4

I'm using an Android emulator on my PC, then logging into some apps (while running Wireshark), and now I'm trying to figure out how to decrypt the SSL traffic.

I understand that I need to find some sort of key to throw into Wireshark, but I am unable to figure out how to find that on the Android OS, or if it's even possible.

Any ideas?

user3276588
  • *I have tried some other options...* As you can see, there are many questions and answers about this topic already. If you have problems applying a specific solution please don't ask another question on what ways of intercepting exist but instead describe what you tried and where exactly your problems were. – Steffen Ullrich May 25 '17 at 18:11
  • Sorry, not sure what you mean. I never asked questions about intercepting. I asked about how I can find the SSL key(s) on my Android device. I'll edit out the bottom part of my post so there is no confusion. – user3276588 May 25 '17 at 18:27
  • I think your confusion is that in TLS, it's the _server's_ key that you need, not the client's. You either need to extract the key from the server that the Android device is talking to (if you control the server), or set up an interceptor / proxy so that as far as the Android device is concerned, _you are the server_. – Mike Ounsworth Sep 23 '17 at 03:22

3 Answers

2

If your aim is to analyze HTTP and HTTPS traffic only, then you can use any HTTP intercepting proxy server such as Burp Suite or Squid.

Method:

First of all, change the network settings on Android to use Burp Suite as a proxy server. Then generate a self-signed certificate using either Burp Suite or OpenSSL and install that certificate on your Android device. (If you are generating the certificate using OpenSSL, then configure Burp Suite accordingly.) Now configure your network properly and open the ports for the proxy server.

Note:

Some Android applications use other protocols, such as XMPP, to communicate with the server. For XMPP this method wouldn't work, and you have to rely on Wireshark to analyze that particular traffic.

Hint:

You can use the proxy server and Wireshark at the same time to increase productivity.

1

Is the server that the app is communicating with yours? If so, can you export a copy of the certificate from there and import it into Wireshark?

If it's not yours, then you don't have the private key to decrypt the traffic. You might be able to proxy the app so as to allow you to break the TLS connection, but it sounds like you tried the man-in-the-middle approach already.

Remember the whole point of SSL/TLS is to stop interception of traffic, so without the original keys it's not possible to 'see' into the unbroken communications channel.

ISMSDEV
  • Nope, the server is not mine. I guess I was under the impression that there was some sort of other key aside from the private one... maybe created based on the private one originally. Like a public key? I'm not sure. OR - Maybe it's not even a key at all? Like when looking in Wireshark I see a bunch of options like a "pre-master secret log" and "SSL Debug file" in addition to the RSA key list. It sounds like, using Windows, Chrome creates an SSLKEYLOG file that you can import into Wireshark to decrypt stuff. But I guess that's not available on Android? – user3276588 May 25 '17 at 17:47
  • If the server is not yours, you probably don't have the private key, without which you can't use Wireshark to decrypt the content. The point I wanted to add here is that, even if you have the private key, you can't use it with Wireshark if the cipher suite being used is DHE or ECDHE. [Reason](http://www.joji.me/en-us/blog/walkthrough-decrypt-ssl-tls-traffic-https-and-http2-in-wireshark#disable-the-diffie-hellman-cipher): > The session key is transferred encrypted with a dynamically generated key pair (instead of encrypted with the public key from the certificate) if the SSL session is using – psykid Sep 17 '18 at 22:16
1

> ... or if it's even possible.

There is no general way to get to the master keys for a TLS connection of an arbitrary application in Android OS. There might be application or library specific ways to get the key and there are other ways to intercept the TLS traffic. Google has lots of hits about this topic.

Steffen Ullrich
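An added example, not part of any post above: a check of which material would let Wireshark decrypt a captured session, covering the "pre-master secret log" (NSS key log) format and the DHE/ECDHE limitation raised in the comments. The function names and sample values are constructed for illustration, and requiring all four TLS 1.3 traffic secrets is a conservative assumption.

```python
import re

# NSS key log lines, as read by Wireshark's "(Pre)-Master-Secret log" preference:
#   CLIENT_RANDOM <client random, 64 hex> <master secret, 96 hex>     (TLS <= 1.2)
#   <TLS 1.3 label> <client random, 64 hex> <traffic secret, hex>     (TLS 1.3)
TLS13_NEEDED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def parse_keylog(text):
    """Map client random -> {label: secret}; comments and malformed lines are skipped."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line, '#' comment, or damaged entry
        label, rand, secret = m.group(1), m.group(2).lower(), m.group(3).lower()
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            continue  # a TLS <= 1.2 master secret is always 48 bytes
        sessions.setdefault(rand, {})[label] = secret
    return sessions

def decrypt_source(cipher_suite, client_random, sessions, have_server_rsa_key=False):
    """Return what would let Wireshark decrypt the session: 'keylog', 'rsa-key' or None."""
    labels = sessions.get(client_random.lower(), {})
    if "CLIENT_RANDOM" in labels or TLS13_NEEDED.issubset(labels):
        return "keylog"
    # The server's RSA key only helps with static RSA key exchange (TLS_RSA_WITH_*);
    # DHE/ECDHE suites and all TLS 1.3 suites use ephemeral keys that it never sees.
    if have_server_rsa_key and cipher_suite.startswith("TLS_RSA_WITH_"):
        return "rsa-key"
    return None

# Constructed sample data (not real secrets): one TLS 1.2 entry, one truncated entry.
R1, R2, R3 = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE = f"""# constructed key log
CLIENT_RANDOM {R1} {'11' * 48}
CLIENT_RANDOM {R2} {'22' * 20}
"""

if __name__ == "__main__":
    s = parse_keylog(SAMPLE)
    print(decrypt_source("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", R1, s))        # keylog
    print(decrypt_source("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", R3, s, True))  # None
    print(decrypt_source("TLS_RSA_WITH_AES_128_CBC_SHA", R3, s, True))           # rsa-key
```

The client random to look up is the Random field of the ClientHello in the capture, and the cipher suite is the one the server selected in its ServerHello.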