Certificate Pinning Bypassing: Setup with Frida, mitmproxy and Android Emulator with a writable file system

MitMProxy Setup

Install mitmproxy

In order to intercept the traffic we will need a proxy interceptor tool, and in this tutorial we will use the mitmproxy CLI interface from within a docker container, but feel free to install it by using any other method listed in their docs.

Download the mitmproxy docker image:

sudo docker pull mitmproxy/mitmproxy:6.0.2

Test it works with:

sudo docker run --rm -it mitmproxy/mitmproxy:6.0.2 mitmproxy --version

The output should look like this:

Mitmproxy: 6.0.2
Python:    3.8.5
OpenSSL:   OpenSSL 1.1.1i  8 Dec 2020
Platform:  Linux-5.4.0-71-generic-x86_64-with

Start the mitmproxy

Before we add the mitmproxy certificate to the emulator’s system trusted store we need to first start mitmproxy, so that its certificate is created at ~/.mitmproxy.

To start mitmproxy we also need to provide the IP address on which it will listen. We will use the WiFi IP address, because that makes it easy to proxy the emulator through it later.

Find the WiFi IP Address

The emulator will need to reach the proxy over the WiFi network, where mitmproxy will be listening on port 8080.

To find the wifi ip address:

ip address | grep -i wlp -

You should see something like this:

3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.08/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0

The IP address on the inet line (192.168.0.08 in this example) is needed to start both mitmproxy and the emulator, so replace it with your own in every subsequent command where it appears.

Run mitmproxy listening on the WiFi network

Open a new terminal window or tab and execute:

sudo docker run --rm -it -v ~/.mitmproxy:/home/mitmproxy/.mitmproxy -p 192.168.0.08:8080:8080 mitmproxy/mitmproxy:6.0.2 mitmproxy --showhost --view-filter "~u shipfast | ~u auth0"

NOTE: We use the --showhost option to see the domain instead of just the IP address for each HTTP request in the mitmproxy console output. The --view-filter option limits the output to requests whose URL contains shipfast or auth0 (it takes a single filter expression, so the two terms are combined with the | operator), because they are the only API backends the app communicates with; otherwise the output will be very noisy due to all the other HTTP requests made by the Android OS and other installed apps.

The proxy is now listening on port 8080 for the IP address of your WiFi network.

Frida Setup

Install Frida with Python

Create the Python virtual env with:

python3 -m venv frida-venv

Activate the virtual env:

source frida-venv/bin/activate

Now that we are inside the virtual env, it is time to update it:

pip3 install -U setuptools

Next, install the Frida tools package with:

pip3 install frida-tools

Finally, test that Frida is correctly installed:

frida --version

Android 29 Emulator Setup

Environment

To use some of the tools bundled with Android studio we need to add them to the $PATH environment variable and set the $JAVA_HOME variable.

Java Home Var

If your $JAVA_HOME is not set then you need to set it:

export JAVA_HOME=/opt/android-studio/jre/jre

Avd Manager Path

Check that the avdmanager is in the path:

avdmanager

If it says that the command is not found then add it to the path with:

export PATH=~/Android/Sdk/tools/bin:$PATH

Try it out by listing the available targets:

avdmanager list target

Emulator Path

Check the command is installed:

emulator

If it says that the command is not found then add it to the path with:

export PATH=~/Android/Sdk/emulator:$PATH

Test it by listing your current emulators:

emulator -list-avds

Install Android API 29

If not already present in your Android installation, you need to add it.

Start by installing the platform tools with:

sdkmanager "platform-tools" "platforms;android-29"

Next, install the system image with:

sdkmanager "system-images;android-29;google_apis;x86"

Finally, accept all package licenses with:

sdkmanager --licenses

Create the Emulator AVD for Android API 29

Let’s create a Pixel AVD for Android API 29 with:

avdmanager create avd --name pixel-android-api-29 --package "system-images;android-29;google_apis;x86" --device "pixel"

Add the physical keyboard support:

echo "hw.keyboard=yes" >> ~/.android/avd/pixel-android-api-29.avd/config.ini

Start the Emulator with a Writable File System

To be able to add the mitmproxy certificate as a trusted certificate in the emulator we need to first make its file system writable.

Let’s start the emulator in writable mode:

emulator -avd pixel-android-api-29 -writable-system &> /dev/null &

Restart adb as root:

adb wait-for-device && adb root

The output should look like:

restarting adbd as root

In Android 29 we need to disable verification of the filesystem before we remount it as writable:

adb shell avbctl disable-verification

The output should look like this:

Successfully disabled verification. Reboot the device for changes to take effect.

Reboot for changes to take effect:

adb reboot && adb wait-for-device

After the device has finished rebooting, switch adb back to root:

adb root

Remount adb:

adb remount

The output should look like:

# ... some omitted output

remount succeeded

Add the mitmproxy Certificate to the Android Emulator

For mitmproxy to be able to intercept the traffic coming from the Android emulator, it is necessary to add its certificate to the emulator's trusted store; we will follow the instructions in the mitmproxy docs.

Create a hash of the certificate to use as the filename:

FILENAME=$(openssl x509 -inform PEM -subject_hash_old -in ~/.mitmproxy/mitmproxy-ca-cert.cer | head -1).0

Copy the certificate to a new file that uses the hash filename computed in the previous step:

cp ~/.mitmproxy/mitmproxy-ca-cert.cer $FILENAME

Push the certificate to the system trusted store of the emulator:

adb push $FILENAME /system/etc/security/cacerts

Give the certificate the correct permissions:

adb shell "chmod 664 /system/etc/security/cacerts/$FILENAME"

Reboot the emulator for changes to take effect:

adb reboot && adb wait-for-device

After the boot is completed you can move to the next step.
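The openssl one-liner above names the file after the old-style OpenSSL hash of the certificate subject, which is how Android looks certificates up in /system/etc/security/cacerts. The following Python script is an added example, not part of this gist, that derives that name from a certificate's DER bytes and also applies the collision suffix rule (<hash>.0, then .1 if that name is taken); the certificate it ships with is a constructed skeleton containing only the fields that precede the subject, so the script runs offline.

```python
import base64
import hashlib
import re

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour (mitmproxy-ca-cert.cer is PEM) and base64-decode."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def der_read(buf: bytes, off: int):
    """Decode the TLV at `off`; return (tag, content_start, content_end)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, off, off + n

def x509_subject(der: bytes) -> bytes:
    """Return the DER subject Name (header included) of a certificate."""
    _, off, _ = der_read(der, 0)                   # Certificate SEQUENCE
    _, off, _ = der_read(der, off)                 # TBSCertificate SEQUENCE
    if der[off] == 0xA0:                           # optional [0] EXPLICIT version
        _, _, off = der_read(der, off)
    for _ in range(4):                             # serial, sigalg, issuer, validity
        _, _, off = der_read(der, off)
    _, _, end = der_read(der, off)                 # subject Name
    return der[off:end]

def subject_hash_old(subject_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old: first four MD5 bytes read little-endian."""
    return "%08x" % int.from_bytes(hashlib.md5(subject_der).digest()[:4], "little")

def cacert_filename(der: bytes, existing=()) -> str:
    """Store naming rule: <hash>.<n> with the lowest n not already in `existing`."""
    h, n = subject_hash_old(x509_subject(der)), 0
    while f"{h}.{n}" in existing:
        n += 1
    return f"{h}.{n}"

# Constructed sample, not a real certificate: only the TBSCertificate fields that precede the subject (CN=mitmproxy).
SAMPLE_SUBJECT = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,
    der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x13, b"mitmproxy"))))
SAMPLE_CERT = der_tlv(0x30, der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
    + der_tlv(0x30, b"") * 3 + SAMPLE_SUBJECT))
```

To cross-check the FILENAME computed above, pass the contents of ~/.mitmproxy/mitmproxy-ca-cert.cer through pem_to_der and then cacert_filename; the result must match, or Android will not find the certificate in the store.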

Android Frida Server Setup

Install the Frida Server in the Android Emulator

Get the Android architecture:

adb shell getprop ro.product.cpu.abi

The output should look like:

x86

Now that we know the architecture is x86 we can use it to download the Frida server:

curl -Lo frida-server.xz https://github.com/frida/frida/releases/download/14.2.9/frida-server-14.2.9-android-x86.xz

After the download finishes, decompress it with:

xz -d frida-server.xz

Next, we will push the frida-server into the Android device with:

adb push frida-server /data/local/tmp

Give it executable permissions:

adb shell "chmod +x /data/local/tmp/frida-server"

Start the Frida Server in the Android Emulator

Now, open another shell on your computer to start the frida-server inside the Android device or emulator.

Switch adb to the root user with:

adb root

Start the Frida server in the background with:

adb shell "/data/local/tmp/frida-server&" &

Now, check the frida-server is running on the device:

frida-ps -U

The output should be a process list:

 PID  Name
----  ---------------------------------------------------
5310  adbd
1687  android.hardware.audio@2.0-service
1790  android.hardware.biometrics.fingerprint@2.1-service
...