Ask Your Question

How can I capture API endpoints sent to HTTPS from an Android App?

asked 2021-07-10 17:29:45 +0000

SirLouen gravatar image

I'm developing an app and want to test if users could be capturing HTTPS based API endpoints from my app by using Wireshark monitoring.

I know how to capture some HTTP traffic from my wireless network in my PC from the phone, buy I won't be able to decrypt the HTTPS traffic coming from the Android phone in case it's encrypted via HTTPS. Furthermore, if I'm not wrong, I understand that in the header of the HTTPS packets, I might find the endpoint URL that it's being queried and maybe in the body, I might find the info is being sent to that endpoint.

How can I work around this issue?

PS: I'm not 100% into Wireshark yet, please answer me in a simple form

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2021-07-25 12:50:39 +0000

JasMan gravatar image

The easiest way to capture and decrypt TLS traffic on Android is to use "PCAP Remote". The app act as Man-In-The-Middle by creating an local VPN connection and using its self-signed certificate. You can then download the unencrypted traffic as pcap file to open it in Wireshark for further analyzes.

Another way to see the unencrypted traffic is to use a TLS proxy like Burp or mitm. One of the advantages of those TLS proxys is, that you can see and manipulate the HTTP requests in the GUI in realtime. The big disadvantage is, that it is not really easy to add the needed self-signed certificate to the Android trusted certificate store. You will need to have root access to your phone to do so.

I think the only way to prevent that users are able to decrypt the TLS traffic and find the API endpoints of your app is, to implement HTTP public key pinning to it. Your app will then only accept the defined server certificate for TLS connections, which prevents MITM attacks.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2021-07-10 17:29:45 +0000

Seen: 7,770 times

Last updated: Jul 25 '21