Chapter 4: Traffic Analysis on Android Devices
Author: Aditya Gupta Translator: Protocol Here is the revised content with the keyword âAndroid network trafficâ integrated: In our recent analysis, we explored the complexities involved in monitoring Android network traffic. Understanding how applications communicate over networks is crucial for both developers and security researchers. Our examination revealed various tools and methodologies that can be used to capture and analyze this traffic effectively on Android devices.
In this chapter, we will study the network traffic of Android devices and analyze the traffic data of both the platform and applications. Applications often leak sensitive information in their network data, which is one of the most critical tasks in a penetration testing program. Additionally, you will frequently encounter applications that perform authentication and session management over insecure network protocols. Therefore, in this chapter, we will learn how to intercept and analyze the traffic of various applications on Android devices.
4.1 Android Traffic Interception
According to OWASP Mobile Top 10, inadequate transport layer protection is the third major threat. Imagine an application submitting a userâs login credentials to the server over HTTP. What happens if the user logs into their application while at a coffee shop or airport and someone is sniffing the network? The attacker could obtain the complete login credentials of a specific user, which could be used for malicious purposes later. Assume the application is authenticating over HTTPS, managing sessions over HTTP, and passing authentication cookies in the request. In this scenario, the attacker could also obtain these authentication cookies by intercepting the network during a man-in-the-middle attack. Using these authentication cookies, they can log in directly as the victim user into the application.
4.2 Methods of Traffic Analysis
There are two different methods for capturing and analyzing traffic in any situation. We will explore two different types of methods possible in the Android environment and how to perform them in real scenarios. Passive and active analysis are as follows:
Passive Analysis
The concept of passive analysis is to save all network information to a specific file, which is later viewed using a packet analyzer. This is how we will perform passive analysis on Android devices. We will use a specific tool to save all the information to a location on the device. After that, we will pull the file into our system and then analyze it using Wireshark or Cocoa packet analyzer. Follow these steps:
We download a pre-compiled binary for ARM from Timur Alperovichâs website. If needed, we can also download the original binary and cross-compile it (for cross-compiling your binary for Android, follow the link. The link shows cross-compiling BusyBox, but the same steps can be applied).
Once downloaded, we can verify itâs compiled for ARM by executing a command on the binary we just downloaded. For Windows users, Cygwin can be used to execute Linux commands. The output will look like the one in the screenshot shown below:
The next step is to push the binary file to a location on the device. We must also remember that we need to continue executing this file. Therefore, we will push it to a location where we can change permissions on it and execute the binary to capture traffic.
Continue by using a command to push the binary to the device. Similarly, if we need to pull content from the device, we can use another command instead.
Here, we will use another command to push it to the following location on the Android device:
Once we push the binary to the device, we need to access the device using a shell command and change the binaryâs permissions. If we try to run it, it will give us a permission error because we lack execution permissions.
To change permissions, we access using a command and grant it permissions, which means the application will have all permissions. The following screenshot shows the output result of the command mentioned above:
The final step here is to start and write the output to a file. Use flags like this to start. Refer to the description below:
During the traffic interception execution, open the mobile browser and access the vulnerable login form located here, which sends all data over HTTP using a GET request:
Log into the application here using a username and password.
We can stop the process with a service at any time (using another command). The next step is to pull the captured information from the device to our system. For this, we will use the following command:
You may also need to change the permission to pull it. Simply execute the following command in that case:
Once we have downloaded the captured network dataâs .pcap file, we can open it in Wireshark and analyze the traffic. Here, we will try to find the login request we captured. Wireshark can be downloaded from the website. Once downloaded and installed, open Wireshark and open our newly pulled file through it by following:
Once we open the file in Wireshark, we will notice an interface similar to the one shown in the screenshot below:
Wireshark is an open-source packet analyzer that helps us discover sensitive information and analyze traffic data from all network connections. Here, we are searching for the requests we made to the and inputted our login credentials.
Now, access and click. Here, we need to trace the website where we submitted our login credentials and inspect it.
Here, we can observe connections with. If we look for more information about this packet in the bottom pane, we can see the request URL containing the username and password we entered.
Thus, we successfully captured network data, stored it in a file, and then analyzed it using Wireshark. However, passive traffic capture can also be done directly.
Here, represents interfaces. In this case, it captures data from all available interfaces. Specify not to put the device in promiscuous mode (this is a mode often used during sniffing attacks and is unsuitable for the mode we are currently using). When starting the emulator using flags, we can specify this too. We also need to use a flag to specify the AVD name where traffic should be captured.
Active Analysis
The basic rule of active analysis is to make every request and response pass through an intermediary device we define. In this case, we will set up a proxy and make all requests and responses pass through that specific proxy. Additionally, we can opt to manipulate and modify packets in requests and responses to assess an applicationâs security:
To create an HTTP proxy, use the specified proxy IP and port, along with flags, to start the emulator. Since we run the emulator on the same system, we use IP and any available port. In this case, we use port 8080.
