Skip to content

Instantly share code, notes, and snippets.

@nirev

nirev/android_patch_apk_for_network_sniffing.md

Last active February 20, 2021 01:52
Show Gist options
  • Save nirev/355da1768e41d6c37edcd8aaa943fe47 to your computer and use it in GitHub Desktop.
Save nirev/355da1768e41d6c37edcd8aaa943fe47 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
android_patch_apk_for_network_sniffing.md

How to patch Android app to sniff its HTTPS traffic with self-signed certificate

requirements

  • apktool [1]

steps

  • Unpack apk file: apktool d app.apk
  • Modify AndroidManifest.xml by adding android:networkSecurityConfig="@xml/network_security_config" attribute to application element.
  • Create file /res/xml/network_security_config.xml with following content:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
  • Build patched apk: apktool b app -o app_patched.apk
  • If you see followint error try running apktool empty-framework-dir --force or run b command with parameter --use-aapt2
W: invalid resource directory name: /home/expert/Downloads/Zzzzzz/Zzzzzz_v0.0.0/res navigation
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_5815054990385134498.tmp, p, --forced-package-id, 127, --min-sdk-version, 23, --target-sdk-version, 29, --version-code, 226000400, --version-name, 226.000.0, --no-version-vectors, -F, /tmp/APKTOOL14466004687895005947.tmp, -e, /tmp/APKTOOL4388243966604401097.tmp, -0, arsc, -I, /home/expert/.local/share/apktool/framework/1.apk, -S, /home/expert/Downloads/Zzzzzz/Zzzzzz_v0.0.0/res, -M, /home/expert/Downloads/Zzzzzz/Zzzzzz_v0.0.0/AndroidManifest.xml]

signing patched apk (option 1)

  • Generate keys to sign apk: keytool -genkey -alias keys -keystore keys -keyalg RSA -keysize 2048 -validity 10000 # password
  • Sign apk file: jarsigner -verbose -keystore keys /home/expert/Downloads/lancet/flixster_patched.apk keys

signing patched apk (option 2)

Generate a 1024 bit RSA keypair and store it in the key file using openssl:

openssl genrsa -out key 1024

Next, convert the key to PKCS#8 as required by APK. The key in PKCS#8 format will be placed in key.pkcs8:

openssl pkcs8 -topk8 -in key -out key.pkcs8 -outform DER -nocrypt

Now generate a certificate, sign it with our key, and store it in cert.pem:

openssl req -x509 -new -key key -out cert.pem -days 3650 -nodes -subj '/CN=example.com'

Next, zipalign the APK!

zipalign 4 app-modified.apk app-modified-zipaligned.apk

Finally, sign the APK file with apksigner using the key and certificate we generated above.

apksigner sign --key key.pkcs8 --cert cert.pem --out app-modified-signed.apk app-zipaligned.apk

extra

  • If necessary convert apk to jar for further analysis: d2j-dex2jar.sh [email protected]
  • To find what cyphers suites are supported by remote server calls: nmap --script ssl-enum-ciphers -p 443 youtubei.googleapis.com or sslscan youtubei.googleapis.com
  • To check what cypher suites your client supports query https://www.howsmyssl.com/a/check

[1] https://ibotpeaches.github.io/Apktool/

refs: https://hurricanelabs.com/blog/modifying-android-apps-to-allow-tls-intercept-with-user-cas/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment