Intercepting Android traffic using OWASP ZAP

Posted on: Jan 25, 2016

Notice: This post is 8 years old, thus it could contain old or incorrect information.

When testing application security, a pentester sometimes needs to analyze the network connections an application makes: which APIs it uses, what data it transfers over the web, and whether it actually uses HTTPS!

In this post I want to cover the configuration of the proxy connection; if you don’t know how to use ZAP, read the OWASP ZAP page first.

If you want to use Charles Proxy instead, read Intercepting Android traffic using Charles.

If you want more Deep Packet Inspection, you can:

Requirements

Configuring OWASP ZAP

  1. Fire up ZAP, and create your session and context if you want. Now export the ZAP root CA certificate.

  2. Go to Tools > Options > Dynamic SSL Certificates > Save and save the certificate to a file.
    When ZAP first starts up, it generates a certificate valid for one year. You can also generate a new one from the Dynamic SSL Certificates section.

  3. Transfer the certificate to the Android device with adb push owasp_zap_root_ca.cer /sdcard/
    In Genymotion you can also drag and drop the certificate file onto the emulator window.

  4. On your phone, install the certificate from Settings -> WiFi -> Advanced -> Install Certificate: select your file and install it.

    Since the certificate is not trusted and we are MITM-ing the connection, a notification will pop up saying: Network may be monitored by an unknown third party.
    It’s ok, the cert is working :D
    Remember to remove the cert when you finish your proxy session.

  5. If you are using Genymotion, ignore this step.
    Now we need to tell ZAP to accept connections from the other devices on the LAN. By default ZAP listens on localhost:8080, so it is reachable only from our PC.
    Go to Tools > Options > Local Proxy and type in your local IP address (something like 192.168.1.2).

Configuring Android

Now you have 3 choices:

Using ProxyDroid

ProxyDroid is a free and open-source app for Android.
It’s a bunch of proxy tools and iptables rules wrapped up into an app that gives you a really simple way to tunnel traffic to an endpoint.

You’ll need root access to get it to work.

  1. Open ProxyDroid App
  2. Edit your Host setting to the IP address ZAP listens on
  3. Enable the Proxy Switch
  4. Grant Root Permission

Using GenyMotion

In your Genymotion Android emulator:

  1. Settings -> Wifi -> Press and hold your active network
  2. Select “Modify Network”
  3. Select “Show Advanced Options”
  4. Select “Proxy Settings -> Manual”
  5. Set your Proxy to: 10.0.3.2 (Genymotion’s special code for the local workstation)
  6. Set your Port to: 8080
  7. Press Save

Using An Android Device

  1. Settings -> Wifi -> Press and hold your active network
  2. Select “Modify Network”
  3. Select “Show Advanced Options”
  4. Select “Proxy Settings -> Manual”
  5. Set your Proxy to the OWASP ZAP IP (something like) 192.168.1.2
  6. Set your Port to: 8080
  7. Press Save
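The manual steps above (pushing the certificate in step 3 and pointing the device at ZAP) can also be driven from the workstation over adb. The script below is an added example written for this post, not code from the original article or from the ZAP project. It assumes adb is on your PATH with one device or emulator attached, that the device runs an Android version honouring the global http_proxy setting (Android 4.4 and later), and that the certificate file is the owasp_zap_root_ca.cer exported above. Its main safety check is the one this post keeps coming back to: the device must be given the workstation's LAN address (or Genymotion's 10.0.3.2), never localhost or 127.0.0.1, because on the phone those names point at the phone itself.

```shell
#!/bin/sh
# Added example (not from the original post): push the ZAP root CA to the device
# and set/clear the device-wide HTTP proxy over adb.
# Assumptions: adb on PATH, one attached device/emulator, Android 4.4+.

CERT_FILE="${CERT_FILE:-owasp_zap_root_ca.cer}"   # exported from Tools > Options > Dynamic SSL Certificates

# Reject addresses the device cannot route to the workstation through:
# loopback names resolve to the phone itself, not to the PC where ZAP listens.
# 10.0.3.2 (Genymotion's alias for the host) passes this check.
validate_proxy_host() {
    case "$1" in
        ''|localhost|127.*|0.0.0.0|::1) return 1 ;;
    esac
    # accept a dotted-quad IPv4 address, which is what ZAP's Local Proxy setting takes
    if echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then return 0; else return 1; fi
}

validate_proxy_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; else return 1; fi
}

# Compose the device-side proxy value "host:port".
# "clear" yields ":0", the conventional value that removes the global proxy again.
proxy_setting() {
    if [ "$1" = "clear" ]; then
        echo ":0"
        return 0
    fi
    if validate_proxy_host "$1" && validate_proxy_port "$2"; then
        echo "$1:$2"
    else
        return 1
    fi
}

# Step 3 of the post: copy the certificate to external storage. Installing it
# (step 4) is still done on the device from Settings.
install_cert() {
    adb push "$CERT_FILE" /sdcard/
}

# Equivalent of the manual "Proxy Settings -> Manual" steps, applied device-wide.
set_device_proxy() {
    value=$(proxy_setting "$@") || { echo "invalid proxy: $*" >&2; return 1; }
    adb shell settings put global http_proxy "$value"
}

# Usage: ./zap_device_proxy.sh setup 192.168.1.2 8080
#        ./zap_device_proxy.sh clear        # run this when the proxy session is over
case "${1:-}" in
    setup) install_cert && set_device_proxy "$2" "$3" ;;
    clear) set_device_proxy clear ;;
esac
```

The clear subcommand complements the reminder above to remove the certificate when you finish: a forgotten global proxy leaves the device unable to reach the network once ZAP is closed, which is a common source of confusion after a test.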

Source

Contacts

Signal: thezero.20
Github: @TheZ3ro
Mastodon: @thezero@infosec.exchange
Bluesky: @Th3Zer0