Applications which uses HTTPS traffic and rely on device's trusted credentialsĪpplications like Instagram uses HTTPS to communicate with the server however they rely on the device's trusted credentials.To intercept the traffic you only have to point the wifi proxy settings of the device/emulator to the laptop where Burp/Zap proxy is running. This is the simplest Android application which you may come across. A much more detailed article can be found here > My Blog The article also contains videos which you can refer to. On pen-testing an android application you may come across four different scenarios. You are unable to intercept Facebook traffic because it uses SSL pinning.
(Of course, I can always use Wireshark, but it wouldn't be able to MiTM the requests and responsees the way ZAP or Burp does.)Īfter "Google-ing" like a madman, I finally found that Android doesn't have a support for global proxy (which works for, both browser AND apps). I haven't done a lot of pen-tests before so, I guess I lack experience. I don't understand why this is happening. However, I can browser the internet from my browser on the emulator. I can intercept the traffic from Guardian but Pocket and Facebook are unable to connect to internet (so is my app). So I installed Facebook, Pocket and Guardian (news) apps from the app store into the emulator and tried intercepting their traffic. My next line of thought was: May be this app is damaged. Still, I'm not able to intercept the traffic. So I followed some instructions here and I managed to get my ZAP's cert on my device. Of course, Android >= ICS versions have their cert names hashed using OpenSSL. So I exported the OWASP ZAP's certificate and pushed it on the android emulator. Well, may be my app uses https and I thought I had some certificate problem.
I'm able to intercept the traffic from the browser but not from the app. I installed the app on an emulator and started the emulator with a http-proxy pointing to a local port. I want to capture all the traffic from an Android app for its pen-testing.
0 kommentar(er)
