Step by step explanation on how to reverse engineer an API using Wireshark, MitmProxy and Frida (Android).
- Wireshark - (https://www.wireshark.org/)
- Frida - (https://frida.re/)
- Mitm Proxy - (https://mitmproxy.org/)
First Create an evironment variable with the name 'SSLKEYLOGFILE' using the following command:
$ export SSLKEYLOGFILE=<LOCATION_TO_SSLKEYLOGFILE>
N.B: LOCATION_TO_SSLKEYLOGFILEcan be a path of your choice, file will be created automatically after.
After setting the ENV variable you have to set a proxy, either to your browser or to your system.
The proxy should point to localhost on port 8080 unless you have changed mitm default configuration settings.
To start mitm proxy just open a new terminal and type
$ mitmweb # For web version
$ mitmproxy # For terminal versionNow using mitm proxy you can reach and intercept all HTTP domains but when you try to surf on an HTTPS domain it will warn you that it's not secure to proceed.
To avoid this problem you have to simply download Mitm Certificate going on http://mitm.it.
Then select your operating system, download the certificate and install it.
This way you can also reach HTTPS domains without getting that warning.
To populate SSLKEYLOGFILE you have to navigate through different pages using SSL / HTTPS such as https://www.google.it so that SESSION KEYS
will be created inside of SSLKEYLOGFILE.
This step is really important, without it you cannot proceed in any way.
After configuring the proxy we need to setup wireshark.
First of all open wireshark and go to:
Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename
and select the target SSLKEYLOGFILE that has been generated before.
Now just start a new Wireshark scan on the target network-adapter and see all your requests (HTTP/HTTPS etc.) being logged on your screen.
In order to sniff packets of android apps you need to:
- Configure an android emulator
- Set proxy on the android emulator
- Install frida-server on android-emulator
- Disable SSL pinning of the App
The first thing to do is to configure an android emulator; the best way
is to use Android Studio Emulators.
When you are creating an emulator is important to choose a version that does not support
Google Play Store in order to gain root access to the device.
Once that the emulator is configured and started we have to setup the proxy on it. Just go
to android emulator settings and set a proxy with host localhost and port 8080.
Now you need to install frida-server, you can download it from the official repo:
After downloading frida, drag and drop the extracted content of the zip file into the emulator. Dragged file will be available into the download folder.
At this point enter inside the emulator with a shell with the following command:
$ adb root # Gain root permission in the shell
$ adb shell # Enter inside the android emulator with a shellThen copy frida-server in /data/local/tmp
$ cd storage/emulated/0/Download
$ cp frida-server-x.y.z-android-<architecture> \
/data/local/tmp/frida-server
Last thing to do is to start the frida-server doing the following:
$ ./frida-server &To install Objection on pc we just need the following command:
$ pip3 install objectionFirst we need to find the package of our app.
$ adb shell ps # Look for your app package -> ex. com.example.orgOnce you found the package connect to the frida process
$ objection -g <package-name> exploreWhen connection has been established, disable SSL Pinning
$ android sslpinning disableInstead of using objection, which most of times fail bypassing SSL pinning, we can use a script that I found here: https://github.com/httptoolkit/frida-android-unpinning
You just have to downlaod the file: frida-script.js
Once downloaded we have to install frida-tools with the following command:
pip3 install frida-tools
Now just execute:
$ frida --no-pause -U -l ./frida-script.js -f $TARGET_PACKAGE_NAMEAt this point SSL should be disabled for your application and now you can use it sniffing all requests. Requests can be seen in wireshark.
Jacopo De Gattis