Wednesday, November 14, 2012

Intercepting Android Native Application


Recently, I got the opportunity to do hands-on security testing of an Android native application. This application does not communicate with the internet over HTTP or through the mobile browser. Instead, it communicates with the remote server over TCP on some XYZ port.

In my past Android experience and in the papers I had read on the internet, only interception of browser-based application traffic was covered. Some of the papers mentioned native apps, but those apps ultimately communicated over HTTP. Read here for traffic interception for HTTP-based applications.

Challenge Scenario

The native app works perfectly when no proxy is set up on the emulator and it is connected to the internet over Wi-Fi. The moment I change the APN settings of the Android emulator, the application stops and throws a “Network Error” without any further details.

The Solution

Initially I wanted to capture and modify the traffic as we do for a normal Android web app and then apply web app security test cases. After digging into the problem for quite some time, I came across debugging Android with tcpdump. This allowed me to create a pcap file and then analyze it in Wireshark the way any normal traffic capture is analyzed.

The Steps

Start the Android emulator using emulator.exe, present in /tools/emulator.exe.
Issue the command:

emulator.exe -avd avd_name -tcpdump apptraffic.pcap



This command starts your emulator in a new window and dumps all traffic sent and received to the apptraffic.pcap file.

The file can then be imported into Wireshark for further analysis. Here’s a screenshot:



With careful analysis of the TCP packets you can identify the server IP address and port. To filter the results further and capture only a specific port, use the switch below:

emulator.exe -avd avd_name -tcpdump apptraffic.pcap port 10004
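
Finding the server IP address and port in the capture can also be scripted instead of read off in Wireshark. The following is an added example, not code from the original post: it assumes the capture is a classic libpcap file with Ethernet framing, and the server address 203.0.113.10, the sample capture and the helper names are constructed placeholders.

```python
import socket
import struct
from collections import Counter

def tcp_endpoints(pcap):
    """Count connection attempts (SYN without ACK) per (dst_ip, dst_port)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")  # assumption, see lead-in
    seen, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Keep only IPv4 (EtherType 0x0800) carrying TCP (protocol 6).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip variable-length IP header
        if len(tcp) < 14:
            continue
        # SYN set and ACK clear marks the client side opening a connection.
        if (tcp[13] & 0x12) == 0x02:
            dport = struct.unpack("!H", tcp[2:4])[0]
            seen[(socket.inet_ntoa(frame[30:34]), dport)] += 1
    return seen

def _record(src, dst, sport, dport, flags):
    """Build one constructed pcap record: Ethernet + IPv4 + TCP, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    eth = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

# Constructed sample: the emulator guest (10.0.2.15) opens two connections to a
# placeholder server 203.0.113.10 on port 10004; replies must not be counted.
EMU, SRV = "10.0.2.15", "203.0.113.10"
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _record(EMU, SRV, 40001, 10004, 0x02),  # SYN
    _record(SRV, EMU, 10004, 40001, 0x12),  # SYN/ACK
    _record(EMU, SRV, 40001, 10004, 0x10),  # ACK
    _record(EMU, SRV, 40002, 10004, 0x02),  # second SYN
])

if __name__ == "__main__":
    for (ip, port), n in tcp_endpoints(SAMPLE_PCAP).most_common():
        print(f"{ip}:{port}  {n} connection attempt(s)")
```

To run it against a real capture, pass the file contents, for example `tcp_endpoints(open("apptraffic.pcap", "rb").read())`.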

Happy Reading!!!

6 comments:

  1. But did you try to intercept the request and response for a native application before? That's the challenging part of it. Could you please share the proxy setting and how to intercept the traffic in a native application?

  2. Pls refer below links for intercepting traffic in native apps.. http://hakers.info/site/2011/08/setting-up-proxy-for-android-emulator/#more-89.

    Hope this helps.

    Thanks,
    Nilesh

  3. Hey Nilesh, That is really useful! It works! Amazing! Thanks! Cool mate :) appreciate!

  4. Hey Nilesh, how about an iOS application? I have installed the PortSwigger CA on the iPad, configured the proxy on the iPad to point to the Windows machine's IP address, and edited the proxy listeners – entered ‘port’ as 8080, disabled ‘loopback only’ and selected ‘support invisible’. However, no luck still... any ideas?

  5. Pls refer here.. http://resources.infosecinstitute.com/pentesting-iphone-applications/.. I have tested this and works for me.. Let me know in case you face any issues..

  6. Or you could have always used echo mirage to intercept the traffic in real time.
