How to decrypt encrypted network traffic from Android (personal devices)
What is this
- Apps communicate with their servers over encrypted APIs. If we need to reverse engineer what an app is sending, we need to place an intercepting proxy with its own certificate in the middle, i.e. a PITM attack.
Uses
- To get app tokens to scrape data
Procedure
- We need to proxy the traffic through a device, such as our PC, on which we can view it
- A rooted phone with a traffic viewer would be good enough
- We need to add the CA certificate generated by the traffic viewer as trusted, so that the traffic viewer can decrypt the TLS stream
Considerations
- From Android 11 onwards, apps won't trust user-added certificates, through a mechanism known as Certificate Pinning, unless the developer has explicitly chosen to allow user certificates (for example, to use custom WireGuard or OpenVPN servers)
- Solutions
- Either patch the APK to add the certificate to the certificate pinning code
- Or add the certificate as a system level trusted certificate
- System level certificates are set by the Android Source Code here.
- Further considerations
- The app may also choose to set custom CA certificates for specific domains (e.g. its own servers). This doesn't seem common, though, since the system-wide trusted CAs generally include all the popular CAs used by websites.
- Solutions
- Or, if we are using older Android versions, perhaps the APK won't have Certificate Pinning?
- Android 7.0 (SDK 24) introduced Network Security Configuration, which allows apps to define their own network rules declaratively.
- Below Android 7.0 we had to rely on third-party libraries like the TrustKit Android library to achieve that.
- Prior to SDK 24, we did not have declarative Network Security configurations and we had to do it programmatically.
- Below SDK 24, the default configuration allowed Clear Text Traffic and trusted both System and User trusted certificates.
- From SDK 24 to SDK 27 (Android 8.1), the default configuration allowed Clear Text Traffic and trusted only the System trusted certificates.
- From SDK 28 (Android 9.0) onwards, the default configuration disabled Clear Text Traffic and trusted only the System trusted certificates.
- Apps built with the Android 11 Target SDK will have Certificate Pinning and the implicit disabling of User trusted certificates set for all runtimes above SDK 24.
- From Android 11 onwards, User trusted certificates can only be installed from the Settings app, and not by any other user action or debugging tool.
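As an added example (not from these notes or any of the linked posts), this is a Network Security Configuration that spells out the SDK 28+ defaults listed above and keeps user-installed CA trust confined to debuggable builds; the hostname api.example.com, the pin digests and the file path are assumed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (assumed path), referenced from
     AndroidManifest.xml as
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>

    <!-- Default for every domain: no cleartext, and only the system
         trust store. This is the SDK 28+ default written out explicitly,
         so the behaviour no longer depends on the targetSdkVersion.
         The weak variant is adding <certificates src="user"/> here,
         which makes a user-installed CA valid in release builds too. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <!-- Pin the app's own API host to specific SPKI hashes. The digests
         below are placeholders (assumed); real values are the base64
         SHA-256 of the leaf or intermediate SubjectPublicKeyInfo.
         A backup pin is needed so key rotation does not break the app,
         and expiration keeps a forgotten pin from becoming permanent. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Only builds with android:debuggable="true" honour this block, so
         a developer can inspect their own traffic with a user-installed
         proxy CA without that trust ever shipping in a release build. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

With this in place, a user-added CA is honoured only by a debuggable build, which is why a release APK on SDK 24+ shows the "won't trust user certificates" behaviour described above.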
Resources
- https://medium.com/@roy2477/decrypting-android-app-ssl-traffic-c480e2143743
- https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
- https://httptoolkit.com/blog/android-11-trust-ca-certificates/
- https://medium.com/@shaddy43/revenge-reverse-engineering-android-apps-to-bypass-ssl-pinning-for-mobile-app-pen-testing-eeef2ce22682