One of the most important things in Android application penetration testing is capturing the application’s HTTPS traffic.
Reading HTTP traffic generated by Android apps is somewhat easier than reading HTTPS traffic.
Recently some people asked me how to get the Facebook for Android access token. It can be done by intercepting the SSL / HTTPS traffic from the Facebook application.
So here is the easy way to intercept, read and modify SSL network traffic generated by Android applications.
Things we need:
1) Android mobile phone.
2) WiFi Internet connection.
3) Laptop or desktop with Charles proxy installed.
Note: The desktop/laptop should be connected to the same network as your mobile, i.e. the same WiFi connection.
Step 1 : Install intercepting proxy software (Charles proxy in our case)
Charles proxy is one of many good alternatives to Burp Suite for performing man-in-the-middle (MITM) attacks.
Download Charles proxy here.
Read their documentation for any help related to installation. By default, Charles proxy listens on port 8888. Charles proxy is available for Windows, Mac and Linux users.
Step 2 : Set up the WiFi proxy on your Android mobile
On your Android mobile, go to Settings > Wi-Fi and long press the active network connection. Select “Modify network” and tick “Advanced options”. Change “None” to “Manual” in the proxy drop-down menu.
Enter your computer’s local IP address (e.g. 192.168.1.100) as the host and 8888 as the port.
Also, note down the local IP address of your mobile shown at the top of the Modify network menu. Please note that some older versions of Android do not support the WiFi proxy feature.
Step 3 : Install the SSL certificate in Android trusted credentials
Before installing the SSL certificate, we need to add our Android mobile’s local network IP to the Charles proxy access control list: Proxy > Access Control Settings in Charles proxy.
Add the local IP we got from step 2 to the access control list.
Download the Charles proxy SSL certificate zip here.
Extract the certificate and copy it to your mobile’s SD storage.
On your mobile, go to Settings > Security > Install (certificates) from Memory / SD Card and then select the certificate file.
Step 4 : Intercept SSL / HTTPS traffic
We can now intercept all HTTP traffic. For HTTPS, we need to enable SSL proxying in the settings of Charles proxy. Go to Proxy > Proxy Settings > SSL and select “Enable SSL proxying”. Add Hostname : * and Port : * to it.
This will add all the domains and ports. You can change the wildcards as per your need.
That’s all, we are done.
Charles proxy shows all the requests made from the Android device. Make use of breakpoints in Charles proxy to modify requests and responses.
Now we can read and modify all the traffic (both HTTP and HTTPS) generated by Android applications which obey the Android proxy settings.
Some apps do not obey the Android proxy settings; in that case we need to go for a rooted Android device.
For those who want to get the “Facebook for Android access token”, go to the Facebook app on your mobile and you will be able to see the access token in the Authorization header of every request sent to graph.facebook.com or api.facebook.com in Charles proxy.
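A capture like this holds live credentials, so the Authorization values should be masked before a session is attached to a report or shared. The following is an added example, not part of the original post: it assumes the session has been saved as an HTTP Archive (HAR) JSON file, and the function names and the sample data are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts the post names as receiving the token in the Authorization header.
TOKEN_HOSTS = {"graph.facebook.com", "api.facebook.com"}

def redact_value(value, keep=4):
    """Keep the auth scheme and a short prefix of the credential, mask the rest."""
    scheme, _, credential = value.partition(" ")
    if not credential:                      # bare token with no scheme
        scheme, credential = "", value
    # Show a prefix only when the credential is long enough to stay secret.
    shown = credential[:keep] if len(credential) > 4 * keep else ""
    hidden = len(credential) - len(shown)
    return f"{scheme} {shown}...[REDACTED {hidden} chars]".strip()

def redact_har(har, hosts=TOKEN_HOSTS):
    """Mask Authorization headers in place; return (host, path, masked) findings."""
    findings = []
    for entry in har.get("log", {}).get("entries", []):
        request = entry.get("request", {})
        url = urlsplit(request.get("url", ""))
        host = url.hostname or ""           # urlsplit lower-cases the hostname
        if host not in hosts:
            continue
        for header in request.get("headers", []):
            if header.get("name", "").lower() == "authorization":
                header["value"] = redact_value(header.get("value", ""))
                findings.append((host, url.path, header["value"]))
    return findings

def sample_har():
    """Constructed capture: made-up tokens and paths, not real traffic."""
    def req(url, name, value):
        return {"request": {"method": "GET", "url": url,
                            "headers": [{"name": name, "value": value}]}}
    return {"log": {"version": "1.2", "entries": [
        req("https://graph.facebook.com/me?fields=id",
            "Authorization", "Bearer CONSTRUCTED-TOKEN-0123456789"),
        req("https://API.facebook.com/method/constructed",
            "authorization", "CONSTRUCTEDTOKEN42"),
        req("https://example.org/login",     # other host: left untouched
            "Authorization", "Basic Y29uc3RydWN0ZWQ="),
    ]}}

if __name__ == "__main__":
    for host, path, masked in redact_har(sample_har()):
        print(host, path, masked)
```

This covers only the request header the post points at; tokens that appear in query strings or bodies need their own handling.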
I hope this post is useful. Please let me know if you have any doubts.
Thank you so much, I really love these experimental tutorials.
I installed SSL in Charles proxy and it gets headers from every website, but where will I get the Android Facebook access token? Sorry, I can’t find anything like that.
You can't intercept the SSL communication if the app uses certificate pinning (to avoid man-in-the-middle attacks).
Hello, does this method still work? I tried exactly the same thing and this is what I got http://i.prntscr.com/61fc87280c824959a211b4932632bcb8.png
You need to install SSL certificate – Step 3
Isn’t there a way anymore to sniff Facebook’s Network Traffic? Always get an SSQL unknown_ca error
How to use the Burp Suite?
It’s showing a warning for Facebook: ‘SSL Proxying not enabled for this host. Enable in the Proxy Menu, SSL Proxying Settings’. What can I do to monitor Facebook’s requests?
It is because of SSL pinning. Try older versions or try Frida framework – https://www.frida.re/ to bypass certification pinning.
Did anyone try this method with Android 7/8/P(9)?
Please update the method followed to intercept app traffic, so it will be helpful. Thank you.