Beginner Android Penetration Testing

Traffic Analysis

Task 1 Traffic Analysis - The Man-in-the-Middle

Introduction

Most apps talk to a backend server. If we route the app's traffic through a proxy we control, we can read and modify everything it sends and receives: a Man-in-the-Middle (MitM) position. We will use Burp Suite as that proxy.

Prerequisite

  • Emulator configured to send its traffic through Burp's proxy listener (from Room 2).
  • Burp Suite running with "Support invisible proxying" enabled on that listener (Settings -> Tools -> Proxy -> Proxy listeners -> Edit -> Request handling). Invisible mode is only needed for apps that ignore the system proxy setting and open a socket straight to the server; a proxy-aware app works without it.

Practical Tasks

Task 1: Intercepting HTTP Traffic

  1. In Burp, go to the Proxy -> Intercept tab and ensure Intercept is OFF.
  2. Go to your emulator, open a vulnerable app like InsecureBankv2, and try to log in with any credentials.
  3. Go back to Burp. Click on the HTTP history tab.
  4. Your Mission: Find the request that carries the login attempt. It will most likely be a POST to a path such as /login, with the username and password readable in the request body. InsecureBankv2 sends them over plain HTTP, so they are just as readable to anyone else on the network path, not only to our proxy.

Task 2: Intercepting and Modifying HTTPS Traffic

  1. Enable Intercept in Burp (Intercept is on).
  2. In the app, try to log in again.
  3. The request will appear in Burp. Press Forward a few times.
  4. Problem: For an app that uses HTTPS you may instead get a certificate error (in the app, or as a failed TLS negotiation in Burp's event log) and no request in Burp. Burp terminates TLS with a certificate signed by its own CA, which the emulator does not trust yet. Installing Burp's CA certificate on the emulator fixes this.
  5. Solution:
    • In Burp, go to Proxy -> Options -> Import / export CA certificate -> Export -> Certificate in DER format (in recent versions: Settings -> Tools -> Proxy -> Proxy listeners -> Import / export CA certificate). Save it as cacert.der. Alternatively, with the emulator's browser proxied through Burp, open http://burp and click "CA Certificate" to download the same file.
    • Rename it to cacert.cer so Android's certificate installer recognizes it.
    • Push it to your emulator: adb push cacert.cer /sdcard/
    • On the emulator, go to Settings -> Security -> Install from SD card (on newer Android: Settings -> Security -> Encryption & credentials -> Install a certificate -> CA certificate). Select the file, name it "Burp", and choose "VPN and apps" as the credential use.
    • Intercepted HTTPS traffic will now work for apps that trust the user certificate store.
  6. Caveat: since Android 7 (API 24), an app targeting API 24 or higher does not trust user-installed CAs unless its network_security_config opts in. For such apps, put Burp's CA in the system store instead (a rooted or writable-system emulator is needed; the file goes under /system/etc/security/cacerts/ in PEM format, named <subject_hash_old>.0), or repackage the app with a network_security_config that trusts user certificates. An app that pins the server certificate will still refuse the connection; pinning bypass is a separate topic.
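Here is an added example for the system-store route (the one needed for apps targeting API 24 or higher). It is not part of the original room: it computes the file name Android expects for a CA in /system/etc/security/cacerts and prints the adb commands that put Burp's CA there. It assumes Burp's CA was exported as cacert.der, that the emulator accepts `adb root` (a Google APIs image rather than a Google Play one), and that the split at API 29 (read-only /system from Android 10) matches your image; the certificate embedded in the script is a constructed stand-in, not a certificate Burp produced.

```python
"""Added example (not from the original room): work out the file name Android's
system trust store uses for a CA certificate and print the adb commands that
install Burp's CA there.

Android stores each system CA as /system/etc/security/cacerts/<hash>.0, where
<hash> is OpenSSL's legacy subject hash (openssl x509 -subject_hash_old): the
first four bytes of MD5(DER-encoded Subject name), read little-endian, as eight
hex digits. Reimplemented here with the standard library so it runs offline.
Usage on a real export:  python3 burp_ca_install.py cacert.der 30
"""
import hashlib
import sys


def der_read(buf, pos):
    """Parse the DER header at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, tlv_start, content_start, content_end) for each child TLV."""
    pos = start
    while pos < end:
        tag, cstart, cend = der_read(buf, pos)
        yield tag, pos, cstart, cend
        pos = cend


def extract_subject_der(cert):
    """Return the Subject Name's DER bytes, header included, as OpenSSL hashes them."""
    tag, start, end = der_read(cert, 0)                  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not DER (convert PEM first: openssl x509 -outform DER)")
    _, tbs_start, tbs_end = der_read(cert, start)        # tbsCertificate ::= SEQUENCE
    fields = list(der_children(cert, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, tlv_start, _, cend = fields[4]
    return cert[tlv_start:cend]


def hash_name_from_subject(subject_der):
    return "%08x" % int.from_bytes(hashlib.md5(subject_der).digest()[:4], "little")


def subject_hash_old(cert):
    return hash_name_from_subject(extract_subject_der(cert))


def install_commands(pem_path, hash_name, api_level):
    """adb commands for an emulator that accepts `adb root` (Google APIs image)."""
    dst = "/system/etc/security/cacerts/%s.0" % hash_name
    if api_level < 29:
        # /system can be remounted read-write (start the emulator with -writable-system)
        return ["adb root", "adb remount", "adb push %s %s" % (pem_path, dst),
                "adb shell chmod 644 %s" % dst, "adb reboot"]
    # API 29+: /system is read-only; overlay a tmpfs on the cacerts directory,
    # copy the stock CAs back in and add ours. Not persistent: redo after each reboot.
    cacerts = "/system/etc/security/cacerts"
    return [
        "adb root",
        'adb shell "mkdir -p -m 700 /data/local/tmp/cacerts && cp %s/* /data/local/tmp/cacerts/"' % cacerts,
        'adb shell "mount -t tmpfs tmpfs %s"' % cacerts,
        'adb shell "cp /data/local/tmp/cacerts/* %s/"' % cacerts,
        "adb push %s %s" % (pem_path, dst),
        'adb shell "chown root:root %s/* && chmod 644 %s/* && chcon u:object_r:system_file:s0 %s/*"' % (cacerts, cacerts, cacerts),
    ]


# --- constructed sample certificate (unsigned stand-in; not a Burp export) ---------
def der(tag, payload):
    """Minimal DER encoder used only to build the sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def name_cn(cn):
    """Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), PrintableString }"""
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn))))


SHA256_RSA = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
SAMPLE_SUBJECT = name_cn(b"PortSwigger CA")
SAMPLE_CERT = der(0x30,
    der(0x30,                                                   # tbsCertificate
        der(0xA0, der(0x02, b"\x02"))                           # version v3
        + der(0x02, b"\x01")                                    # serialNumber
        + SHA256_RSA                                            # signature algorithm
        + name_cn(b"Issuer CA")                                 # issuer (differs from subject on purpose)
        + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))  # validity
        + SAMPLE_SUBJECT                                        # subject
        + der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")) + der(0x03, b"\x00" * 9)))  # dummy SPKI
    + SHA256_RSA + der(0x03, b"\x00" * 9))                      # dummy signature


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            cert, api = f.read(), int(sys.argv[2])
    else:                                                       # no arguments: run on the sample
        cert, api = SAMPLE_CERT, 30
    name = subject_hash_old(cert)
    print("# system store file name: %s.0" % name)
    print("openssl x509 -inform DER -in cacert.der -out burp.pem   # system store wants PEM")
    print("\n".join(install_commands("burp.pem", name, api)))
```

Run it with no arguments to see the commands for the sample, or with your real cacert.der and the emulator's API level. Cross-check the name against `openssl x509 -inform DER -in cacert.der -subject_hash_old -noout` before pushing. The tmpfs overlay is the only route that works without a writable system image, but it vanishes on reboot, and on Android 14 the system CAs moved into the Conscrypt APEX module, where this directory is no longer the one apps read.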

Task 3: Modifying a Response to Bypass a Login

  1. Find an app with a "Pro" or "Premium" feature whose availability the app decides from a server response.
  2. Intercept the response from the server: in Proxy -> Intercept, with the request held, right-click it and choose Do intercept -> Response to this request, then press Forward.
  3. Your Mission: Find a parameter like "is_premium": false and change it to "is_premium": true before forwarding the response to the app.
  4. Observe whether the app unlocks the premium features. If it does, the entitlement is enforced on the client. Then watch the premium-only requests that follow: if the server rejects them, you have found a client-side-only check (still worth reporting, since the UI and any locally cached data are exposed), but a real escalation needs the server to trust the client's claim as well.

Summary

  • HTTP traffic is trivially intercepted and readable, by a proxy or by anyone on the network path.
  • HTTPS can be intercepted after installing Burp's CA certificate: into the user store for apps that trust it, into the system store for the rest.
  • By modifying requests and responses, you can bypass client-side checks, test whether the server enforces authorization, and probe for injection flaws.