The easiest way to capture and decrypt TLS traffic on Android is to use "PCAP Remote". The app acts as a man-in-the-middle by creating a local VPN connection and using its self-signed certificate. You can then download the unencrypted traffic as a pcap file and open it in Wireshark for further analysis.
Another way to see the unencrypted traffic is to use a TLS proxy like Burp or mitm. One of the advantages of those TLS proxies is that you can see and manipulate the HTTP requests in the GUI in real time. The big disadvantage is that it is not really easy to add the needed self-signed certificate to the Android trusted certificate store. You will need to have root access to your phone to do so.
I think the only way to prevent users from being able to decrypt the TLS traffic and find the API endpoints of your app is to implement HTTP public key pinning in it. Your app will then only accept the defined server certificate for TLS connections, which prevents MITM attacks.
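
One way to declare the pinning described in the answer above is Android's Network Security Configuration. This is an added example, not part of the original answer. The host `api.example.com`, the expiration date and both pin values are placeholders, and the file is assumed to be referenced from the manifest's `<application>` element through `android:networkSecurityConfig`.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Added example: host name, expiration date and pin values are placeholders. -->
<network-security-config>

    <!-- Default for every connection: system CA store only, no cleartext HTTP.
         User-installed CAs (such as a proxy's certificate) are not trusted. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the API host. Each pin is the base64 SHA-256 digest of a
         certificate's SubjectPublicKeyInfo. A chain is accepted only if
         one of its public keys matches one of the listed pins. -->
    <domain-config>
        <domain includeSubdomains="false">api.example.com</domain>
        <!-- After the expiration date pinning is no longer enforced, so the
             date has to be tracked together with the certificate rollover. -->
        <pin-set expiration="2099-01-01">
            <!-- Key currently deployed on the server (placeholder value). -->
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SHA256_OF_CURRENT_SPKI=</pin>
            <!-- Backup key kept offline, so a key rotation does not lock out
                 installed app versions (placeholder value). -->
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SHA256_OF_BACKUP_SPKI=</pin>
        </pin-set>
    </domain-config>

    <!-- Applies only when the build is debuggable: user-installed CAs are
         trusted and pins are overridden, so the developer's own test proxy
         works against debug builds while release builds stay pinned. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```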