v1.
MODULE 9
eLearnSecurity © 2014
9. Android Network Analysis
HOME PARENT REFERENCES VIDEO
In this section, we will take a look at how to
configure Android emulated and physical devices to
intercept their network traffic. As you will no doubt
see, depending on the device you want to monitor,
different tools and configurations will be necessary.
9.1. Traffic Sniffing
To sniff the device's traffic we can use a few different techniques, which vary with the device under test (emulator or physical device). For an emulated device, sniffing is simple: the emulator's virtual network is NATed through the host, so every packet it sends leaves through the host's own network interface (with the host's IP address), and any sniffer running on the host will see it.
Here, for example, by running Wireshark on our primary interface we are able to sniff all traffic the device generates:
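As an added example (not part of the original module), the following Python script does offline what the Wireshark screenshot shows interactively: it walks a libpcap file, pulls out the IPv4/TCP segments and reports the request line, Host and User-Agent of every HTTP request it finds, which is exactly how the blog.elearnsecurity.com request and the "Android 4.2.2 / Desire HD" fingerprint are recovered from a capture. It reads a capture written by Wireshark or tcpdump on the host, or one written by the emulator itself with `emulator -avd <DeviceName> -tcpdump <file.pcap>`; in the latter case the guest appears under its own address 10.0.2.15 instead of the host's. The embedded capture is constructed inline for the demo and is not a real recording.

```python
"""Pull HTTP request metadata out of a libpcap capture of emulator or device traffic.
Added example; the embedded capture is constructed for the demo, not a real recording."""
import struct
import sys

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"}
LINKTYPE_ETHERNET = 1      # Wireshark/tcpdump on a host NIC, emulator -tcpdump
LINKTYPE_RAW = 101         # raw IP frames, e.g. from a tun interface


def build_sample_pcap() -> bytes:
    """One Ethernet/IPv4/TCP segment from the emulator's usual guest address 10.0.2.15
    carrying an HTTP GET, wrapped in a libpcap file (constructed, not captured)."""
    http = (b"GET / HTTP/1.1\r\n"
            b"Host: blog.elearnsecurity.com\r\n"
            b"User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; Desire HD Build/JDQ39) "
            b"AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\r\n"
            b"Connection: keep-alive\r\n\r\n")
    # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4 header: version/IHL, TOS, total length, id, flags, TTL, protocol TCP, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 2, 15]), bytes([203, 0, 113, 10]))
    eth = bytes.fromhex("525400123456") + bytes.fromhex("525400123502") + b"\x08\x00"
    frame = eth + ip + tcp + http
    # libpcap global header (little-endian magic) followed by a single record
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 1400000000, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def iter_packets(data: bytes):
    """Yield (linktype, frame) for each record of a classic libpcap file (not pcapng)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(end + "I", data, 20)
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, offset)
        offset += 16
        yield linktype, data[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(linktype: int, frame: bytes):
    """Return (src_ip, dst_ip, dst_port, payload) for an IPv4/TCP frame, else None."""
    if linktype == LINKTYPE_ETHERNET:
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # EtherType IPv4 only
            return None
        ip = frame[14:]
    elif linktype == LINKTYPE_RAW:
        ip = frame
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:       # IPv4 carrying TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    dport = struct.unpack_from("!H", tcp, 2)[0]
    data_off = (tcp[12] >> 4) * 4
    return src, dst, dport, tcp[data_off:]


def http_requests(pcap: bytes):
    """Return one dict per HTTP request whose head is complete within a single segment."""
    found = []
    for linktype, frame in iter_packets(pcap):
        parsed = tcp_payload(linktype, frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        head, sep, _body = payload.partition(b"\r\n\r\n")
        if not sep:
            continue                                   # not HTTP, or head split across segments
        lines = head.split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/"):
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        found.append({"src": src, "dst": dst, "dst_port": dport,
                      "method": parts[0].decode("ascii"), "target": parts[1].decode("latin-1"),
                      "host": headers.get("host", ""), "user_agent": headers.get("user-agent", "")})
    return found


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for r in http_requests(data):
        print(f"{r['src']} -> {r['host']}:{r['dst_port']} {r['method']} {r['target']}  UA={r['user_agent']}")
```

Run it with the path to a .pcap as its only argument; without arguments it parses the constructed sample. Requests whose headers are split across several TCP segments are skipped rather than reassembled, which is fine for triage but worth knowing before trusting a "no HTTP seen" result.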
Sniffing the traffic of a physical device is a bit more difficult. We cannot just run Wireshark on our machine; we have to put ourselves on the network path between the device and the Internet. For example, we can create an access point, connect the device to it and analyze the traffic there, or we can run a MitM attack (such as ARP spoofing) on the existing network and inspect the traffic that way.
In the following example, we create a Wi-Fi hotspot on our machine to share our Internet connection. Once the attached device generates traffic, we can intercept and sniff it.
The following screenshot shows how easy it is to sniff the traffic generated by a physical device by running Wireshark on the interface that shares its Internet connection with the device.
We can see that the physical device is requesting the page blog.elearnsecurity.com and, from the User-Agent header of the request, that it appears to be a Desire HD running Android 4.2.2.
With this configuration we capture all incoming and outgoing device traffic, so we see Browser traffic as well as that of any other application. Note, however, that for encrypted connections a sniffer alone shows only metadata (addresses, hostnames, TLS handshakes); to read HTTPS contents we need the proxy set-ups described in the following sections.
9.2. Proxying emulators and actual devices
To use a proxy with our device, we need to set up a
proxy server that will intercept and handle the
traffic. You should note there are some limitations
depending on whether we are using a physical or
an emulated device.
First, let us try to configure the emulated device.
When we run the emulator there are many options and configurations we can set. One that is useful for proxying Browser traffic is the -http-proxy option. Be aware that it only catches traffic from applications that honour the emulator's HTTP proxy setting, the Browser first of all; apps that ignore the proxy setting, or that open their own sockets, will not go through it.
In order to start the emulator with the -http-proxy option, open a new command line and launch your emulated device with the following command:
>> emulator -avd <DeviceName> -http-proxy <ip_add>:<port>
where:
• DeviceName is the name of the emulated device (the AVD)
• ip_add is the address of the proxy server
• port is the port where the proxy is listening
Do not forget to start the proxy server before running the command! In our case we will use Burp Suite to intercept the traffic, so we have to configure Burp Proxy as below:
This configuration binds the proxy listener to port 8080 on all interfaces. Note that the Running checkbox is selected (otherwise the proxy listener is not active). Once the proxy is running, we can execute the following command:
WARNING: do not use the loopback interface for the proxy! If it is set to 127.0.0.1 the emulator will not use the host machine as proxy, because inside the emulator 127.0.0.1 is the emulator itself; use the host's network address instead.
With the previous command we started a new emulator in which all traffic we generate with the Browser app is intercepted by Burp Proxy.
Note that we can also set a proxy from inside the emulator by opening Settings -> More (Wireless & Networks) -> Mobile networks -> Access Point Names, selecting the access point and filling in its Proxy and Port fields.
With this configuration we are able to intercept, modify and review Browser traffic. Remember, though, that while we can inspect all Browser traffic, we are still unable to intercept the communication of other applications.
This happens because almost all applications use SSL/TLS, and our proxy's certificate is not trusted by the device: the proxy terminates the TLS connection and presents a certificate signed by its own CA, which is not in the device's trust store. The Browser shows a warning that lets us view the certificate and continue anyway; applications have no such dialog, their TLS library rejects the untrusted certificate during the handshake, and the connection is dropped by default.
Since this is a common problem for both emulated
and physical devices, we will show you later how to
install a custom certificate and configure your proxy
to intercept and inspect SSL (and application)
traffic.
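To make the difference between Browser and application traffic concrete, here is an added Python example (not from the original module) that parses the two kinds of request a device sends to Burp or ZAP. A plain request arrives as `GET http://host/path` and is fully readable, cookies included; an HTTPS request arrives as `CONNECT host:443`, after which the proxy sees only TLS records, and the most it can recover without terminating TLS is the server name from the ClientHello's SNI extension. To see more, the proxy has to present its own certificate, which the Browser lets the user accept and applications reject. The request bytes, the cookie value and the ClientHello are constructed for the demo.

```python
"""What an HTTP proxy (Burp, ZAP) sees from a device that trusts no proxy CA.
Added example; the request bytes and the ClientHello are constructed, not captured."""
import struct

# Constructed samples of the two request shapes a device sends to a configured proxy.
PLAIN_REQUEST = (b"GET http://blog.elearnsecurity.com/ HTTP/1.1\r\n"
                 b"Host: blog.elearnsecurity.com\r\n"
                 b"Cookie: session=abc123\r\n\r\n")
CONNECT_REQUEST = (b"CONNECT api.example.com:443 HTTP/1.1\r\n"
                   b"Host: api.example.com:443\r\n\r\n")


def parse_proxy_request(raw: bytes) -> dict:
    """Classify a proxy request: 'plain' HTTP is fully visible; a 'tunnel' (CONNECT)
    only tells the proxy which host:port the device wants to reach over TLS."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if method == b"CONNECT":
        host, _, port = target.decode("latin-1").rpartition(":")
        return {"kind": "tunnel", "host": host, "port": int(port), "headers": headers}
    return {"kind": "plain", "method": method.decode("ascii"),
            "url": target.decode("latin-1"), "headers": headers, "body": body}


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS 1.2 ClientHello record with a single SNI extension: the first
    thing the device sends into the tunnel once the proxy has answered 200."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name (0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32      # client_version, 32-byte random (fixed for the demo)
            + b"\x00"                       # session_id: empty
            + b"\x00\x02\xc0\x2f"           # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
            + b"\x01\x00"                   # compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(record: bytes):
    """Return the server_name from a ClientHello record, or None. Without a trusted CA
    this hostname is the only application-layer fact a proxy or sniffer learns."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    body = record[9:]                                   # skip record + handshake headers
    pos = 34                                            # client_version + random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos + 2 > len(body):
        return None                                     # no extensions block at all
    ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 0x0000:
            list_len = struct.unpack_from("!H", body, pos)[0]
            entry = body[pos + 2:pos + 2 + list_len]
            if entry and entry[0] == 0:
                name_len = struct.unpack_from("!H", entry, 1)[0]
                return entry[3:3 + name_len].decode("ascii")
        pos += ext_len
    return None


if __name__ == "__main__":
    print(parse_proxy_request(PLAIN_REQUEST))
    tunnel = parse_proxy_request(CONNECT_REQUEST)
    print(tunnel, "SNI:", sni_from_client_hello(build_client_hello(tunnel["host"])))
```

The same asymmetry explains the Wireshark results in 9.1: the sniffer sees hostnames and handshakes for HTTPS, but the request and response bodies only once the proxy holds a CA the device trusts.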
In a similar way, we can set proxy configurations for physical devices; this works like the emulator's -http-proxy option, with the same limitations.
To set the proxy options, open Settings -> Wi-Fi, long-press your Wi-Fi network and select Modify Network. Once there, tick 'Show advanced options' and enter the proxy configuration.
In our case the proxy server is still Burp Suite, set to listen on all interfaces on port 8080.
As we can see in the following screenshot, we are able to intercept traffic generated by the Browser app.
Once again, none of the traffic generated by other applications is intercepted, and the Browser app still asks us to accept the proxy's certificate for HTTPS traffic.
9.3. Intercept Applications and SSL traffic
We are, of course, still unable to intercept application traffic: TLS connections fail because the certificate presented by the proxy does not chain to a CA the device trusts.
What we need to do is create a CA certificate, install it on the device and configure our proxy to sign the certificates it generates with it.
Note: the following process works in Windows or Linux.
Beginning with Android ICS (Ice Cream Sandwich, 4.0) we can install user certificates quickly: copy the certificate file to the SD card and install it via Settings -> Security -> Install from SD card. The certificate lands in the user trust store, which on these Android versions is trusted by all applications. (On Android 7.0 and later, apps targeting API level 24 or higher no longer trust user-added CAs by default, so the same technique needs a rooted device, a test build of the app or a network security configuration that opts in.)
The proxy must sign the per-host certificates it generates with the same CA we install on the device, otherwise the device will still reject them and we cannot decrypt the traffic.
The easiest way to do this is to use the OWASP open source proxy ZAP (Zed Attack Proxy), which generates a root CA on first run.
When we run ZAP for the first time, we are prompted with a dialog that asks if we want to generate a root CA certificate. By clicking Generate we are prompted with the following window:
Click Generate and then Save. This allows us to export the certificate that we are going to install on the device.
Now that a custom CA certificate has been created (ZAP will use it to sign the certificates it presents for SSL connections), we can copy it to the device's SD card. (If we are using an emulator as our target, we can put it on the SD card by running the following command: )
Now that the certificate has been stored on the device, we can open Settings and install it.
The last step is to configure the proxy address in ZAP and on the emulator. To edit the ZAP address, open Tools in the top menu, select Options and then Local Proxy.
After that, we have to configure the proxy settings on the emulated device (or run the emulator with the -http-proxy option).
As we can see in the following screenshots, with these settings we are now able to open and navigate HTTPS websites without the Browser showing a pop-up about the certificate:
Also, and more importantly, ALL traffic will be intercepted by ZAP:
Note that if we want to hold every request and response in ZAP before it is forwarded, we can enable these two toolbar options:
• set break on all requests
• set break on all responses
The most interesting part of these changes is that we are now able to intercept all application traffic. Run one of the apps that did not work previously and verify that it communicates through the proxy sitting between the app and its servers.
As we can see in the following screenshots, applications like Dropbox and Evernote are now working through our proxy.
Indeed, in our proxy we can see all of their requests and responses in cleartext:
Now that we know how to configure the proxy and the emulator, let us see how to do the same with a physical device. We still have to start by copying the .crt certificate file to the device and installing it.
Note that the device must be able to reach the proxy, which normally means that device and proxy are on the same Wi-Fi network. If the proxy runs inside a virtual machine, give the VM a bridged network adapter: with the default NAT networking the device cannot connect to the proxy's address at all.
The next step is to configure the proxy address and port on the device: open the Wi-Fi options and set the address info.
Just like with the emulator, we can now browse HTTPS websites and use applications as usual while the proxy intercepts all the traffic:
Here is an example: we can see once again that the proxy is intercepting all communications:
9.3.1. Intercept with Rooted device and ProxyDroid
In the upcoming slides we will see another way to intercept all traffic (Browser and applications) from physical devices. We will use the application ProxyDroid on a rooted device, and on our machine we will configure Burp Proxy again. ProxyDroid needs root because it uses iptables to redirect the device's TCP traffic to the proxy, so even apps that ignore the system proxy setting are covered.
The first thing to do is configure the Burp Proxy address and port and then export its certificate. To export the certificate, review this guide.
In our case, the proxy is set to listen on the address 192.168.3.22, port 8080.
Since we want to intercept SSL traffic too, we have to download and install the Burp root CA certificate on the device.
To download the certificate, start a browser on our machine (we are going to use Firefox), point its proxy settings at Burp and load any HTTPS page. Firefox will show its certificate warning page, from which we can inspect and export the Burp certificate.
1) Configure the Firefox proxy
Set the proxy configuration in Firefox. The address and the port must be the same as the ones set in Burp Proxy.
2) Load an HTTPS address
Load any HTTPS address to get the SSL warning dialog in Firefox. Click "I Understand the Risks" and then "Add Exception".
3) View certificate details
In the new window, click "Get Certificate" and then "View".
4) Export the root CA certificate
Now switch to the "Details" tab, select the root element in the top pane and click "Export" to save the certificate to your machine.
Now that you have successfully exported the certificate, you need to install it on the device. You could send it via email, use a document-sharing app, host it on a web server, upload it to the SD card... there are lots of ways.
In the following slides, we uploaded the certificate to our web server and then navigated to its address from the device.
5) Browse to and install the certificate
When we browse to the remote address where the certificate is stored, we are prompted to give it a name before it is stored and installed.
6) Configure ProxyDroid
Now that the root certificate has been installed, start ProxyDroid and configure the proxy address and port that you set in Burp Proxy. Leave the Proxy Type as HTTP.
7) Start the proxy
We can now start the proxy by switching the button from off to on.
If everything has been set up correctly, we should now be able to intercept all traffic (SSL too) in Burp Proxy. Note that this works for all applications, because the redirection happens at the network layer instead of relying on each app's proxy support.
With these settings you now have the ability to perform network security tests and verify how applications work, see what data they transmit and manipulate parameters. Of course, this will help you in your search for possible vulnerabilities.
Many apps are essentially browser-based web applications, or talk to the same kind of HTTP back end. From this point forward our tests will be very similar to web application pentests, meaning that we can focus on attacks like cross-site scripting, SQL injection, session and authentication handling, parameter manipulation, HTML5 attacks and so on.
http://seclists.org/fulldisclosure/2013/Jul/223
VIDEO: Android Network Analysis
References
• HTTP-Proxy
• Burp Proxy
• Zed Attack Proxy
• ProxyDroid
• Burp: Installing CA Certificates
• WhatsApp Phishing