3

I want to audit the HTTP and HTTPS activity of apps downloaded onto my mobile device. What is the best way to do this?

I own the device, can add a root certificate, and can connect the running device using USB to a computer and run diagnostic tools.

I can also run in whatever developer mode exists to see the network IO.

makerofthings7
  • An easy way to get the HTTP traffic (and HTTPS traffic that you can downgrade to HTTP via SSLStrip) is a [Wifi Pineapple](https://hakshop.myshopify.com/products/wifi-pineapple). – Xander Jun 24 '14 at 18:13
  • Fiddler offers this functionality by routing the device's traffic through its HTTP proxy. – esqew Jun 24 '14 at 20:19

2 Answers

4

The easiest way is to set an HTTP proxy. On iOS you can do this in your WiFi settings and there's a similar setting in Android.

Point the phone at an interactive proxy (probably Burp or ZAP) on your laptop. This gives you an interface similar to Fiddler.

To intercept HTTPS, you need to install the certificate from your proxy on the phone.

Some applications will refuse to operate like this, for example if they use certificate pinning. There are more advanced techniques to get round this.

paj28
1

I've used a combination of the Charles proxy & Wireshark to monitor traffic on the iPhone.

After installing/running Charles on your computer, take note of your IP and connect your iPhone to the wireless network. Set the iPhone's wi-fi connection to connect through the proxy. Once you confirm you can access the web as expected (e.g. that Charles is working), have Wireshark start monitoring the network interface Charles is running on. With a little Wireshark-Fu, you should be able to parse out your app's traffic.

http://www.charlesproxy.com/

http://www.wireshark.org
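
An added example, not part of either answer above: once a proxy session has been captured, it can be summarised offline. This sketch assumes the session was exported in HAR format; the sample capture, host names, and the lists of sensitive parameter and header names are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: a minimal HAR 1.2 document with three requests.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://api.example.com/v1/profile", "headers": []}},
    {"request": {"method": "GET", "url": "http://ads.example.net/track?device_id=abc123&lat=51.5", "headers": []}},
    {"request": {"method": "POST", "url": "http://ads.example.net/event",
                 "headers": [{"name": "Authorization", "value": "Bearer constructed-token"}]}},
]}})

# Names treated as sensitive (assumed, illustrative lists; adjust for the app under audit).
SENSITIVE_PARAMS = {"device_id", "imei", "email", "lat", "lon", "token", "password"}
SENSITIVE_HEADERS = {"authorization", "cookie"}

def audit_har(har_text):
    """Return (per-host request counts by scheme, cleartext findings) for a HAR capture."""
    hosts = defaultdict(lambda: {"http": 0, "https": 0})
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        if url.scheme not in ("http", "https"):
            continue  # ignore non-HTTP entries
        hosts[url.hostname][url.scheme] += 1
        if url.scheme != "http":
            continue
        # Cleartext request: anything sensitive here is readable on the network path.
        for name, _ in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                findings.append((url.hostname, "query:" + name))
        for header in req.get("headers", []):
            if header["name"].lower() in SENSITIVE_HEADERS:
                findings.append((url.hostname, "header:" + header["name"]))
    return dict(hosts), findings

if __name__ == "__main__":
    summary, findings = audit_har(SAMPLE_HAR)
    for host, counts in sorted(summary.items()):
        print(f"{host}: {counts['https']} HTTPS, {counts['http']} HTTP")
    for host, what in findings:
        print(f"cleartext exposure to {host}: {what}")
```

Hosts that appear only under `http` and carry identifiers or credentials are the first ones to look at when reviewing what an app sends.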