3.1 Decrypt HTTPS/TLS
PCAPdroid has the ability to send all the TCP traffic via a SOCKS5 proxy. By connecting to mitmproxy in SOCKS5 mode it’s possible to decrypt the TLS traffic. TLS decryption can be used, for example, to inspect the plain HTTP traffic in HTTPS requests. Note: the TLS decryption is not available if root capture is enabled.
mitmproxy can be installed on a PC by following the official installation guide. Both the Android device and the PC should be connected to the same network for this to work.
Another option is to install it directly on the Android device via termux. After installing the termux app, open it and run the following commands:

```
pkg update
pkg install python
python3 -m pip install --upgrade pip
CRYPTOGRAPHY_DONT_BUILD_RUST=1 pip install mitmproxy
```
Note: when installed on the Android device via termux, it’s essential to set an app filter in PCAPdroid to only capture a specific app traffic, otherwise the termux mitmproxy traffic would run in a loop, breaking the phone internet connectivity.
In order to enable the TLS decryption in PCAPdroid:
- Run mitmproxy without options to generate the mitm certificate. Install the certificate (usually ~/.mitmproxy/mitmproxy-ca-cert.cer) on the Android phone. It may be necessary to change the extension to .crt to install it.
- Open the PCAPdroid settings
- Toggle “Enable SOCKS5 Proxy”
- Set the IP address and port of the remote mitmproxy instance (port 8050 in this example).
- Run mitmproxy in SOCKS5 mode, e.g. via mitmproxy --mode socks5 --listen-port 8050.
PCAPdroid will now redirect all the TCP traffic to the mitmproxy server, which will proxy the connections and decrypt the TLS traffic. The PCAP generated by PCAPdroid will still contain the encrypted traffic with the original IP destination and port. Since enabling TLS decryption has a high probability of breaking the network connections of the apps, it is advisable to use an app filter to only target a specific app at a time.
3.2 Decryption after Android 7
After Android Nougat, Android apps do not trust user certificates anymore. This means that Android apps will reject the mitmproxy certificate and their connections will be broken. On a rooted device, this is easily solved by installing a system CA (see https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android). On non-rooted devices, the most reliable way to fix the problem is to change the app configuration to trust user certificates as explained in the Android guide. If you don't have the app source it is still possible to unpack the app and repack it with the modified configuration, see apktool.
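The "modified configuration" step above is an Android network security config that adds the user certificate store to the app's trust anchors, plus a manifest attribute pointing at it. The following script is an added example (not part of PCAPdroid, mitmproxy or apktool) that performs both edits on a directory produced by apktool's decode step; the directory layout (`AndroidManifest.xml` at the top level, `res/xml/` for the config) follows apktool's output, and the config file name `network_security_config` is an assumed default.

```python
import os
import xml.etree.ElementTree as ET

# Android's attribute namespace; registering the prefix keeps "android:" in the output.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)

# Network security config that trusts user-installed CAs (the mitmproxy CA among them)
# in addition to the system store, which is exactly what apps targeting API 24+ stop doing.
USER_CA_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""


def patch_manifest(manifest_xml: str, config_name: str = "network_security_config"):
    """Point <application> at @xml/<config_name>; return (patched xml, config name used).

    If the app already declares a networkSecurityConfig, that name is reused so the
    existing file gets replaced (any rules it carried, e.g. config-level pins, are lost)."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("AndroidManifest.xml has no <application> element")
    attr = "{%s}networkSecurityConfig" % ANDROID_NS
    existing = app.get(attr)
    if existing and existing.startswith("@xml/"):
        config_name = existing[len("@xml/"):]
    app.set(attr, "@xml/" + config_name)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body, config_name


def add_user_ca_trust(apk_dir: str) -> str:
    """Apply the change to an apktool-decoded directory; returns the config path written."""
    manifest_path = os.path.join(apk_dir, "AndroidManifest.xml")
    with open(manifest_path, encoding="utf-8") as f:
        patched, config_name = patch_manifest(f.read())
    with open(manifest_path, "w", encoding="utf-8") as f:
        f.write(patched)
    xml_dir = os.path.join(apk_dir, "res", "xml")
    os.makedirs(xml_dir, exist_ok=True)
    config_path = os.path.join(xml_dir, config_name + ".xml")
    with open(config_path, "w", encoding="utf-8") as f:
        f.write(USER_CA_CONFIG)
    return config_path


if __name__ == "__main__":
    import sys
    # Usage: python add_user_ca_trust.py <directory produced by "apktool d app.apk">
    print("wrote", add_user_ca_trust(sys.argv[1]))
```

After running it, rebuild and sign the APK with apktool and your own key as usual; apps that pin certificates in code rather than in the config will still reject the mitmproxy CA.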
There is also a much simpler but unreliable approach which does not require messing with the app configuration. By using the VirtualXposed app in conjunction with PCAPdroid it's possible to trick Android into using the old pre-Nougat security policy, thus making the app accept the mitmproxy certificate. VirtualXposed is an open source virtualization app available on F-Droid. In order to use VirtualXposed with PCAPdroid:
- Set up PCAPdroid for the TLS decryption as explained above
- Possibly set the app filter in PCAPdroid to only capture the VirtualXposed traffic
- Open VirtualXposed, select “Add App” and install the target application that you want to decrypt (use the “virtualxposed” method).
- Run the target application via VirtualXposed.
What is the trick? VirtualXposed has the target SDK version set to 23. It turns out that any app with target SDK < 24 still accepts user certificates even after Android 7! Any virtualization app with appropriate target SDK version will do the trick. It is important to keep in mind that app virtualization alters the normal environment of the app and can cause crashes. APK unpacking remains the suggested approach.
The following tips may help in troubleshooting TLS decryption issues:
- If mitmproxy shows a “Client Handshake Failed” warning it means that the connections are correctly received but the target application is not accepting the mitm SSL certificate generated by mitmproxy. Ensure that the mitmproxy certificate is correctly installed and that the app accepts user certificates as explained above.
- Some apps may employ certificate pinning. In such a case, specific unpacking tools may help.
- If mitmproxy shows no output it means that the traffic does not reach the mitmproxy. Check your network settings.
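When mitmproxy shows no output, the first thing worth knowing is whether the port PCAPdroid was pointed at answers the SOCKS5 greeting at all. The script below is an added example (not part of PCAPdroid or mitmproxy) that sends the three-byte client greeting PCAPdroid's proxy connection starts with (version 5, one method, "no authentication") and classifies the reply; the result names ("ok", "refused", "not-socks5", ...) and the small fake responder used to exercise it offline are this example's own constructions, and the default port 8050 matches the one used earlier on this page.

```python
import socket
import threading

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00            # the method mitmproxy --mode socks5 accepts
METHOD_NONE_ACCEPTABLE = 0xFF    # server rejected every method we offered


def check_socks5(host: str, port: int, timeout: float = 3.0) -> str:
    """Send the SOCKS5 client greeting and classify the answer.

    Returns one of: "ok" (server accepts no-auth, traffic should flow),
    "refused" (nothing listening on that port), "timeout"/"unreachable"
    (wrong address, different network or a firewall in between),
    "auth-required" (server insists on authentication PCAPdroid does not send),
    "not-socks5" (something else, e.g. an HTTP proxy, answered on that port)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            # Greeting: version 5, one method offered, method 0x00 = no authentication.
            s.sendall(bytes([SOCKS_VERSION, 0x01, METHOD_NO_AUTH]))
            reply = s.recv(2)  # server answers with: version, chosen method
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        return "not-socks5"
    if reply[1] == METHOD_NO_AUTH:
        return "ok"
    if reply[1] == METHOD_NONE_ACCEPTABLE:
        return "auth-required"
    return "not-socks5"


def serve_fake_socks5(reply: bytes):
    """Constructed stand-in for a proxy: accept one connection on a random local port,
    answer the greeting with `reply`, then close. Only used to test check_socks5() offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(3)          # consume the client greeting
            conn.sendall(reply)   # scripted server reply
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return host, port


if __name__ == "__main__":
    import sys
    # Usage: python check_socks5.py <mitmproxy host> [port]   (port defaults to 8050)
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8050
    print(f"{target_host}:{target_port} -> {check_socks5(target_host, target_port)}")
```

Run it from the PC that hosts mitmproxy first (it should print "ok"), then from another host on the same network; "refused" or "timeout" from the second run points at a firewall or a mitmproxy bound to the wrong interface rather than at the PCAPdroid side.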