3. Sniffing HTTPS API Traffic on Nougat (7.0) and Newer Android Versions, Bypassing the Default OS TLS Trust Settings

Starting with Android 7.0 (Nougat), the OS introduced a new security feature: it no longer trusts user-installed certificates by default. So our conventional way of adding an HTTPS certificate to intercept API traffic no longer works. However, it is possible to instruct the OS to allow a custom certificate for a selected application if we declare it within the app itself. Taking advantage of this, we can modify our .apk file and instruct the OS to accept the custom certificate in order to sniff HTTPS traffic.

Download RootCapture.apk

Step-1 (Adding Proxy Details from Mobile), Step-2 (Starting the Proxy Listener on the Laptop) and Step-3 (Adding the SSL/TLS Certificate) are the same as what we did earlier here. Additionally, we now have to modify the apk and re-sign it, and then we will be able to sniff HTTPS data. So let's see the next steps:


Step-4: Extracting the .apk file using APKTool:


Step-5: Modifying the AndroidManifest.xml file:

Once the above extraction is done, open the AndroidManifest.xml file in that folder in any editor. Within the <application> tag, add one more attribute: android:networkSecurityConfig="@xml/network_security_config"


Step-6: Create the necessary file & folder within the res directory:

Within the extracted folder you will see a res folder; inside it, create a sub-folder named xml (if not already present).

Inside this xml folder, create a text XML file and name it network_security_config.xml. (Copy the content of network_security_config.xml from here.)


Step-7: Recompile the modified .apk file:


Step-8: Signing the .apk file & installing it:

Using apk_signer.apk (available from the Play Store), jarsigner, or keytool, choose the modified unsigned .apk (HTTPSCaptureNew.apk from Step-7) and sign it. The output of apk_signer is a signed apk, which can be installed by simply tapping on it. After installation is complete, you should now be able to intercept HTTPS traffic on newer OS versions too, such as Android 7.0 / 7.1 / 8.0.
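The whole Step-4 to Step-8 flow, written up as an added example (this is not the tutorial's own script or its network_security_config.xml; it is the same procedure expressed as shell functions). apktool, apksigner and keytool are real tools and must be on PATH for the rebuild part; the keystore name keystore.jks, the alias "test", the password and the working-directory names are assumptions for illustration. The config trusts user-installed CAs under <base-config> so that it applies to the installed build; Android's <debug-overrides> element would only take effect in a debuggable build. The audit_trust_anchors function is the reviewer-side check: run it over your own app's release config to confirm that such a change is never shipped to users.

```shell
#!/bin/sh
# Added example (not from the original tutorial): Steps 4-8 as shell functions.
# apktool / apksigner / keytool are real tools; keystore.jks, alias "test",
# the password "changeit" and the directory names are assumed for illustration.
set -eu

# Step-4: decode the APK into a working directory (apktool must be on PATH).
decode_apk() {
  apktool d -f "$1" -o "$2"
}

# Step-5: add android:networkSecurityConfig to the <application> element.
# Idempotent: a manifest that already carries the attribute is left alone.
add_manifest_attribute() {
  manifest="$1"
  if grep -q 'android:networkSecurityConfig=' "$manifest"; then
    return 0
  fi
  sed -i.bak 's|<application\([[:space:]>]\)|<application android:networkSecurityConfig="@xml/network_security_config"\1|' "$manifest"
  rm -f "$manifest.bak"
}

# Step-6: write res/xml/network_security_config.xml. src="user" under
# <base-config> makes user-installed CAs trusted for every connection of
# this app; under <debug-overrides> it would only apply to debuggable builds.
write_network_security_config() {
  mkdir -p "$1/res/xml"
  cat > "$1/res/xml/network_security_config.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
EOF
}

# Reviewer check: does a config trust user CAs outside <debug-overrides>?
# Prints "user-ca-trusted" or "system-only". Run it on your own release
# build's config to make sure the tutorial's change is not shipped to users.
audit_trust_anchors() {
  if sed '/<debug-overrides>/,/<\/debug-overrides>/d' "$1" | grep -q 'src="user"'; then
    echo user-ca-trusted
  else
    echo system-only
  fi
}

# Step-8 helper: a throwaway signing key (assumed name/alias/password).
make_test_keystore() {
  keytool -genkeypair -keystore "$1" -alias "$2" -keyalg RSA -keysize 2048 \
    -validity 365 -storepass changeit -keypass changeit -dname "CN=Test, O=Test"
}

# Step-7 and Step-8: rebuild with apktool, sign with apksigner (Android
# build-tools), then verify the signature before installing.
rebuild_and_sign() {
  src_dir="$1"; out_apk="$2"; keystore="$3"; alias="$4"
  apktool b "$src_dir" -o "$out_apk.unsigned"
  apksigner sign --ks "$keystore" --ks-key-alias "$alias" \
    --ks-pass pass:changeit --key-pass pass:changeit \
    --out "$out_apk" "$out_apk.unsigned"
  apksigner verify "$out_apk"
}

# Usage: sh patch_apk.sh app.apk work_dir HTTPSCaptureNew.apk
if [ "$#" -eq 3 ]; then
  decode_apk "$1" "$2"
  add_manifest_attribute "$2/AndroidManifest.xml"
  write_network_security_config "$2"
  audit_trust_anchors "$2/res/xml/network_security_config.xml"
  [ -f keystore.jks ] || make_test_keystore keystore.jks test
  rebuild_and_sign "$2" "$3" keystore.jks test
fi
```

The manifest edit and the config writer work on plain files, so they can be exercised without apktool; only the rebuild step needs the Android tooling. apksigner is used for signing because it produces the v1 and v2 signature schemes in one go, whereas jarsigner (mentioned in Step-8) only produces a v1 signature.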


Exceptions:

  • If SSL pinning is implemented, this solution will not be able to intercept the communication; you still need an SSL pinning bypass.
  • A big note: Apktool depends on framework.apk (used internally by the tool). If you download a new version of Apktool, make sure you delete the older auto-generated framework, otherwise you will get errors with failures in decompilation/recompilation (refer to the documentation or a Stack Overflow answer). If the app uses some non-ASCII characters, decompilation might fail. Sometimes the tool might not work depending on the resources within the app, and you might end up with errors. These are difficult to solve, as they vary from scenario to scenario.
