD card), it will pick it up and give you the option to install. - Trichomoniasis
B
1

The easiest option I've found is using mitmproxy. Simple steps laid out here:

Bullington answered 6/12, 2013 at 7:7 Comment(0)
J
0

I once had that very same need.

Good explanation can be found here: https://security.stackexchange.com/questions/8145/does-https-prevent-man-in-the-middle-attacks-by-proxy-server

Turns out some companies do that especially in case of mobile browsers (Opera, Nokia) - to save bandwidth they pass all the traffic through their own proxy server and compress it. What is interesting is that they also work with HTTPS-enabled sites. They install their (somewhat fake) certificate in your local trusted store and the proxy returns the compressed response signed with that fake certificate for the browser to not complain against a potential attack.

I haven't found any tool that would help in creating such a proxy so in the end (since I was in control of the webservice and the server it was running on) I enabled pure HTTP during development. That probably saved me hours of work ;)

Journalist answered 28/1, 2013 at 8:34 Comment(1)
You can use Fiddler or Burp as web proxies to intercept and decrypt HTTPS traffic. - Unwinking
U
0

Yes, you can just use Fiddler to do so. You need to enable the "Decrypt HTTPS traffic" option in Tools -> Options. Fiddler provides a CA cert for SSL communication. All you have to do is install the same on your Android device. You can get the cert by going to the following URL from the browser:

http://machinesIPAddress:8888/FiddlerRoot.cer

where machinesIPAddress is the address of the machine where Fiddler is running. After installing, you can see the same under

Settings -> Security -> Trusted Credentials -> User Tab

I have listed down the entire procedure with screenshots. Hope that helps -

Intercepting Android network calls using Fiddler Web Proxy

Unwinking answered 29/3, 2015 at 4:44 Comment(0)
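
The answers above all rest on one trust decision: the emulator accepts the proxy's per-host certificate only once the proxy's root CA is in its trusted store, and host name checking still applies afterwards. The script below is an added example, not code from any of the posts, that reproduces that decision offline with the `openssl` command-line tool. It assumes OpenSSL 1.1.1 or later; the host name, CA names and file names are constructed, and the "built-in" root stands in for the device's preinstalled store.

```shell
#!/bin/sh
# Constructed demo: all names, hosts and files below are made up for illustration.
work=$(mktemp -d)
host=api.example.test          # hypothetical web service the app talks to

# Self-signed root; stands in for either a built-in CA or the proxy's root.
make_ca() {   # $1 = file prefix, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# What an intercepting proxy does per connection: mint a leaf for the
# requested host name, signed by its own root.
mint_leaf() {  # $1 = CA prefix, $2 = host name
  printf 'subjectAltName=DNS:%s\n' "$2" > "$work/san.cnf"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$work/leaf.csr" -days 2 -CA "$work/$1.pem" \
    -CAkey "$work/$1.key" -CAcreateserial -extfile "$work/san.cnf" \
    -out "$work/leaf.pem" 2>/dev/null
}

# The client-side decision: chain to a trusted root AND match the host name.
client_accepts() {  # $1 = trust store (PEM bundle), $2 = host the app asked for
  openssl verify -CAfile "$1" -verify_hostname "$2" "$work/leaf.pem" \
    >/dev/null 2>&1
}

make_ca builtin "Constructed Built-in Root"
make_ca proxy   "Constructed Proxy Root"
mint_leaf proxy "$host"
cat "$work/builtin.pem" > "$work/store_before.pem"                   # before install
cat "$work/builtin.pem" "$work/proxy.pem" > "$work/store_after.pem"  # after install

report() {  # $1 = trust store, $2 = host, $3 = label
  if client_accepts "$1" "$2"; then echo "accepted: $3"; else echo "rejected: $3"; fi
}
report "$work/store_before.pem" "$host" "proxy CA not installed"
report "$work/store_after.pem"  "$host" "proxy CA installed as trusted"
report "$work/store_after.pem"  other.example.test "trusted CA, wrong host name"
```

Remove the proxy root from the device's user credentials once debugging is finished, since every certificate it signs is trusted while it is installed.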
