Android system packet capture and feeding tutorial! Have you learned it?

1. Introduction

Hello everyone, I am Anguo!

Before writing a crawler, we need to capture the target application and analyze it before we can start writing the script.

For those who use iPhone, daily packet capture is not too easy. PC tools, such as Charles and Fiddler, are enough; "Stream" is a very powerful network packet capture application on iOS, with a simple interface and powerful functions.

But for those who use the higher version of Android system, packet capture is not so convenient! Because the higher version system has improved the security policy, the CA certificate must be placed in the system certificate directory to capture packets normally. The certificate installed by the user defaults to the user certificate, which makes many apps unable to capture packets normally.

This article will introduce the steps of packet capture in Android high version system based on common scenarios.

2. Non-Rooted Devices

Android also has a powerful network packet capture tool, namely: Little Yellow Bird "HttpCanary"

The specific steps are as follows:

2-1 Export HttpCanary root certificate

After installing the Little Yellow Bird App, go to the settings page and export the HttpCanary root certificate

Select "System Trusted(.0)" as the type

In this way, the HttpCanary root certificate is saved to the "internal storage path/HttpCanary/cert/...0" directory

2-2 Install APKPure and VMOS Pro apps

VMOS PRO download address: https://apkpure.com/cn/vmos-pro/com.vmos.ggp

PS: Since the VMOS PRO application format is XAPK, it is recommended to install the XAPK format application through APKPure

2-3 VMOS imports RE application, target application and HttpCanary root certificate

Open the VMOS Pro application, import the Root Explorer application, target application, and HttpCanary root certificate file

In this way, VMOS includes the target application, RE file management application, and the HttpCanary root certificate file is saved to "VMOSfiletransferstatio/" by default.

2-4 Import the certificate into the system certificate directory

In VMOS Pro, use the RE application to move the HttpCanary root certificate file to the system certificate directory.

System certificate directory: /system/etc/security/cacerts/

2-5 Start capturing packets

Open the Little Yellow Bird App, set the target application to "VMSO", then turn on the packet capture switch on the main interface, and finally operate the target application in VMOS

The network requests of the target application will be displayed in the list of the main interface of the little yellow bird.

It should be added that the "Parallel Space" is more recommended for packet capture in the Little Yellow Bird HttpCanary application, but in actual use, it was found that there were problems such as flashbacks and plug-in installation, so it is not recommended.

3. Root your device

If the phone has been rooted, we only need to move the third-party certificate (such as: Little Yellow Bird, Charles, etc.) to the system certificate directory.

Here we use the Yellow Bird App and Charles to explain, Fiddler is similar

3-1 Little Yellow Bird App Packet Capture

The steps are as follows:

• Unlock and root your phone
• Install the HttpCanary app and export the HttpCanary root certificate. The format selection is the same as above.
• Copy the CA certificate to the PC via a data cable
• Download adb on PC and configure environment variables
• Use the following series of adb commands to push the certificate to the system certificate directory:
• Open the Yellow Bird app and set the target app
• Click the capture button on the main interface of the little yellow bird to capture the target application.

 # Grant adb root permissions
 adb root
 # Disable system authentication
 adb disable -verity
 # Restart your phone
 adb reboot

 # Grant adb root permissions
 adb root

 # Before pushing files to the '/system' folder, you must first enter the command 'adb remount'
 adb remount

 # Copy the certificate to / system / etc / security / cacerts /
 # adb push 87 bc3517 .0 / system / etc / security / cacerts /

 # Restart
 adb reroot

 # Check whether the imported CA certificate is included
 adb root
 adb shell
 cd / system / etc / security / cacerts /
 ls

3-2 Charles captures the packet

The steps are as follows:

• Charles downloads the certificate (for example, CER certificate) in the help and copies it to the phone via a data cable
• Find this certificate in the file manager and install it manually
• By default, it will be installed in the user certificate
• Installation directory: /data/misc/user/0/cacerts-added/
• Use the following adb command to enable read and write permissions for the phone's system directory
• Install the RE file management application and grant root permissions, move the above certificate from the user certificate directory to the system certificate directory
• System certificate directory: /system/etc/security/cacerts
• Restart your phone
• Packet capture test

Check the IP address of the PC, keep the phone in the same LAN, set it to manual proxy, and finally capture the packet for testing

 # Execute with root privileges
 adb root
 # Disable system authentication
 adb disable -verity
 # Restart your phone
 adb reboot
 # Run with root privileges
 adb root
 # Remount
 adb remount

4. Final Thoughts

The above briefly describes the packet capture process in various scenarios of high-version Android systems based on whether the phone is rooted.

In addition to the above packet capture methods, there are many other options. For rooted devices, we can install Magisk mask and use movecert module to capture packets; or we can use EdXposed framework + trustmealredy module to capture packets. In actual work, we can choose the method that suits us according to our needs.