Intercepting Android traffic using OWASP ZAP
Posted on: Jan 25, 2016
Notice: This post is 8 years old, thus it could contain old or incorrect information.
When testing application security, a pentester sometimes needs to analyze the network connections an application makes: which APIs it uses, what data it transfers over the web and whether it uses HTTPS.
In this post I want to cover the configuration of the proxy connection; if you don't know how to use ZAP, read the OWASP ZAP page.
If you want to use Charles Proxy, read Intercepting Android traffic using Charles.
If you want deeper packet inspection, you can:
- set your PC up as a WiFi hotspot and run Wireshark
- ARP-poison your device and run Wireshark
- play with BetterCap
Requirements
- OWASP ZAP installed on your PC
- Genymotion/Android emulator (if you want to emulate the app)
- An Android device
Configuring OWASP ZAP
- Fire up ZAP, create your session and context if you want. Now export the OWASP ZAP root certificate.
- Go to Tools > Options > Dynamic SSL Certificates > Save and save the certificate to a file.
  When ZAP first starts up, it generates a certificate valid for one year. You can also generate a new one from the Dynamic SSL Certificates section.
- Transfer the certificate to the Android device with
  adb push owasp_zap_root_ca.cer /sdcard/
  In Genymotion you can also drag and drop the cert file onto the emulator.
- On your phone, install the certificate from Settings -> WiFi -> Advanced -> Install Certificate, select your file and install it.
  Since the certificate is not trusted and we are MiTM-ing the connection, a notification will pop up saying: "Network may be monitored by an unknown third party".
  It's ok, the cert is working :D
  Remember to remove the cert when you finish your proxy session.
- If you are using Genymotion, ignore this step.
  Now we need to tell ZAP to listen to all the devices in the LAN. By default ZAP listens only on localhost:8080, so it's visible only on our PC.
  Go to Tools > Options > Local Proxy and type in your local IP address (something like 192.168.1.2 ...you know).
Configuring Android
Now you have 3 choices:
- If your target app doesn't follow the HTTP_PROXY rule on Android and you have root, you can use ProxyDroid
- If you don't have an Android device or you don't want to install the target app, you can use Genymotion
- If you can install your app and it follows the HTTP_PROXY rule, or it has a proxy setting, or you target a mobile website, you can use the default Android proxy
Using ProxyDroid
ProxyDroid is a free and open-source app for Android.
It's a bunch of proxy tools and iptables rules wrapped up into an app that gives you a really simple way to tunnel traffic to an endpoint.
You'll need root access to get it to work.
- Open the ProxyDroid app
- Edit the Host setting to the OWASP ZAP IP
- Enable the Proxy switch
- Grant root permission
Using GenyMotion
In your Genymotion Android emulator:
- Settings -> Wifi -> Press and hold your active network
- Select "Modify Network"
- Select "Show Advanced Options"
- Select "Proxy Settings -> Manual"
- Set your proxy to 10.0.3.2 (Genymotion's special address for the local workstation)
- Set your port to 8080
- Press Save
Using an Android Device
- Settings -> Wifi -> Press and hold your active network
- Select "Modify Network"
- Select "Show Advanced Options"
- Select "Proxy Settings -> Manual"
- Set your proxy to the OWASP ZAP IP (something like 192.168.1.2)
- Set your port to 8080
- Press Save
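The same workflow driven from the PC with adb instead of tapping through the Settings menus, as an added example that is not part of the original post. It assumes adb is on PATH with a single connected device, and it uses Android's global http_proxy setting (adb shell settings put global http_proxy host:port, cleared with :0), which apps that honour the system proxy pick up just like the manual Wi-Fi proxy above; the host, port and certificate file name are sample values taken from the post, and the ZAP_APPLY/ZAP_CLEAR switches are this script's own.

```shell
#!/bin/sh
# Added example (not from the original post): push the ZAP root CA to the
# device and point Android's global HTTP proxy at ZAP with adb, then clear it.
# Assumes: adb on PATH, one connected device, ZAP listening on the LAN address
# set under Tools > Options > Local Proxy. Addresses below are sample values.

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Accept only a TCP port in 1-65535.
valid_port() {
  echo "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
  return 0
}

# ZAP bound to loopback is reachable only from the PC itself, which is the
# mistake the post warns about; the phone needs the PC's LAN address
# (Genymotion reaches the host workstation through 10.0.3.2 instead).
usable_from_device() {
  case "$1" in
    127.*|localhost) return 1 ;;
    *) valid_ipv4 "$1" || return 1 ;;
  esac
  return 0
}

# Build the host:port value Android expects in the http_proxy global setting.
proxy_spec() {
  printf '%s:%s\n' "$1" "$2"
}

# Copy the exported certificate to shared storage so it can be picked from
# the device's "Install certificate" dialog (exact menu path varies by ROM).
push_cert() {
  adb push "$1" /sdcard/
}

# Set the global proxy. As with the manual Wi-Fi proxy, only apps that honour
# the system proxy setting are redirected.
set_proxy() {
  adb shell settings put global http_proxy "$(proxy_spec "$1" "$2")"
}

# ':0' is the documented value that clears the global proxy again.
clear_proxy() {
  adb shell settings put global http_proxy :0
}

# Only touch a real device when explicitly asked, e.g.
#   ZAP_APPLY=1 sh zap_proxy.sh 192.168.1.2 8080 owasp_zap_root_ca.cer
#   ZAP_APPLY=1 ZAP_CLEAR=1 sh zap_proxy.sh
if [ "${ZAP_APPLY:-0}" = "1" ]; then
  host="${1:-192.168.1.2}"; port="${2:-8080}"; cert="${3:-owasp_zap_root_ca.cer}"
  if [ "${ZAP_CLEAR:-0}" = "1" ]; then
    clear_proxy
  else
    usable_from_device "$host" || { echo "proxy host must be the PC's LAN IP, not loopback: $host" >&2; exit 1; }
    valid_port "$port" || { echo "bad port: $port" >&2; exit 1; }
    push_cert "$cert"
    set_proxy "$host" "$port"
  fi
fi
```

Run it with ZAP_APPLY=1 to push the certificate and set the proxy, and with ZAP_APPLY=1 ZAP_CLEAR=1 when the session is over (then remove the certificate from the device, as the post says). Two caveats worth knowing when reading ZAP's history afterwards: a user-installed CA such as ZAP's is trusted by the browser and by apps that use the system trust store, but on Android 7 and later, apps targeting API level 24 or higher ignore user-added CAs unless their network security configuration opts in, and apps that pin their certificate refuse the connection regardless. A failed TLS handshake in ZAP is therefore usually a property of the app, not a misconfigured proxy.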
Sources
- Thanks to Rex St John for the Genymotion configuration
- NCC Group post about ProxyDroid and Burp
- Intercepting traffic using a proxy on Firefox OS
Contacts
Signal: thezero.20
Github: @TheZ3ro
Mastodon: @thezero@infosec.exchange
Bluesky: @Th3Zer0