intercept android https ssl traffic

intercept android https ssl trafficOne of the most important things in android application penetration testing is “Capturing Android application’s HTTPS traffic”. Reading HTTP traffic generated by android apps is some what easier than reading HTTPS traffic. Recently some peoples asked me about “how to get Facebook for Android access token”. It can be done by intercepting SSL / HTTPS traffic from Facebook application. So here it goes the easy way to intercept, read and modify ssl network traffic generated by android applications.

Things we need :
1) Android mobile phone.
2) WiFi Internet Connection.
3) Laptop or Desktop with Charles proxy installed.

Note : Desktop/Laptop should be connected to the same network connection where your mobile is connected. i.e. same WiFi connection.

Step 1 : Install intercepting proxy software (Charles proxy in our case)

Charles proxy is one of many good alternatives to Burp suite to perform Man in the Middle Attacks (MITM). Download charles proxy here. Read their documentation for any help related to installation.  By default, charles proxy listens to port number 8888. Charles proxy is available for Windows, Mac and Linux users.

Step 2 : Setup WiFi proxy in your android mobile


In your android mobile, go to Settings > Wi-Fi, long press the active network connection. Select “Modify network” > Tick “Advanced options”. Change none to manual under proxy drop down menu. Enter your computer’s local ip address (i.e. in host, 8888 in port. And also note down the local ip address of your mobile shown at the top of the Modify network menu. Please note that some older versions of android do not support WiFi proxy feature.

Step 3 : Install SSL certificate in android trusted credentials

Before installing ssl certificate, we need to add our android mobile’s local network ip in charles proxy access control list. Proxy – > Access Control Settings in charles proxy. Add the local ip we got from step 2 to the access control list. Download charles proxy ssl certificate zip here. Extract the certificate and copy it to your mobile’s SD storage. In your mobile, Settings > Security > Install (certificates) from Memory / SD Card and then select the certificate file.

Step 4 : Intercept SSL / HTTPS traffic

We can now intercept all HTTP traffic. For HTTPS, we need to enable SSL proxying in the settings of charles proxy. Proxy > Proxy Settings > SSL and select “Enable SSL proxying”. Add Hostname : * and Port : * in it. This will add all the domains and ports. You can change the wildcards as per your need.
That’s all we are done. Charles proxy shows all the requests made from android device. Make use of breakpoints in charles proxy to modify requests and responses. Now we can read and modify all the traffic (both http and https) generated by android applications which obey android proxy settings. Some apps disobey android proxy settings, we need to go for rooted android device in that case.

Also read how to hack Facebook and their prevention measures

For those who want to get the “Facebook for Android access token”, go to Facebook app in your mobile and you will be able to see the access token in Authorization header of every request sent to or in charles proxy.

I hope this post would be useful. Please let me know if you have any doubts.

Also read how to find Facebook ID of your page or group or profile using our online tool!

  • Thank you ,, so much i really love this experimental tutorials.

    i installed ssl in charlesproxy and it gets header from every website , but where i will get android facebook access token. sorry i cant find something like that

  • Anonymous

    You can't intercept the SSL communication if the app uses certificate pinning (to avoid man in middle attack)

    • You are right SSL Pinning prevents MITM attack. Try reverse engineering bypass.

  • Hello, does this method still work? I tried exactly the same thing and this is what I got

  • Isn’t there a way anymore to sniff Facebook’s Network Traffic? Always get an SSQL unknown_ca error

    • Laxman Muthiyah

      It is because of ssl pinning. Please try older versions of Facebook application to do so since they implemented ssl pinning recently.

  • limo

    how to use the burp suite