On the device, we can also access and long-press the Wi-Fi network we are connected to. Moreover, if using an actual device, the system we use for interception should be in the same network.
Once we long-press the Wi-Fi connection, we will get a screen similar to the one shown in the screenshot below. Furthermore, if you execute this exercise on a real device, the device must be in the same network as the proxy.
Upon entering the connection modification screen, please note that the proxy configuration will ask for the IP address of the device on the network and the port of the proxy system.
However, these settings only exist in the latest versions of Android from 4.0 onwards. If we need to implement a proxy on devices less than 4.0, we will have to install third-party applications like ProxyDroid available on the Play Store.
5. Once we set up the proxy on the device/emulator, proceed to start the Burp proxy to intercept traffic. The Burp proxy tab looks like this to effectively intercept traffic from browsers and applications:
6. We also need to examine invisible proxies to ensure our proxy captures non-proxy requests as well. (Readers can learn more about invisible proxies and non-proxy requests on Burpâs website.)
As seen in the screenshot above, we accessed a URL, and the request now appears on the Burp Proxy screen. Hence, we successfully intercepted all HTTP-based requests from the device and applications.
4.3 HTTPS Proxy Interception
The methods mentioned above work fine for intercepting traffic from applications and browsers over the HTTP protocol. In HTTPS, due to certificate mismatches, we will receive errors. As a result, we cannot intercept the traffic.
However, to overcome this challenge, we need to create our own certificate or use Burp/PortSwigger and install it on the device. To create our own certificate, we need to set up a proxy in Firefox (or any other browser or global proxy):
To set up a proxy in Firefox, access as shown (on Mac), then navigate to the tabs. Under the tabs, click options.
On the tab, we need to click configure proxy settings for Firefox.
Once done, accessing HTTPS websites on our systemâs browser will allow us to intercept traffic from our devices. Here, we will receive a message. Click, then.
Then click, finally click, then click to save the certificate.
Once the certificate is saved on our system, we can now push it to our device using another command.
Now, on our device, visit under the category, we can find it. Once here, note that you can install a certificate from the SD card. Click it to save a certificate with the given name, applicable to all applications and browsers, even HTTPS sites.
To confirm, return to our browser and open HTTPS sites (e.g.,). As seen in the screenshot below, we have successfully intercepted communication in this case as well:
Other Methods for Intercepting SSL Traffic
There are other methods for SSL traffic interception, as well as different methods to install certificates on a device.
One alternative method is to pull the file from the Android deviceâs location. Once pulled, we can generate a certificate using key tools and Bouncy Castle (located in the Java installation directory). If you cannot find Bouncy Castle in the Java installation directory, you may download it and place it in a known path. Afterward, we need to mount the partition as a read/write partition to push the updated certificate back to the device. However, to make such changes permanently effective, if using an emulator, weâll need to create a new one and use it.
Moreover, there are other tools available for intercepting traffic on Android devices, such as Charles Proxy and MITMProxy. I highly encourage trying them based on Burp proxy knowledge, as they offer similar usability but are more robust. When using Charles Proxy, certificates can be directly downloaded from their website.
In some penetration tests, applications may communicate with servers and receive responses. For instance, assume a user attempts to access a restricted area of the application. The application makes a request from the server on behalf of the user. However, since the user is unauthorized to view that area, the server responds using. Now, as penetration testers, we can intercept the traffic and modify the response from to. Consequently, the user can now even access unauthorized areas of the application. Examples of modifying similar responses can be found in Chapter 8, âARM Exploitation,â where weâll discuss some other vulnerabilities that traffic interception can exploit.
Within an application, a secure way to protect traffic is to have everything transmitted over HTTPS while embedding a certificate within the application. Doing this means that when the application tries to communicate with the server, it will verify if the serverâs certificate corresponds with the one present in the application. However, if someone is performing a penetration test and intercepting traffic, the new certificate, added by the penetration tester to the device (like the portswigger certificate), will not match the one present in the application. In these cases, we must reverse-engineer the application and analyze how it verifies the certificate. We may even need to modify and recompile the application.
4.4 Extracting Sensitive Files Using Packet Capture
Now letâs see how to extract sensitive files from traffic data using Wireshark. To do this, we can capture packets and load them into Wireshark for analysis.
The basic concept of extracting files from network captures is that they contain headers for specified file types (). The following steps outline how to extract any type of file from network traffic captures:
Conclusion
In this chapter, we understood various methods for conducting traffic analysis on Android devices. We also proceeded to intercept HTTP and HTTPS traffic data from applications and browsers. Additionally, we saw how to extract sensitive files from network captures.
In the next chapter, we will introduce Android forensics and use both manual methods and tools to extract sensitive information from Android devices.
https://cloud.tencent.com/developer/article/2182911
â`