A commercial, privative Android app is suspected to use an HTTPS API to get the data it shows up. The ability to obtain this data is valuable to us, so we apply different reversing techniques to find out where this API is located and how to use it.

Disclaimer: For privacy (and maybe legal) reasons, we will not disclose identifying details of the app which was reverse engineered.

As mentioned on the description, this post describes a (successful) attempt to discover the source of the data an Android app uses, which would allow us to write scripts and harvest this data for our own benefits.

The first reasonable assumption we make is that this source of data is an HTTP(s) API, probably REST. To test this out, we create an AVD (Android Virtual Device), throw the APK into it, and see what kind of traffic produces:

$ /opt/android-sdk/tools/emulator -avd MarshmallowPutillax64
$ /opt/android-sdk/platform-tools/adb install /tmp/target.apk

We launch wireshark along wiht our target app and wait:

wireshark

As expected, most traffic is set via port 443, and a previous non-encrypted HTTP requests seems to hint that this later traffic is indeed HTTPS. It’s time to start playing with proxies.

Fortunately, the android emulator has native support for HTTP Proxies. This is, we can tell the emulator to transparently forward any HTTP(s) requests through a user-defined proxy. To accomplish this, we just launch the emulator with the proper CLI option:

$ /opt/android-sdk/tools/emulator -avd MarshmallowPutillax64 -http-proxy 127.0.0.1:8080

Of course, we have some kind of MITM-capable proxy on port 8080 of our machine. There are several options out there, like mitmproxy or Burp Suite. I’ll use the later, simply because I’m more used to it.

Of course this isn’t enough. The proxy will intercept HTTPs connections on the fly and generate a custom ca-signed certificate for each domain, but the system won’t trust these certificates. To bypass this restriction, we need to export the CA certificate the proxy uses, and add it to the Android system..

burpca

We can now adb push this file to the AVD and add it via the system settings:

$ /opt/android-sdk/platform-tools/adb push /tmp/ca.crt /sdcard

After adding it to the system, we can now try to access any site with the web browser, and the certificates will be seen as good. And of course, the traffic log will appear in our proxy software.

androidbrowser

Now it’s time to try with the app!