This guide shows how to set up an Android VM in order to intercept all of its HTTPS requests. It was originally intended for reversing Play Services, but should work with any app that does not use certificate pinning (i.e. every app that relies on the system certificate authorities).
Inspired by this guide on installing Android x86 in VirtualBox, this guide on installing a system certificate on Android, and this guide on using mitmproxy with VirtualBox.
- Download a recent Android x86 ISO from here.
- Download a recent Kali Linux VirtualBox image from here. (You can also use another distribution, but Kali comes with the tools we need pre-installed.)
- Install VirtualBox and create a new VM:
  - Set Type to `Linux` and Version to `Linux 2.6 / 3.x / 4.x (64-bit)` (`Linux 2.6 / 3.x / 4.x (32-bit)` if you are using a 32-bit image).
  - Select a reasonable amount of RAM (e.g. 3 GB) and create a disk with enough space (e.g. 8 GB).
  - Open the settings of your newly created VM.
  - Under `System` > `Processor` increase the number of CPUs to at least 2.
  - Under `Display` > `Screen` set the Graphics Controller to `VBoxVGA`. (You may also increase the Video Memory.)
  - Under `Network` > `Adapter 1` select Attached to: `Internal Network` and enter a Name for the internal network (e.g. `android`).
- Start the VM and install Android:
  - Select the Android image you downloaded as your start-up disk.
  - Choose `Installation`. (`Live CD` won't work for this tutorial, as you cannot add a root certificate.)
  - Select `Create/Modify partitions`.
  - If you are asked whether you want to use GPT, choose `No`.
  - Create a new partition by selecting `New`, then `Primary`, and confirm the default size.
  - Select `Bootable` to mark the partition as bootable.
  - Select `Write` to save the partition table, then `Quit` the partitioning tool.
  - Choose the newly created partition to install to.
  - Choose `ext4` as filesystem and confirm with `Yes`.
  - Confirm installing the bootloader with `Yes`.
  - Install the /system directory as read-write by choosing `Yes`.
  - Reboot or start Android. Make sure to disconnect the installation image first.
- Set up the VM for Kali Linux:
  - Import the Kali Linux OVA file (or your distribution of choice) into VirtualBox.
  - Open the settings of the imported VM and go to `Network`.
  - Under `Adapter 1` choose Attached to: `NAT`. (This should be the default.)
  - Under `Adapter 2` check `Enable Network Adapter` and enter the same options as on the Android VM (e.g. Attached to: `Internal Network` and Name: `android`).
  - Start the VM and log in with username `root` and password `toor`.
  - Install adb by running `apt install adb` from the command line.
  - If you are not using Kali you may have to install `dnsmasq` and `mitmproxy`, too.
- Set up network forwarding in the Kali VM:
  - Run `nm-connection-editor` from the command line.
  - Click on the `+` at the bottom to add a connection and choose `Ethernet` as type.
  - In the `Ethernet` tab set Device to `eth1`.
  - In the `IPv4 Settings` tab select `Shared to other computers` as Method.
  - Click `Save` and close the connection editor.
- Connect the Android VM:
  - Click `Start`, then `See all Wi-Fi networks`, and select the `VirtWifi` network.
  - Once connected, click the back arrow. You will be at the Wi-Fi selection screen again, where you can see the IP address.
  - Inside the Kali VM connect adb with `adb connect <IP>`.
- Install the SSL certificate in the Android VM:
  - Run `mitmproxy` from the command line and then quit it with `q`. This will generate a root certificate under `~/.mitmproxy/`.
  - Calculate the hash of the certificate with `openssl x509 -in .mitmproxy/mitmproxy-ca.pem -subject_hash_old -noout` to use in the following commands. (This is most likely `c8750f0d` for this certificate.)
  - Convert it to the Android format:

    ```
    cp .mitmproxy/mitmproxy-ca.pem c8750f0d.0
    openssl x509 -in .mitmproxy/mitmproxy-ca.pem -text -noout >> c8750f0d.0
    ```

  - Copy the certificate to Android with `adb push c8750f0d.0 /data/local/tmp`.
  - Install it in the system and reboot:

    ```
    adb shell
    su
    mv /data/local/tmp/c8750f0d.0 /system/etc/security/cacerts/
    chown root:root /system/etc/security/cacerts/c8750f0d.0
    chmod 644 /system/etc/security/cacerts/c8750f0d.0
    reboot
    ```
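The conversion step above can be wrapped in a small helper that computes the hash itself and checks the result before anything is pushed to the device. This is an added example, not code from the original guide or from mitmproxy. It assumes the input is a PEM file containing the CA certificate; note that `mitmproxy-ca.pem` also holds the CA private key, so the example re-emits only the certificate block (the certificate-only file mitmproxy writes is `mitmproxy-ca-cert.pem`) and refuses to produce a store file that carries a private key. The function names are hypothetical.

```shell
# Hypothetical helper, added to this guide (not part of the original page):
# builds the Android system-store file for a CA certificate.
set -eu

# Build "<subject_hash_old>.0" in directory $2 from the PEM certificate in $1.
# Assumption: $1 is a certificate-only PEM such as ~/.mitmproxy/mitmproxy-ca-cert.pem;
# if it also contains a private key, only the certificate block is carried over.
# Prints the path of the generated file.
android_cacert_file() {
    cert="$1"
    outdir="$2"
    # Android names system CA files after OpenSSL's "old" subject hash.
    hash=$(openssl x509 -in "$cert" -subject_hash_old -noout)
    mkdir -p "$outdir"
    out="$outdir/$hash.0"
    # Re-emit the certificate in PEM form (drops any key or other PEM blocks),
    # then append the human-readable dump, as Android's own store files have.
    openssl x509 -in "$cert" -outform PEM > "$out"
    openssl x509 -in "$cert" -text -noout >> "$out"
    printf '%s\n' "$out"
}

# Check a generated file before pushing it to the device: the file name must
# equal the hash of the certificate inside it, and no private key may be present.
verify_android_cacert_file() {
    f="$1"
    expected=$(basename "$f" .0)
    actual=$(openssl x509 -in "$f" -subject_hash_old -noout)
    if [ "$expected" != "$actual" ]; then
        echo "hash mismatch: file name $expected, certificate $actual" >&2
        return 1
    fi
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "refusing: $f contains a private key" >&2
        return 1
    fi
    return 0
}

# Usage, e.g.:
#   f=$(android_cacert_file ~/.mitmproxy/mitmproxy-ca-cert.pem ./store)
#   verify_android_cacert_file "$f" && adb push "$f" /data/local/tmp
```

Running `verify_android_cacert_file` on the file before the `adb push` catches the two mistakes that are easy to make here: a file name that does not match the certificate's hash (Android will silently ignore it) and a private key copied into a world-readable system directory.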
- Set up transparent proxying rules in iptables so every connection is forwarded to mitmproxy (you may need to adapt the interface name on other distributions):

  ```
  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 8080
  ```
- Run `mitmproxy --mode transparent -w <name>.dump` to open an interactive session and save the session to a dump file.
- You should now see every request made from the Android device. Perfect!
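The two `iptables -A` commands above append a rule each time they are run, so a second run of the setup leaves duplicate rules behind, and nothing removes them when the session is over. The helper below, an added example that is not part of the original guide, keeps both rules in one place, uses `iptables -C` to add each rule only if it is not already present, and offers a matching teardown. It assumes the same `eth1` interface and port 8080 as the steps above; the function names are hypothetical.

```shell
# Hypothetical helper, added to this guide (not part of the original page):
# manage the transparent-proxy REDIRECT rules so that re-running the setup
# does not stack duplicate rules, and so they can be removed cleanly afterwards.

IFACE="${IFACE:-eth1}"            # assumption: internal-network adapter in the Kali VM
PROXY_PORT="${PROXY_PORT:-8080}"  # mitmproxy's default listen port

# Print one rule specification per line (everything after the -A/-C/-D action),
# one for plain HTTP and one for HTTPS, so apply and remove share a single source.
redirect_rule_specs() {
    for port in 80 443; do
        printf 'PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s\n' \
            "$IFACE" "$port" "$PROXY_PORT"
    done
}

# Add the rules (idempotent: -C checks whether an identical rule already exists).
enable_redirect() {
    redirect_rule_specs | while read -r spec; do
        # word splitting of $spec into separate arguments is intended here
        iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
    done
}

# Remove the rules again when the interception session is over.
disable_redirect() {
    redirect_rule_specs | while read -r spec; do
        iptables -t nat -D $spec 2>/dev/null || true
    done
}

# Show what is currently in place, with rule numbers, for a quick check.
show_redirect() {
    iptables -t nat -L PREROUTING -n --line-numbers
}

# Usage (as root in the Kali VM): enable_redirect; ...; disable_redirect
```

`enable_redirect` and `disable_redirect` need root and a real netfilter, so they only do something on the Kali VM; `redirect_rule_specs` is plain text generation and can be inspected anywhere, which is also what makes the rule set easy to review before applying it.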