PCAPdroid

User Guide

3.1 Decrypt HTTPS/TLS

PCAPdroid can send all TCP traffic through a SOCKS5 proxy. By connecting it to mitmproxy running in SOCKS5 mode, the TLS traffic can be decrypted on a remote machine. TLS decryption can be used, for example, to inspect the plain HTTP traffic in HTTPS requests.

mitmproxy can be installed by following the official installation guide. It can be run in SOCKS5 mode by using the following command:

mitmproxy --mode socks5 --listen-port 8050

For a complete list of tools and options refer to the mitmproxy documentation. Please note that, prior to v1.3.5, PCAPdroid required a customized mitmproxy to be installed and run with the --mode tunnel option.

In order to enable the TLS decryption in PCAPdroid:

  1. Install the mitmproxy certificate ~/.mitmproxy/mitmproxy-ca-cert.cer on the Android phone. You usually need to change the extension to .crt.
  2. Open the PCAPdroid settings
  3. Toggle “Enable SOCKS5 Proxy”
  4. Set the IP address and port of the remote mitmproxy instance (port 8050 in the example above).

Note: in order for this to work, both the phone and the Linux machine should be connected to the same network.

PCAPdroid will now redirect all the TCP traffic to the mitmproxy server, which will proxy the connections and decrypt the TLS traffic. The PCAP generated by PCAPdroid will still contain the encrypted traffic with the original destination IP and port. Since enabling TLS decryption has a high probability of breaking the network connections of the apps, it is advisable to use an app filter to target only one specific app at a time.

3.2 Decryption after Android 7

Since Android Nougat, Android apps no longer trust user certificates. This means that Android apps will reject the mitmproxy certificate and their connections will be broken. On a rooted device, this is easily solved by installing a system CA (see https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android). On non-rooted devices, the most reliable way to fix the problem is to change the app configuration to trust user certificates, as explained in the Android guide. If you don’t have the app source, it is still possible to unpack the app and repack it with the modified configuration; see apktool.

There is also a much simpler but unreliable approach which does not require changing the app configuration. By using the VirtualXposed app in conjunction with PCAPdroid, it’s possible to trick Android into using the old pre-Nougat security policy, thus making the app accept the mitmproxy certificate. VirtualXposed is an open source virtualization app available on F-Droid. In order to use VirtualXposed with PCAPdroid:

  1. Set up PCAPdroid for TLS decryption as explained above
  2. Optionally set the app filter in PCAPdroid to only capture the VirtualXposed traffic
  3. Open VirtualXposed, select “Add App” and install the target application whose traffic you want to decrypt (use the “virtualxposed” method).
  4. Run the target application via VirtualXposed.

What is the trick? VirtualXposed has its target SDK version set to 23. It turns out that any app with target SDK < 24 still accepts user certificates even after Android 7! Any virtualization app with an appropriate target SDK version will do the trick. It is important to keep in mind that app virtualization alters the normal environment of the app and can cause crashes. APK unpacking remains the suggested approach.
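
Whether an app will accept the mitmproxy user certificate follows from the two rules described in this section: the default tied to the target SDK version and the app's network security configuration. The Python below is an added example, not code from PCAPdroid or mitmproxy. The function name `user_ca_trust`, the sample configuration and the host `api.example.test` are constructed for illustration, and the XML is assumed to be the app's decoded network security config (for instance as unpacked by apktool).

```python
import xml.etree.ElementTree as ET

def _anchors(elem):
    """Sources listed in elem's <trust-anchors>, or None when it has none."""
    ta = elem.find("trust-anchors") if elem is not None else None
    return None if ta is None else {c.get("src") for c in ta.findall("certificates")}

def user_ca_trust(target_sdk, nsc_xml=None, debuggable=False):
    """Map each scope ('*' = any host not listed, or a <domain>) to True if user CAs are trusted."""
    # Platform default: apps targeting API 23 or lower trust user CAs, API 24+ do not.
    default = {"system", "user"} if target_sdk < 24 else {"system"}
    if nsc_xml is None:
        return {"*": "user" in default}
    root = ET.fromstring(nsc_xml)
    # <debug-overrides> anchors are added to every config, but only in debuggable builds.
    debug = (_anchors(root.find("debug-overrides")) or set()) if debuggable else set()
    base = _anchors(root.find("base-config"))
    base = default if base is None else base  # explicit anchors replace the default
    result = {"*": "user" in (base | debug)}

    def walk(cfg, inherited):
        own = _anchors(cfg)
        anchors = inherited if own is None else own  # unset values come from the parent
        for dom in cfg.findall("domain"):
            result[dom.text.strip()] = "user" in (anchors | debug)
        for child in cfg.findall("domain-config"):  # nested configs inherit from this one
            walk(child, anchors)

    for cfg in root.findall("domain-config"):
        walk(cfg, base)
    return result

# Constructed sample config (not taken from any real app).
SAMPLE_NSC = """<network-security-config>
  <base-config><trust-anchors><certificates src="system"/></trust-anchors></base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.test</domain>
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </domain-config>
  <debug-overrides><trust-anchors><certificates src="user"/></trust-anchors></debug-overrides>
</network-security-config>"""

if __name__ == "__main__":
    print(user_ca_trust(23))                    # no config, target SDK below 24
    print(user_ca_trust(30))                    # no config, target SDK 24 or higher
    print(user_ca_trust(30, SAMPLE_NSC))        # release build with the sample config
    print(user_ca_trust(30, SAMPLE_NSC, True))  # debuggable build
```

A scope that maps to False is one where connections through mitmproxy will fail the certificate check; the same result tells an app developer which hosts a release build exposes to user-installed CAs.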

3.3 Troubleshooting

The following tips may help when troubleshooting TLS decryption issues: