When testing application security, a pentester sometimes needs to analyze the network connections an application makes: how it uses APIs, what data it transfers over the web, and whether it actually uses HTTPS!
In this post I want to cover the configuration of the proxy connection; if you don't know how to use Charles, read the Charles website.
If you want to use OWASP ZAP, read Intercepting Android traffic using OWASP ZAP.
If you want deeper packet inspection, you can:
- set your PC up as a WiFi hotspot and run Wireshark
- ARP-poison your device and run Wireshark
- play with BetterCap
For this post you need:
- Charles installed on your PC
- Genymotion/Android Emulator (if you want to emulate the app)
- An Android device
Configuring Charles Proxy
Fire up Charles Proxy.
- Now you need to install an SSL certificate on your device.
- If you want to generate your own certificate, follow Generate your own CA cert for Charles and then transfer the certificate to the Android device with
adb push ca_cert.pem /sdcard/
In Genymotion you can also drag & drop the cert file onto the emulator.
- Otherwise you can use a cert from the Charles CA by visiting this URL:
Install the certificate from Settings->WiFi->Advanced->Install Certificate, select your file and install it.
Since the certificate is not trusted and we are MITM-ing the connection, a notification will pop up saying:
Network May be monitored by an Unknown Third party
It's ok, the cert is working :D
Remember to remove the cert when you finish your proxy session.
- If you are using Genymotion, ignore this step.
Now we need to tell Charles to listen to all the devices on the LAN. By default Charles listens on localhost:8080, so it's visible only from our PC.
Go to Proxy > Access Control Settings…, press the Add button, type in your local IP address and click OK (something like
Please read the Configuring Android section of the OWASP ZAP post (it's the same).
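The PC-side and device-side steps above, as an added shell script that is not part of the original post: it pushes the CA cert with adb, points the device's global HTTP proxy at Charles, and clears both again when the session is over. adb on PATH, a single connected device or emulator, and the CERT, PC_IP and PORT values are assumptions.

```shell
#!/bin/sh
# Added example: push the Charles CA cert, set Android's global HTTP proxy
# to Charles on the PC, and undo it afterwards. Assumes adb is on PATH and
# exactly one device/emulator is connected. CERT, PC_IP and PORT are
# assumptions; replace them with your own values.

CERT="${CERT:-ca_cert.pem}"        # CA cert exported from Charles
PC_IP="${PC_IP:-192.168.1.10}"     # placeholder: LAN IP of the PC running Charles
PORT="${PORT:-8080}"               # port Charles listens on (the post uses 8080)

# proxy_spec IP PORT: validate both and print the "host:port" string Android
# expects in the http_proxy setting. Returns 1 on a malformed value so a typo
# never reaches the device.
proxy_spec() {
    ip="$1"; port="$2"
    case "$ip" in
        ""|*[!0-9.]*|*.*.*.*.*|.*|*.|*..*) return 1 ;;   # non-digits, 5+ groups, bad dots
        *.*.*.*) ;;                                     # four dotted groups
        *) return 1 ;;
    esac
    case "$port" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s:%s\n' "$ip" "$port"
}

setup() {
    spec="$(proxy_spec "$PC_IP" "$PORT")" || { echo "bad proxy spec" >&2; return 1; }
    adb push "$CERT" /sdcard/                         # then install it from Settings
    adb shell settings put global http_proxy "$spec"  # picked up without a reboot
    echo "device now proxies via $spec"
}

teardown() {
    adb shell settings put global http_proxy :0       # ':0' clears the global proxy
    adb shell rm -f "/sdcard/$(basename "$CERT")"
    echo "proxy cleared; remove the CA from Settings as well"
}

case "${1:-}" in
    setup) setup ;;
    teardown) teardown ;;
esac
```

Run it as `sh charles_proxy.sh setup` before the session and `sh charles_proxy.sh teardown` after, so the device does not keep trusting the test CA or routing through a proxy that is no longer there.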