1. Install Burp Certificate on Android
For this part, see: Android App Testing: Capturing HTTPS Traffic with Burp Suite
2. Set Proxy
Set the proxy in Burp Suite and on the mobile device:
When setting the proxy on the mobile device, make sure that Burp Suite and the test device are on the same Wi-Fi network.
3. Modify key API
So far, you can monitor many HTTPS connections, such as those using a self-signed certificate with a weak check, but there are still cases you cannot monitor. For example, when an app uses a CA that is trusted by Android (not a self-signed certificate), the proxy will be rejected by the system ( Official Document ).
The way to solve this problem is to hook or modify the framework.
On Android 4.4 you can use Xposed to hook the key function, which is the easiest way. The core code is here:
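```java
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;

// Fragment from inside the Xposed module; argfinal and Logger are defined elsewhere in it.
// TrustManager that accepts every certificate chain without checking it.
final TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
    @Override
    public void checkClientTrusted(
            java.security.cert.X509Certificate[] chain,
            String authType) throws CertificateException {
    }

    @Override
    public void checkServerTrusted(
            java.security.cert.X509Certificate[] chain,
            String authType) throws CertificateException {
    }

    @Override
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        // Empty array rather than null: callers may iterate over the result.
        return new java.security.cert.X509Certificate[0];
    }
}};

// Hook SSLContext.init(KeyManager[], TrustManager[], SecureRandom) in the target app.
XposedHelpers.findAndHookMethod("javax.net.ssl.SSLContext", argfinal.classLoader, "init",
        KeyManager[].class, TrustManager[].class, SecureRandom.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        super.beforeHookedMethod(param);
        // Replace the app's TrustManager array (second argument) before init() runs.
        param.args[1] = trustAllCerts;
        Logger.log_behavior("SuperSix666: hook https!");
    }

    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        super.afterHookedMethod(param);
    }
});
```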
On Android 5.0 and above, you can modify the framework source /libcore/luni/src/main/java/javax/net/ssl/SSLContext.java and flash the new framework to the mobile device.
With this approach, you can monitor almost all HTTPS traffic on Android.
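The SSLContext.init hook in step 3 only swaps the TrustManager array, so a check that the app itself runs on the negotiated session's peer key is not affected by it and still sees the proxy's key. The following is an added example of such a check, not code from the original post: the class and method names are hypothetical, and the two keys in main are generated locally as stand-ins for a server key and a proxy key.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Added example: hypothetical names, not part of the original post or of any library.
public class PeerKeyPin {

    // Hex SHA-256 of the key's DER-encoded SubjectPublicKeyInfo (PublicKey.getEncoded()).
    static String pinOf(PublicKey key) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    static boolean isPinned(PublicKey leafKey, Set<String> pins) throws Exception {
        return pins.contains(pinOf(leafKey));
    }

    // Run after the TLS handshake, before sending any request data.
    // This does not consult the TrustManager, so it is independent of SSLContext.init().
    static void requirePinned(SSLSession session, Set<String> pins) throws Exception {
        Certificate[] chain = session.getPeerCertificates(); // leaf certificate first
        if (chain.length == 0 || !isPinned(chain[0].getPublicKey(), pins)) {
            throw new SSLPeerUnverifiedException("peer key does not match any pin");
        }
    }

    // Constructed demo input: two freshly generated RSA keys, only the first is pinned.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair server = gen.generateKeyPair();
        KeyPair proxy = gen.generateKeyPair();
        Set<String> pins = Collections.singleton(pinOf(server.getPublic()));
        System.out.println("server key accepted: " + isPinned(server.getPublic(), pins));
        System.out.println("proxy key accepted:  " + isPinned(proxy.getPublic(), pins));
    }
}
```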