3.1 Decrypt HTTPS/TLS
PCAPdroid can send all the captured TCP traffic through a SOCKS5 proxy. By pointing it at a mitmproxy instance running in SOCKS5 mode, the TLS traffic can be decrypted on a remote machine, for example to inspect the plaintext HTTP requests and responses carried inside HTTPS connections.
mitmproxy can be installed by following the official installation guide. It can be run in SOCKS5 mode by using the following command:
mitmproxy --mode socks5 --listen-port 8050
For a complete list of tools and options refer to the mitmproxy documentation. Please note that, prior to v1.3.5, PCAPdroid required a customized mitmproxy to be installed and run with the --mode tunnel option.
In order to enable the TLS decryption in PCAPdroid:
- Install the mitmproxy certificate ~/.mitmproxy/mitmproxy-ca-cert.cer on the Android phone (Settings, Security, install a certificate from storage). It is usually needed to change the extension to
- Open the PCAPdroid settings
- Toggle "Enable SOCKS5 Proxy"
- Set the IP address and port of the remote mitmproxy instance (port 8050 in the example above).
Note: in order for this to work, the phone must be able to reach the mitmproxy listen address and port, so both the phone and the Linux machine should be connected to the same network and no firewall on the Linux machine should block the port (8050 in the example above).
PCAPdroid will now redirect all the TCP traffic to the mitmproxy server, which proxies the connections and decrypts the TLS traffic. The decrypted content is only visible in mitmproxy: the PCAP generated by PCAPdroid still contains the encrypted traffic with the original destination IP and port. Since enabling TLS decryption has a high probability of breaking the network connections of the apps (any app that does not trust the mitmproxy certificate will fail its TLS handshakes), it is advisable to use an app filter to target only one specific app at a time.
3.2 Decryption after Android 7
Starting with Android Nougat (7.0), apps that target API level 24 or higher do not trust user-installed certificates by default. This means that such apps will reject the mitmproxy certificate and their connections will be broken. On a rooted device, this is easily solved by installing the certificate as a system CA (see https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android). On non-rooted devices, the most reliable way to fix the problem is to change the app's network security configuration to trust user certificates, as explained in the Android guide. If you don't have the app source, it is still possible to unpack the app, add the modified configuration and repack it, see apktool.
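The non-rooted procedure above, as an added worked example (this is not PCAPdroid's or mitmproxy's own tooling): a POSIX sh script that patches a directory decoded with apktool so the app trusts user-installed CAs, checks the result, and shows the rebuild and re-sign commands. It assumes apktool, keytool and apksigner (Android SDK build-tools) are on PATH only when repack_and_sign is called, and openssl for the rooted-device helper; the keystore name, alias and password are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the PCAPdroid or mitmproxy documentation.
# Assumptions: the app was decoded with `apktool d`; apktool, keytool and
# apksigner are on PATH when repack_and_sign is called; openssl is available
# for system_ca_filename. Keystore name/alias/password are placeholders.
set -e

# Non-rooted path: make the decoded app trust user-installed CAs (where the
# mitmproxy CA ends up) by writing a network security config that keeps the
# system anchors and adds the user store, then referencing it from the
# <application> element. Argument: directory produced by `apktool d`.
add_user_ca_trust() {
    dir="$1"
    manifest="$dir/AndroidManifest.xml"
    [ -f "$manifest" ] || { echo "no AndroidManifest.xml in $dir" >&2; return 1; }
    mkdir -p "$dir/res/xml"
    cat > "$dir/res/xml/network_security_config.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
EOF
    if grep -q 'android:networkSecurityConfig=' "$manifest"; then
        # The app already ships its own config (possibly one that excludes
        # user CAs): point the manifest at ours instead of adding a second one.
        expr='s#android:networkSecurityConfig="[^"]*"#android:networkSecurityConfig="@xml/network_security_config"#'
    else
        expr='s#<application#<application android:networkSecurityConfig="@xml/network_security_config"#'
    fi
    sed "$expr" "$manifest" > "$manifest.tmp" && mv "$manifest.tmp" "$manifest"
}

# Check a decoded app: prints "yes" when the manifest references a config
# whose trust anchors include the user store, "no" otherwise.
trusts_user_ca() {
    dir="$1"
    cfg=$(sed -n 's#.*android:networkSecurityConfig="@xml/\([^"]*\)".*#\1#p' \
        "$dir/AndroidManifest.xml" | head -n 1)
    if [ -n "$cfg" ] && grep -q 'certificates src="user"' "$dir/res/xml/$cfg.xml" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Rebuild and sign the patched app. The repacked APK carries a new signature,
# so the original app must be uninstalled before installing this one.
# Arguments: decoded directory, output APK path.
repack_and_sign() {
    dir="$1"
    out="$2"
    apktool b "$dir" -o "$out"
    [ -f debug.keystore ] || keytool -genkeypair -keystore debug.keystore -alias dbg \
        -keyalg RSA -keysize 2048 -validity 3650 -storepass android -keypass android \
        -dname "CN=debug"
    apksigner sign --ks debug.keystore --ks-pass pass:android --key-pass pass:android "$out"
}

# Rooted path (from the mitmproxy system-CA howto linked above): the system
# store expects the PEM CA to be named <subject_hash_old>.0.
# Argument: path to the mitmproxy CA PEM; prints the file name to use.
system_ca_filename() {
    printf '%s.0\n' "$(openssl x509 -inform PEM -subject_hash_old -noout -in "$1")"
}
```

Usage: `apktool d target.apk -o target_src && add_user_ca_trust target_src && repack_and_sign target_src target_patched.apk`, then install target_patched.apk and run it with PCAPdroid's app filter set to it. Note that the replacement config drops any per-domain rules the app shipped, and that an app which pins its certificates in code will still refuse the mitmproxy certificate.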
There is also a much simpler but unreliable approach which does not require touching the app configuration. By using the VirtualXposed app in conjunction with PCAPdroid it's possible to trick Android into applying the pre-Nougat security policy to the target app, thus making it accept the mitmproxy certificate. VirtualXposed is an open source virtualization app that is available on F-Droid. In order to use VirtualXposed with PCAPdroid:
- Set up PCAPdroid for the TLS decryption as explained above
- Optionally set the app filter in PCAPdroid to only capture the VirtualXposed traffic
- Open VirtualXposed, select "Add App" and install the target application that you want to decrypt (use the "virtualxposed" method).
- Run the target application via VirtualXposed.
What is the trick? VirtualXposed has its target SDK version set to 23, and the target app runs inside its process. It turns out that any app with target SDK < 24 still trusts user certificates even on Android 7 and later, because the default network security configuration only stops trusting the user store for apps targeting API level 24 or higher. Any virtualization app with an appropriate target SDK version will do the trick. Keep in mind that app virtualization alters the normal environment of the app and can cause crashes. APK unpacking remains the suggested approach.
The following tips may help troubleshooting TLS decryption issues:
- If mitmproxy shows a "Client Handshake Failed" warning it means that the connections are correctly received but the target application is not accepting the TLS certificate generated by mitmproxy. Ensure that the mitmproxy certificate is correctly installed and that the app accepts user certificates as explained above.
- Some apps may employ certificate pinning. In such a case the app rejects the mitmproxy certificate even when it is trusted by the system or user store, and unpacking tools that patch the pinning logic may help.
- If mitmproxy shows no output it means that the traffic does not reach mitmproxy. Check that the SOCKS5 address and port configured in PCAPdroid match the mitmproxy instance, that mitmproxy is listening on an interface reachable from the phone, and that no firewall blocks the port.