Intercepting Android traffic using OWASP ZAP

When testing an application's security, a pentester sometimes needs to analyze the network connections the application makes: which APIs it talks to, what data it sends over the network, and whether it actually uses HTTPS.

In this post I want to cover only the configuration of the proxy connection; if you don’t know how to use ZAP, read the OWASP ZAP page first.

If you want to use Charles Proxy instead, read Intercepting Android traffic using Charles.

If you want more Deep Packet Inspection, you can:

Requirements

  • OWASP ZAP Installed on your PC
  • Genymotion/Android emulator (if you want to emulate the app)
  • An Android Device

Steps on the PC are highlighted like this
Steps on Android are highlighted like this

Configuring OWASP ZAP

  1. Fire up ZAP, create your session and context if you want. Now export the ZAP root CA certificate.

  2. Go to Tools > Options > Dynamic SSL Certificates > Save and save the certificate to a file.
    When ZAP first starts up it generates a root CA certificate valid for one year. You can also generate a new one from the Dynamic SSL Certificates section; if you do, every device that trusted the old one has to install the new one.

  3. Transfer the certificate to the Android device with adb push owasp_zap_root_ca.cer /sdcard/
    In Genymotion you can also drag & drop the certificate file onto the emulator window.

  4. Install the certificate from Settings -> WiFi -> Advanced -> Install Certificate (on other Android versions it lives under Settings -> Security -> Install from storage), select your file and install it. Android adds it to the user CA store, not the system one.

    Since the certificate is not trusted by the system and we are MiTM-ing the connection, a notification will pop up saying: Network may be monitored by an unknown third party
    That’s fine, it means the certificate is working :D
    One caveat: on Android 7.0 and later, apps that target API level 24 or higher do not trust user-installed CAs by default, so the browser will work through ZAP while the target app fails its TLS handshakes. In that case you need a rooted device (to put the CA in the system store) or an app build whose network security config trusts user CAs.
    Remember to remove the certificate when you finish your proxy session: a ZAP root CA left on the device lets whoever holds that ZAP installation’s private key intercept its HTTPS traffic later.

  5. If you are using Genymotion, skip this step.
    Now we need to tell ZAP to accept connections from other devices on the LAN. By default ZAP listens on localhost:8080, so it is reachable only from our PC.
    Go to Tools > Options > Local Proxy and type in your PC’s LAN IP address (something like 192.168.1.2) in place of localhost. Anyone on that network can now use your proxy, so do this only on a network you trust and switch it back to localhost when you are done.

Configuring Android

Now you have 3 choices:

  • If your target app ignores the Android system (HTTP_PROXY) proxy setting and you have root, you can use ProxyDroid
  • If you don’t have an Android device, or you don’t want to install the target app on your own device, you can use Genymotion
  • If you can install the app and it honours the system proxy setting, or it has its own proxy settings, or you are targeting a mobile website, you can use the default Android proxy

Using ProxyDroid

ProxyDroid is a free and open-source app for Android.
It is a bunch of proxy tools and iptables rules wrapped up in an app that gives you a really simple way to redirect traffic to an endpoint, including traffic from apps that ignore the system proxy setting.

You’ll need root access to get it to work.

  1. Open ProxyDroid App
  2. Set Host to the IP of the PC running ZAP and Port to 8080
  3. Enable the Proxy Switch
  4. Grant Root Permission

Using GenyMotion

In your Genymotion Android emulator:

  1. Settings -> Wifi -> Press and hold your active network
  2. Select “Modify Network”
  3. Select “Show Advanced Options”
  4. Select “Proxy Settings -> Manual”
  5. Set your Proxy to: 10.0.3.2 (Genymotion’s special address for the host workstation)
  6. Set your Port to: 8080
  7. Press Save

Using An Android Device

  1. Settings -> Wifi -> Press and hold your active network
  2. Select “Modify Network”
  3. Select “Show Advanced Options”
  4. Select “Proxy Settings -> Manual”
  5. Set your Proxy to the IP of the PC running ZAP (something like 192.168.1.2)
  6. Set your Port to: 8080
  7. Press Save
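The whole procedure above (export the certificate, push it to the device, point the device’s proxy at ZAP, and undo it afterwards) can be driven from the PC with adb. The script below is an added example and is not part of the original post. It assumes adb and zap.sh are on your PATH, that USB debugging is enabled on the device, and that ZAP will listen on 192.168.1.2:8080 (replace that with your own LAN IP, or 10.0.3.2 when the device is a Genymotion emulator). The -certpubdump, -host and -port options are ZAP’s own command-line flags; settings put global http_proxy is the same Android system proxy setting that the “Using An Android Device” steps change through the GUI, so apps that ignore it still need ProxyDroid.

```shell
#!/bin/sh
# Added example (not from the original post): drive the ZAP/Android proxy
# setup from the PC with adb. Assumes adb and zap.sh are on PATH, USB
# debugging is enabled, and ZAP listens on $ZAP_HOST:$ZAP_PORT.
# 192.168.1.2 is a placeholder for your own LAN IP (10.0.3.2 for Genymotion).
set -eu

ZAP_HOST="${ZAP_HOST:-192.168.1.2}"
ZAP_PORT="${ZAP_PORT:-8080}"
CERT="${CERT:-owasp_zap_root_ca.cer}"

# Build the value Android's "settings put global http_proxy" expects
# (host:port) and refuse obviously wrong input: a typo here leaves the
# device with a dead proxy and no working network until it is cleared.
proxy_value() {
    host="$1"
    port="$2"
    case "$host" in
        ''|*[!0-9A-Za-z.-]*) echo "bad host: '$host'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    printf '%s:%s\n' "$host" "$port"
}

# Step 2 without the GUI: dump ZAP's root CA public certificate to a file,
# then start ZAP listening on the LAN address instead of localhost (step 5).
export_cert_and_start_zap() {
    zap.sh -certpubdump "$CERT"
    [ -s "$CERT" ] || { echo "ZAP did not write $CERT" >&2; return 1; }
    zap.sh -daemon -host "$ZAP_HOST" -port "$ZAP_PORT" &
}

# Step 3: copy the certificate to the device's shared storage. Step 4
# (installing it as a user CA) still happens on the device itself.
push_cert() {
    [ -s "$CERT" ] || { echo "certificate $CERT missing or empty" >&2; return 1; }
    adb push "$CERT" /sdcard/
    echo "now install /sdcard/$CERT on the device (Settings, CA certificate)"
}

# "Using An Android Device" from the shell: set the global HTTP proxy that
# apps honouring the system proxy use, then read it back to confirm.
set_proxy() {
    value="$(proxy_value "$ZAP_HOST" "$ZAP_PORT")"
    adb shell settings put global http_proxy "$value"
    adb shell settings get global http_proxy
}

# Undo when the session is over: ":0" clears the global proxy. The ZAP CA
# still has to be removed from the device's user credentials by hand.
clear_proxy() {
    adb shell settings put global http_proxy :0
}

# Allow "./zap-android.sh set_proxy" and friends.
if [ $# -gt 0 ]; then
    "$@"
fi
```

Usage: ./zap-android.sh export_cert_and_start_zap, then push_cert, install the certificate on the device, then set_proxy; run clear_proxy when the session ends. proxy_value validates host and port before anything is written to the device, because settings put accepts any string and a malformed one silently breaks the device’s networking.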

Enjoy ;)

