Proxy Android emulator. A Guide To Charles Proxy for Mobile Development

Using an Android emulator for API hacking

Mobile apps are great targets for anyone interested in hacking APIs. Mobile apps will often connect to a supporting web application through an API.

By intercepting and reviewing the traffic with a tool like Burp Suite, you can get a pretty good understanding of how the API works and, if you’re lucky, spot some vulnerabilities.

As a matter of fact, you may want to check out this classic talk by Alissa Knight for Bugcrowd’s LevelUpX series explaining how she tested some fintech mobile apps and their supporting APIs and found hardcoded keys and tokens among other vulnerabilities.

So how does that work? Well, you need an Android emulator on your PC, whose traffic you can proxy through Burp Suite (hacking iOS apps requires a different workflow altogether that I won’t go into here).

On the emulator, you can either install your target apps directly using the Google Play Store, or use apps that you will have extracted as an APK file from an existing Android phone using APK Extractor.

Install Android Studio

There are a number of Android emulators around, such as Genymotion or Anbox. However, the one that worked best for me is Android Studio. It’s actually a full development environment for Android apps, that includes an Android emulator. This is how you install it on a Linux system:

Get the app from the Android Studio download page and save it to your home directory.

You will get a file called android-studio-2021.3.1.17-linux.tar.gz (note that the version number will likely have changed by the time you read this article).

Unpack it with: sudo tar -xvzf android-studio-2021.3.1.17-linux.tar.gz

cd into android-studio/bin then run: ./studio.sh

This completes the download and installs the full Android Studio application. A standard install takes up 6 Gb, but after creating a device, the install will take up 12 Gb. So make sure you have enough disk space.

Create and launch a virtual device

In Android Studio’s main window, click on the three vertical dots at the top right and select Virtual Device Manager.

Then, click on Create Device, at the top left of the window.

Now select a Nexus 5X then click Next.

Next, click on Pie. This will download the system image.

With Pie selected in the list, you can now click on Next.

Check the configuration and give your device a personalized name if you want to. Then click Finish.

To start the emulator, select the device in the list and click the start (triangle) button.

Your device starts up and appears in its own window.

Now you need to make sure your Wi-Fi access is functional.

Click on the surface of the device and move your mouse or pointer upwards. Then click on the Settings icon at the top right of the display.

Select Network & Internet.

Then click on Wi-Fi. Make sure Use Wi-Fi is on and AndroidWifi is indicated as Connected.

If the connection is down, you may want to check your proxy settings. To do this, click on the three dots at the bottom of the side bar.

In the box that shows up, select the Settings panel, then in the Proxy section, make sure No proxy is selected. Click Apply if required. Then close the box. You should be good to go.

Set your virtual device’s CA certificate

Now you need to install a CA certificate (as a reminder, this is a digital certificate that your virtual device’s web browser will need to access web sites using https).

Start Burp Suite, select the Proxy tab and the Options sub-tab.

Click the Import / export CA certificate button.

Under Export, choose Certificate in DER format and click the Next button.

Save the file and name it cert.cer. Now you can exit Burp Suite.

Open the file manager and drag the cert file onto the Android emulator device window.

In the Android emulator device window, go to the Settings app. Then scroll down to the Security & location panel.

Go to the Encryption credentials section. Then click Install from SD Card.

From the burger menu at the top left, select Downloads. Then choose cert.cer.

Name the certificate Burp then click OK.

When you get the message ‘Attention. Before you can use credential storage, your device needs to have a secure lock screen’, click SET LOCK.

Then select Continue without fingerprint then PIN. In the Secure start-up screen that comes up, click NO.

In the following Set screen lock screen, type in a PIN code then click NEXT. Then re-enter your PIN and click CONFIRM.

In Notifications, select Don’t show notifications at all then click DONE.

You’re back in the Encryption credentials panel. Now to check the certificate is properly set, click on User credentials. You should see the Burp credential as the only item in the list.

Configure your device’s proxy settings

Still in the Android emulator device window, click on the three dots at the bottom of the side bar.

In the box that comes up, go to the Settings panel. Then in the proxy section, make sure Use Android Studio HTTP proxy settings is unchecked. Then select Manual proxy configuration. In the Host name field, type 127.0.0.1 and in the Port number field, enter 8080. Then click Apply. Then close the window.

Start hacking

To check your settings, start Burp Suite, then go to the Proxy tab and the Intercept sub-tab. Turn Intercept on. Then in the Android emulator device window, start an app and interact with it.

In the below example, I’m using The Comment App from the vAPI vulnerable training API. I’m creating a new user. The app sends a POST request that is intercepted by Burp and displayed in the Intercept screen.

Congratulations! Your Android hacking lab is ready.

You’re not totally done yet, though. Many mobile apps implement certificate pinning to secure https communications between the app and the API server. This will require some extra work to bypass. This involves using Apktool to decompile and repack the app. You can also use a tool like Frida. This is beyond the scope of the present article but this article by Paul Renato will put you on the right track.

Hi! I’m a tech journalist, getting my feet wet in ethical hacking. What you will find here is me taking notes on the tools and techniques I’m learning and offering answers to the questions I had when I first got started not so very long ago.

A Guide To Charles Proxy for Mobile Development

Nelida is a developer who has a passion for tacos and code. She’s been a professional developer for 12 years working with a wide variety of languages and platforms for mobile, web, and back end. When not coding, she likes to read, hike, travel and do field research to find the best tacos.

Raise your hand if you have a bad memory. Now raise your hand if you’ve ever used or heard about Charles Proxy.

Here at Detroit Labs we use Charles because it’s a very powerful tool for debugging and testing mobile applications. By recording and displaying the data sent and received by our mobile apps, we gain the visibility we need to reliably diagnose and fix problems and validate our work.

The downside? We use Charles on every project here and the setup is so intricate that it’s incredibly hard to remember! To keep tabs on work that I’ve done, and to make everyone else’s lives easier, I thought it would be nice to create and share documentation that will keep some of the most common and not-so-common Charles features fresh in your memory.

The goal of this guide is to be brief and concise, so I will not talk about Charles in depth or explain how it works. This guide details the steps necessary to set up Charles for iOS and Android development and provides helpful step-by-step instructions for some of Charles’ less common, but extremely useful features.

The guide will cover the following:

Setting Up Charles for an iOS Simulator and Android Emulator

The first step to use any of the other Charles features is to make sure we are able to “listen” to the traffic from our app. We have two options: setting up our simulator/emulator or setting up our Device. In this section, we will explain the first option.

iOS Simulator

  • Reset your simulator to make sure you don’t have old or bad certificates.
  • In the Charles menu, go to Help > SSL Proxying and select Install Charles Root Certificate in iOS Simulators.
  • Restart your simulator.
  • Make sure you are listening for traffic on your computer. Go to the menu Proxy > macOS Proxy.
  • In Charles, make sure you have SSL Proxying enabled for the URLs you want to examine. For that, go to the menu Proxy > SSL Proxying Settings and Add the URL you are interested in. You can use to indicate a range of URLs.
  • Make sure to restart Charles after adding URLs in your SSL Proxying Settings.
  • If you haven’t already, click Start Recording in the top menu to start listening for traffic.
  • Run the app in the simulator. You should start seeing traffic! One way to confirm is by logging in to the app and searching for that particular network call. To make the search easier, you can add a filter in the Sequence view.

Android Emulator

  • In the Charles menu, go to Help > SSL Proxying and select Install Charles Root Certificate on a Mobile Device or Remote Browser.
  • Write down your local IP address with the port number next to it and the URL that appears in the window.
  • Go to your Emulator settings and click in the Proxy tab. Select Manual Configuration and as host name and port enter the IP address and port from step 2. Click Apply.
  • In your Emulator’s device settings, go to Security > Screen lock and create a PIN for the emulator. You will be asked to provide this anyway when it’s time to install the Charles certificate.
  • Inside the Emulator go to the web browser and enter the URL from step 2.
  • You will be asked to give a name for the certificate. Enter a name and tap OK.
  • Once you do that, you will need to enter your security pin from step 5. You will see a message when the certificate is installed.
  • In your Emulator’s device settings, again go to the network preferences and search for Cellular Networks or Mobile Network.
  • In Proxy and Port fields, enter the IP address and port from step 2. In the APN field, enter “http://”.
  • Turn airplane mode on and off so those changes take effect.
  • If you are using an Android version below Nougat you can skip this step and step 15. Create and add the following network security config file to your app.
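The config file that this last step refers to is not reproduced on this page. As an added example (not the guide's own file), the Python below embeds two constructed network security configs, one that trusts user-installed CAs only in debuggable builds and one that also trusts them in release builds, and audits them so that the second is flagged before it ships. The domain `api.example.test` and the function name are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a user-installed CA (such as the Charles root) is trusted
# only when the app is built with android:debuggable="true".
DEBUG_ONLY_CONFIG = """<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

# Constructed sample: the same trust placed in base-config and domain-config,
# where it also applies to release builds.
RELEASE_WIDE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.test</domain>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
</network-security-config>
"""


def audit_network_security_config(xml_text):
    """Return (scope, finding) tuples for settings that let an intercepting
    proxy read traffic outside debuggable builds."""
    findings = []
    for section in ET.fromstring(xml_text).iter():
        # debug-overrides is skipped on purpose: release builds ignore it.
        if section.tag not in ("base-config", "domain-config"):
            continue
        scope = section.tag
        if section.tag == "domain-config":
            domains = [d.text.strip() for d in section.findall("domain") if d.text]
            scope = "domain-config(" + ",".join(domains) + ")"
        for cert in section.findall("./trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append((scope, "trusts user-installed CAs"))
        if section.get("cleartextTrafficPermitted") == "true":
            findings.append((scope, "permits cleartext traffic"))
    return findings


if __name__ == "__main__":
    for label, text in (("debug-only", DEBUG_ONLY_CONFIG), ("release-wide", RELEASE_WIDE_CONFIG)):
        print(label, audit_network_security_config(text))
```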

Configuring an Android device to work with Burp Suite Professional

It’s possible to test web applications and mobile apps using a rooted Android device. To do this, you need to do the following:

  • Configure your Burp Proxy listener to accept connections on all network interfaces.
  • Connect both your device and your computer to the same wireless network.
  • To interact with HTTPS traffic, you need to install a CA certificate on your Android device at the system level.

Note

From Android 7 (Nougat) onwards, you need to use a rooted device in order to install a CA certificate at the system level. Rooting an Android device normally voids the warranty and there is a risk it could become unusable. Please understand the risks before proceeding.

Because of the diversity of Android devices and Android emulators, we can’t give specific instructions for every step of this process. However, we provide links to some external sites, which may help you to complete your configuration.

Step 1: Configure the Burp Proxy listener

To configure the proxy settings for Burp Suite Professional:

  • Open Burp Suite Professional and click Settings to open the Settings dialog.
  • Go to Tools > Proxy.
  • In Proxy Listeners, click Add.
  • In the Binding tab, set Bind to port to 8082 (or another port that is not in use).
  • Select All interfaces and click OK.

Step 2: Configure your device to use the proxy

Make sure that your Android device is disconnected from the Wi-Fi network before you attempt to configure the proxy settings:

  • In your Android device, go to Settings > Network & internet.
  • Select Internet and long-press the name of your Wi-Fi network.
  • Select Modify.
  • From the Advanced options menu, select Proxy > Manual.
  • Set Proxy hostname to the IP of the computer running Burp Suite Professional.
  • Set Proxy port to the port value that you configured for the Burp Proxy listener, in this example 8082.
  • Touch Save.

Step 3: Install a CA certificate on your Android device

In order to interact with HTTPS traffic, you need to install a CA certificate from Burp Suite Professional on your Android device. This step is complicated and it varies across devices and versions of Android.

In addition, you need to make further configuration changes in order to proxy HTTPS traffic from a Chrome browser that’s at version 99 or above.

For further information on how to perform these steps, you can refer to the following external links. Please note that we’re not responsible for the content of these pages:

Step 4: Test the configuration

To test the configuration:

  • Open Burp Suite Professional.
  • Go to Proxy > Intercept and click Intercept is off to switch intercept on.
  • Open the browser on your Android device and go to an HTTPS web page.

The page should load without any security warnings. You should see the corresponding requests within Burp Suite Professional.

Note

On some Android emulators you will need to add the proxy details from the emulator settings menu rather than the native Network/Wi-Fi settings on the emulated device.

Continuous testing with new Android emulator tools

Developers often use the Android Emulator during their day-to-day development to quickly test the latest changes before they are committed. In addition, developers are increasingly using the emulator in their continuous integration (CI) systems to run a larger suite of automated tests. To better support this use-case, we are open sourcing the Android Emulator Container Scripts and improving the developer experiences around two pain points:

  • Deployability: finding and running the desired version of Android Emulator.
  • Debuggability: tracking down bugs from remote instances of Android Emulator.

Deployability

Android supports a wide variety of hardware and software configurations, and the Android Emulator is no different. However, this wide variety can create confusion over environment configurations. How should developers obtain emulators and system images? What drivers are required? How do you run with or without CPU or GPU acceleration? (etc. etc.)

To address this we have launched:

  • Android Emulator Download Script. This script provides the current up-to-date lists of emulator images (both AOSP and with Google Play Services) as well as emulator binaries (supporting Linux, Mac OS and Windows). You can integrate this with your existing continuous integration system. Going forward, we aim to enhance this service to enable downloading of deprecated versions in addition to the latest versions to make it easier to reproduce historical test results.
  • Android Emulator Docker image generator. Android system images and the emulator are only one part of the story. For environment, drivers, and pre-installed system dependencies, we put together a Docker image generator. This creates the complete environment in which the Android Emulator runs. After you start up the Docker image, 1) port forwarding and ADB, or 2) gRPC and WebRTC, makes interaction with the emulator possible. Currently, the Docker image generator is designed to work in Linux. We are also looking at Mac OS and Windows hosts, so stay tuned!

To increase reproducibility, the underlying Dockerfile template makes the required command line flags and system dependencies more explicit (and reproducible via building Docker images from them). For hardware acceleration, note the --privileged flag that is passed to run.sh; we assume CPU acceleration is available when running the emulator, and --privileged is needed to run the containers with CPU acceleration (KVM) enabled.

For more details on how to create and deploy the Android Emulator image, go to the README.

Debuggability

When the emulator is running and a test or the emulator fails, it can be difficult to dive into the running environment and diagnose the error. Often, diagnosis requires direct interaction with the virtual device. We provide two mechanisms for direct interaction:

  • ADB
  • Remote streaming

In the case of ADB, we allow all commands, such as logcat and shell, by forwarding a particular port from the Docker guest to the host. Because the current port is 5555, we’ll need to collect more feedback and do more research on how best to separate ports across different containers.

Remote streaming

Security note: With remote streaming, keep in mind that once the service is started, anyone who can connect to your computer on port 80/443 can interact with the emulator. So be careful with running this on a public server!

With remote streaming, you can run the emulator in a container, which is as interactive as running locally. Running the emulator in a container makes it easier to debug issues that can be hard to discover using ADB commands. You can access the emulator using a browser with WebRTC, which is used to stream the video, and gRPC, which is used to send mouse and keyboard events to the emulator. Remote streaming requires three containers:

  • A container that hosts the latest emulator
  • A container with an Envoy web proxy needed for gRPC
  • A container with nginx to serve the React web app

You can compose the Docker containers together using docker-compose, as described in the README. The containers bind to port 80 and 443, so make sure you do not have a web server running. A self-signed certificate will be offered if you point the browser to the host. If you point your browser to the host you should see something like the image below:

Again, keep in mind that anyone who can connect to your host can interact with the emulator. So be careful with running this on a public server!

Let’s scale testing!

Testing can seem to be a tax on development time. However, as many seasoned developers have seen, proper automated testing can increase development velocity as the code base becomes bigger and more complex. Continuous testing should give you confidence that the change you make won’t break your app.

Mitmproxy and Android emulator

https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-Android/

Using mitmproxy, it’s possible to analyze HTTP(S) communication made by an application running in the Android emulator.

mitmproxy setup

An external mitmproxy Docker volume needs to be created with the following command:

    docker volume create mitmproxy

Once done, you can start mitmproxy:

    docker-compose up

The mitmproxy web interface is available at http://localhost:8081. Once started, mitmproxy will generate a certificate which you have to retrieve.

    mkdir /tmp/mycert
    pushd /tmp/mycert
    # Copy the generated CA certificate out of the mitmproxy volume
    docker run --rm -u $(id -u) -v $(pwd):/out -v mitmproxy:/in alpine cp /in/mitmproxy-ca-cert.cer /out
    # Name a copy <subject_hash_old>.0, the file name the Android system CA store expects
    cp mitmproxy-ca-cert.cer $(openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.cer | head -1).0

Proxy settings

To use your mitmproxy, you need to configure the proxy settings in the Android emulator. Once these settings are in place, you can no longer browse HTTPS web pages: you need to install your generated mitmproxy certificate.

Permanent certificate installation using ADB

Please note that permanent certificate installation can only be done with non-Google Play images. Use the following commands to copy the certificate to the emulator (replace c8750f0d with the hashed name of mitmproxy-ca-cert.cer):

    adb root
    adb shell mount -o rw,remount /
    adb push c8750f0d.0 /system/etc/security/cacerts
    adb shell chmod 664 /system/etc/security/cacerts/c8750f0d.0
    adb reboot
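The hashed name in these commands is what `openssl x509 -subject_hash_old` prints: the MD5 digest of the certificate's DER-encoded subject name, with its first four bytes read as a little-endian number. The Python below is an added example, not part of the mitmproxy instructions above; it derives that file name with the standard library only, from either a PEM file such as mitmproxy-ca-cert.cer or a DER export such as Burp's. The sample certificate is an unsigned skeleton constructed for the example, and all function names are assumptions.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Parse the DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def to_der(data):
    """Accept PEM (mitmproxy-ca-cert.cer) or raw DER (Burp's export) bytes."""
    begin, end = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"
    if begin not in data:
        return data
    body = data.split(begin, 1)[1].split(end, 1)[0]
    return base64.b64decode(b"".join(body.split()))

def subject_der(cert):
    """Return the DER bytes of the subject Name of an X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)  # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                  # optional [0] version field
        pos = end
    for _skipped in ("serialNumber", "signature", "issuer", "validity"):
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]

def android_ca_filename(data):
    """File name the certificate needs in /system/etc/security/cacerts."""
    digest = hashlib.md5(subject_der(to_der(data))).digest()
    return "%08x.0" % int.from_bytes(digest[:4], "little")

# Constructed sample input: an unsigned certificate skeleton, not a real CA.
def der_tlv(tag, value):
    n = len(value)  # lengths up to 255 are enough for this sample
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + value

def der_name(common_name):
    attr = der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, common_name)  # OID 2.5.4.3 (CN)
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, attr)))

ALG = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
SAMPLE_SUBJECT = der_name(b"Constructed Proxy CA")
VALIDITY = der_tlv(0x30, der_tlv(0x17, b"250101000000Z") + der_tlv(0x17, b"350101000000Z"))
TBS = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + ALG
              + der_name(b"Constructed Issuer") + VALIDITY + SAMPLE_SUBJECT + der_tlv(0x30, b""))
SAMPLE_DER = der_tlv(0x30, TBS + ALG + der_tlv(0x03, b"\x00"))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(android_ca_filename(SAMPLE_DER), android_ca_filename(SAMPLE_PEM))
```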

Certificate installation on google play images

Once the proxy is set, you need to go to mitm.it and then click to install your certificate.

After certificate is installed

You can browse HTTPS web pages, and at http://localhost:8081 you will see all your HTTP requests. For advanced usage, please refer to the mitmproxy homepage.
