# Intercepting Android App Traffic

***

## 🌐 Resources 🔗

> * [Genymotion](https://www.genymotion.com/download/)
> * [Frida](https://frida.re/)
> * [OWASP SSL Certificate and Public Key Pinning](https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning)
> * Extra video - [Getting Started with Android App Testing with Genymotion - InsiderPhD](https://www.youtube.com/watch?v=_HRpLPrlg1U)

***

## Bypass certificate pinning with Frida

I've used my KaliVM and these instructions to follow IppSec's video and get everything working as he described.

> 🔗 [Intercepting Android App Traffic with BurpSuite](https://www.youtube.com/watch?v=xp8ufidc514) - by [IppSec](https://ippsec.rocks/)
>
> **Video Timeline**
>
> ```
> 00:00 - Introduction, talking about RouterSpace and why we can't just do what we did in that video
> 01:25 - Installing Genymotion, Virtual Box, and ADB; while talking about why I don't use Android Studio/AVD. Simply because genymotion just works.
> 02:05 - Make sure you upgrade your memory, processors, and enable Virtualization in your VM Settings!
> 02:30 - Running Genymotion and starting a Pixel 3 XL
> 03:37 - Converting BurpSuites Certificate to PEM Format with openssl x509 -inform der -in [name of cert] -out burp.pem
> 04:20 - Renaming the certificate to 9a5ba575.0, and showing how we got that name
> 06:00 - Starting the device and showing the certificate authorities
> 07:00 - Copying the certificate to /system/etc/security/cacerts/, and showing how to remount to rw
> 08:10 - Showing how to set the proxy through both the GUI and via ADB
> 09:50 - Installing GAPPS
> 10:30 - Showing how to unset the proxy from ADB
> 11:00 - Creating an alias to set and unset the proxy via adb
> 12:00 - Opening the google play store and logging in and install Wayzn to see if we can intercept traffic
> 15:20 - Showing we intercepted traffic from Wayzn, then installing Instagram
> 16:50 - Attempting to login to instagram and getting an error message
> 17:20 - Setting up Frida both on our computer and android device
> 19:20 - Showing Frida is working, getting ps output from the android device
> 19:55 - Downloading the instragram ssl pinning bypass script
> 21:20 - Using frida to start instagram and loading the script to bypass the SSL Checking
> 22:15 - Setting the proxy and showing us intercept instagram traffic
> ```

```bash
sudo apt install -y virtualbox adb
sudo wget https://dl.genymotion.com/releases/genymotion-3.5.1/genymotion-3.5.1-linux_x64.bin -O /tmp/genymotion.bin

# The installer was saved to /tmp, so run it from there
sudo chmod +x /tmp/genymotion.bin
sudo /tmp/genymotion.bin

cd /opt/genymobile/genymotion
./genymotion
```

* Open Genymotion Settings and set the Hypervisor to **VirtualBox**
* Install a new Google Pixel 3 XL device
* Run Burp Suite and export its CA certificate

```bash
cd
# Burp serves its CA certificate in DER format from the proxy listener
curl localhost:8080/cert -o cert.der
sudo mv cert.der /usr/share/ca-certificates/BurpSuiteCA.der

openssl x509 -inform der -in /usr/share/ca-certificates/BurpSuiteCA.der -out burp.pem
# Android names system CAs by OpenSSL's "old" subject hash; -noout prints only the hash
openssl x509 -inform PEM -subject_hash_old -noout -in burp.pem
mv burp.pem 9a5ba575.0 	# Hash printed by the command above
```
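To see where the `9a5ba575.0` name comes from: Android looks system CAs up by OpenSSL's old subject hash, the first four bytes of MD5 over the DER-encoded subject name read as a little-endian integer, followed by `.0`. The stdlib-only Python below is an added example, not code from the page or from IppSec's video; it extracts the subject from a DER certificate and derives the file name, using a constructed certificate skeleton in place of the real Burp CA.

```python
import hashlib
OID_CN, OID_O = bytes.fromhex("550403"), bytes.fromhex("55040a")  # 2.5.4.3, 2.5.4.10

def der(tag, payload):
    """Encode one DER TLV (short or long length form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def name_der(rdns):
    """Name ::= SEQUENCE OF SET OF {OID, UTF8String}, one attribute per RDN."""
    return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, o) + der(0x0C, v.encode())))
                              for o, v in rdns))

def tlv(buf, i):
    """Parse the TLV at buf[i]; return (tag, start, content_start, end)."""
    tag, ln, j = buf[i], buf[i + 1], i + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, j = int.from_bytes(buf[j:j + k], "big"), j + k
    return tag, i, j, j + ln

def subject_der(cert_der):
    """Walk Certificate -> TBSCertificate and return the subject Name's DER bytes."""
    _, _, tbs, _ = tlv(cert_der, 0)
    _, _, i, _ = tlv(cert_der, tbs)
    tag, _, _, end = tlv(cert_der, i)
    if tag == 0xA0:                # optional [0] EXPLICIT version comes first
        i = end
    for _ in range(4):             # skip serialNumber, signature, issuer, validity
        i = tlv(cert_der, i)[3]
    _, start, _, end = tlv(cert_der, i)
    return cert_der[start:end]

def subject_hash_old(subject):
    """OpenSSL -subject_hash_old: first 4 bytes of MD5(DER subject) as a little-endian uint32."""
    return "%08x" % int.from_bytes(hashlib.md5(subject).digest()[:4], "little")

def cacert_filename(cert_der, n=0):
    """File name Android expects under /system/etc/security/cacerts/ (Burp's CA gives 9a5ba575.0)."""
    return f"{subject_hash_old(subject_der(cert_der))}.{n}"

# Constructed sample: real TBSCertificate field order, placeholder algorithm/validity/signature.
SAMPLE_SUBJECT = name_der([(OID_O, "Example Org"), (OID_CN, "Example Proxy CA")])
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
             + name_der([(OID_CN, "Example Issuer")]) + der(0x30, b"") + SAMPLE_SUBJECT)
SAMPLE_CERT = der(0x30, SAMPLE_TBS + der(0x30, b"") + der(0x03, b"\x00"))
```

Run `cacert_filename(open("BurpSuiteCA.der", "rb").read())` on the exported certificate to confirm the expected name before pushing it to the device.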

* Copy cert to device

```bash
adb devices -l
adb shell
su
# Remount the root filesystem read-write so the system CA store can be written
mount -o remount,rw /
exit
exit

adb push 9a5ba575.0 /system/etc/security/cacerts/
```

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-8549200246da8bd2d7d5f791d73baf59aa029cd3%2F2023-07-02_17-21-49_134.png?alt=media)

* To start capturing traffic with BurpSuite, set the proxy listener to `All interfaces`

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-e72912c75459da6b90f5d39e422efa284fd07e50%2F2023-07-02_17-25-13_135.png?alt=media)

* Set the proxy on the device to the KaliVM IP

```bash
adb shell settings put global http_proxy 192.168.31.128:8080

# Aliases to set and unset the proxy; the KaliVM IP is read from eth1 when the alias is defined
alias adb_set_proxy="adb shell settings put global http_proxy $(ip -o -4 addr show eth1 | awk '{print $4}' | sed 's/\/.*//g'):8080"

alias adb_unset_proxy="adb shell settings put global http_proxy :0"
```

* From Genymotion, click OpenGAPPS to install Gapps on the device and restart the device.

```bash
# Disable proxy
adb_unset_proxy
```

* Run Play Store on the device and install apps
  * `e.g.` - Wayzn, Instagram - in this case
* Set the proxy, turn Burp Suite intercept on and log in to the *Wayzn* app

```bash
adb_set_proxy
```

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-e60ad811ff419201d73a408f1ae2f9726c65c171%2F2023-07-02_17-46-30_136.png?alt=media)

* Open Instagram and try to log in: it fails with `Unable to log in` while the proxy is set.

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-d7e265236e7a8fa9421d9310c675e6db8e020d43%2F2023-07-02_17-49-59_137.png?alt=media)

* After unsetting the proxy, the Instagram error changes.
  * Instagram pins its certificate, which prevents the traffic from being intercepted

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-edb05210ad778b7cb436ba9049395c41d877561d%2F2023-07-02_17-50-46_138.png?alt=media)

* Install Frida
  * 🔗 Follow [Frida Android](https://frida.re/docs/android/)

```bash
# On KaliVM
pipx install frida-tools

# On the device: check the CPU architecture to pick the matching frida-server build
adb shell uname -a
# Linux localhost 5.10.101-genymotion+-ab74 #1 SMP PREEMPT Thu Dec 1 14:03:02 UTC 2022 x86_64

# x86_64 - download frida-server-16.1.1-android-x86_64.xz
# (frida-server must match the frida version installed with frida-tools; check with `frida --version`)
wget https://github.com/frida/frida/releases/download/16.1.1/frida-server-16.1.1-android-x86_64.xz

7z x frida-server-16.1.1-android-x86_64.xz
mv frida-server-16.1.1-android-x86_64 frida-server

adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
```

* Check **Frida** is working

```bash
frida-ps -U		# Lists processes on the USB/emulator device; the output below comes from the device
     PID  Name
    ----  -------------------------------------------------------------
    5446  Google Play Store
    6085  Instagram
    1960  Phone
    5249  Wayzn
     473  adbd
    1268  android.ext.services
    [...]
```

* Download the [Instagram SSL Pinning Bypass](https://github.com/Eltion/Instagram-SSL-Pinning-Bypass) script

```bash
sudo mkdir -p /opt/android/instagram
cd /opt/android/instagram

sudo wget https://raw.githubusercontent.com/Eltion/Instagram-SSL-Pinning-Bypass/main/instagram-ssl-pinning-bypass.js
```

* Force stop the Instagram app from App info
* Use Frida to spawn Instagram and load the script that bypasses the SSL pinning check

```bash
adb_set_proxy
frida -U -l ./instagram-ssl-pinning-bypass.js -f com.instagram.android
```

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-d8d17a20bb0975fc3b7a671c60a84ee8b8cffac4%2F2023-07-02_18-07-35_139.png?alt=media)

* Instagram traffic is now intercepted in Burp Suite

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-a393abc700ba4827e433371a406ee64849749c96%2F2023-07-02_18-09-42_140.png?alt=media)

***
