Two Effective Ways to Intercept Android App Traffic

Patching APK with Objection vs. Manual Recompilation

May 5, 2023 by Nicolas Béguier

Are you finding it challenging to intercept Android app traffic? Since Android N, letting an APK through a proxy has become a herculean task - even rooting doesn't help.

We provide a detailed, step-by-step guide on patching an APK using Objection or manually recompiling the APK, allowing you to start analyzing app traffic effectively.

Gaining insights into an app's operations can reveal vulnerabilities and undesired actions. With the right approach, you can bypass the stringent security measures of the APK, making this an essential read for pentesters and bug bounty researchers focusing on mobile applications.

Prerequisites

Before starting, there are certain tools you'll need to install on your system:

Android Studio: You need it to use the Android emulator. Launch it and go to "Tools" > "Device Manager" and click "Create device" in the "Virtual" panel to launch the device creation wizard.
Android Tooling: Add ~/Android/Sdk/build-tools/<version>/ to your PATH.
To see a list of available devices, use this command: $ ~/Android/Sdk/emulator/emulator -list-avds
Objection: Install Objection with the following command: $ pip install objection
Burp: Finally, download and install Burp from the official website: https://portswigger.net/burp/releases/.

Option 1 : Patch the APK with Objection

To kickstart the process, start the Android emulator. This will establish a direct connection through the proxy, avoiding the modification the Wi-Fi settings of your phone. Here's the command you need to execute:

# Emulator can be found at ~/Android/Sdk/emulator/emulator, my virtual device is named Pixel_5_API_25
$ ~/Android/Sdk/emulator/emulator -avd Pixel_5_API_25 -writable-system -no-snapshot -http-proxy <your local ip>:8080

💡 If you are using a physical mobile phone, you need to configure the Proxy setting of your Wifi connection.

Next, run Burp and set it to listen on all proxy interfaces. Then, extract the CA in DER format and name it ca_burp.der.

The CA needs to be converted to PEM format if you're using Objection. You can do this using the command:

$ openssl x509 -inform DER -in ca_burp.der -out ca_burp.pem

Once converted, push the certificate to the device with these commands:

$ adb push ca_burp.pem /sdcard/

In the Android app, navigate to the files and manually add the CA from the sdcard. This step is essential, though not sufficient on its own.

Now it's time to patch the APK you want to analyze. The use of --use-aapt2 is optional but can be handy. Use this command:

$ objection -d patchapk --use-aapt2 --source base.apk

Install the app using the command:

$ adb install base.objection.apk

Launch the app and unfreeze it with this command:

$ objection explore -s 'android sslpinning disable'

With these steps, you should be able to successfully set up a MITM proxy for an Android app and start analyzing its traffic.

Option 2 : Patch the APK manually

Another option you can try to extract an app's traffic is by recompiling the APK and adding a specific network_security_config.xml file:

Use the following command to decompile the APK and keep only the resources (-s):

$ apktool d base.apk -s -o base_app

Replace or create a network_security_config.xml file:

$ vim base_app/res/xml/network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="@raw/ca_burp"/>
        </trust-anchors>
    </base-config>
</network-security-config>

Launch Burp and make it listen on all proxy interfaces. Extract the CA in DER format and name it ca_burp.der.

Put the ca_burp.der certificate in the res/raw/ folder:

$ ls base_app/res/raw/ca_burp.der

Enable the network_security_config file by adding it to the AndroidManifest.xml file. Ideally, add it as close as possible to the application tag:

$ vim base_app/AndroidManifest.xml

And add the following line inside the application tag:

<application android:networkSecurityConfig="@xml/network_security_config" ...>
    ...
</application>

Recompile the APK:

$ apktool b base_app/ -o base_new.apk

Optimize the APK:

$ zipalign -v 4 base_new.apk base_aligned.apk

Sign the APK. You can use your own key or the one provided by Objection (~/.local/lib/python3.10/site-packages/objection/utils/assets/objection.jks):

$ apksigner sign --ks <path>/KeyStore.jks --ks-pass pass:basil-joule-bug base_aligned.apk

Install the signed APK:

$ adb install base_aligned.apk

By following these steps, you should be able to recompile and install the APK with the required network_security_config.xml file and extract its traffic through Burp.

Conclusion

Both patching an APK with Objection and manually recompiling it provide effective means of extracting Android app traffic for analysis. While Objection offers an easier, more automated process, manual recompilation allows for more granular control and customization. By understanding and applying these methods, you can gain a deeper understanding of your Android applications' network operations, potentially identifying vulnerabilities or inefficiencies. As always, remember to use these tools responsibly and ethically.

Two Effective Ways to Intercept Android App Traffic

Prerequisites

Option 1 : Patch the APK with Objection

Option 2 : Patch the APK manually

Conclusion

If you enjoyed this story, please recommend and share to help others find it! Feel free to contact me if you have any questions.