Recently, I got an opportunity to do a hands-on security assessment of an Android native application. This application does not communicate with the internet over HTTP or through the mobile browser; it talks to its remote server over TCP on some XYZ port.
From my past Android experience and the papers I had read on the internet, only the interception of browser-based application traffic was covered. Some of the papers mentioned native apps, but those apps ultimately communicate over HTTP. Read here for traffic interception for HTTP-based applications.
Challenge Scenario
The native app works perfectly when no proxy is set up on the emulator and it is connected to the internet over Wi-Fi. The moment I change the APN settings of the Android emulator, the application stops and throws a “Network Error” with no further details.
The Solution
Initially I wanted to capture and modify the traffic as we do for a normal Android web app and then apply web application security test cases. After digging into the problem for quite some time, I came across debugging Android with tcpdump. This allowed me to create a pcap file and then analyse it in Wireshark the way one would any ordinary traffic capture.
The Steps
Start the Android emulator using emulator.exe, present in /tools/emulator.exe.
Issue the command (the AVD is selected with the -avd switch, and -tcpdump takes the output file name):
emulator.exe -avd avd_name -tcpdump apptraffic.pcap
This command starts your emulator in a new window and dumps all traffic sent and received to the apptraffic.pcap file.
The file can then be imported into Wireshark for further analysis. Here’s a screenshot:
With careful analysis of the TCP packets you can identify the server IP address and port. The emulator’s -tcpdump option takes only a file name and captures everything, so the port filter is applied when the capture is read back rather than on the emulator command line. To narrow the result to a specific port, use a tcpdump read filter on the pcap file:
tcpdump -r apptraffic.pcap port 10004
The equivalent Wireshark display filter is tcp.port == 10004.
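As an added example (not part of the original post), the script below does the server-discovery step programmatically: it parses a libpcap file such as the one the emulator’s -tcpdump option writes and tallies TCP connection attempts (SYN without ACK) by destination IP and port. The capture bytes are constructed inside the script, with 10.0.2.15 standing in for the emulator guest and 203.0.113.x as made-up server addresses; IP and TCP checksums are left zero because the parser does not verify them.

```python
import struct
from collections import Counter
ETH_IPV4, PROTO_TCP, DLT_EN10MB = 0x0800, 6, 1

def tcp_servers(pcap_bytes):
    """Count TCP SYN (no ACK) packets per (dst_ip, dst_port): each is a client opening a connection."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != DLT_EN10MB:
        raise ValueError("unsupported link type")  # the emulator writes Ethernet frames
    servers, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETH_IPV4:
            continue  # not IPv4 (or truncated frame)
        ihl = (pkt[14] & 0x0F) * 4  # IPv4 header length in bytes
        if pkt[23] != PROTO_TCP or len(pkt) < 14 + ihl + 14:
            continue  # not TCP, or TCP header cut off
        dst_ip = ".".join(str(b) for b in pkt[30:34])
        tcp = pkt[14 + ihl:]
        dst_port, flags = struct.unpack("!H", tcp[2:4])[0], tcp[13]
        if flags & 0x02 and not flags & 0x10:  # SYN set, ACK clear
            servers[(dst_ip, dst_port)] += 1
    return servers

def syn_frame(src_ip, dst_ip, dst_port):
    """Constructed sample: minimal Ethernet/IPv4/TCP SYN frame (checksums left zero)."""
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0, ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Constructed sample capture: little-endian libpcap global header plus one record per frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample: emulator guest 10.0.2.15 opens two connections to port 10004 and one to 443.
SAMPLE_PCAP = build_pcap([syn_frame("10.0.2.15", "203.0.113.7", 10004),
                          syn_frame("10.0.2.15", "203.0.113.7", 10004),
                          syn_frame("10.0.2.15", "203.0.113.9", 443)])
```

Call tcp_servers(SAMPLE_PCAP), or pass the bytes of apptraffic.pcap read from disk, and most_common() lists the busiest server endpoint first.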