💾 Archived View for snowcode.ovh › tech › mitmproxy.gmi captured on 2023-04-26 at 13:08:23. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-01-08)

-=-=-=-=-=-=-

How to monitor HTTP(S) requests of an app on Android

I initially wanted to reverse engineer CovidScanBE but I discovered something surprising. Finding out that CovidScan is an Android App Bundle (AAB) took me hours, and that's the reason why the install always failed: it missed other files.

Now it's fixed but I really don't understand what happens.

Step 1: Installing requirements

The requirements for this tutorial are as follow:

adb (android-tools and android-sdk)

apktool

mitmproxy

SAI

Step 2: Patching the APK to allow self-signed certs

This part is only for Android 7.0 and above. Because of a change in Android's API, apps don't trust user certificates by default, so we need to edit the app to change that.

First we need to install CovidScan on the device from the PlayStore.

Then, let's create a directory for our project:

mkdir covidscan/
cd covidscan/

Once it's done, we can connect the phone to the computer and extract the APKs. Make sure to have USB Debugging and developper options enabled.

adb devices
adb shell pm list packages

This will list all the packages, among those, one of them is covidscan. The name is "be.fgov.ehealth.DGC.scan". So let's get the path to all the APKs and extract them

for file in $(adb shell pm path be.fgov.ehealth.DGC.scan | sed 's/package://')
do
    adb pull $file .
done

Now we need to patch "base.apk" and re-build the file.

apktool d base.apk
sed -i 's|<application |<application android:networkSecurityConfig="@xml/network_security_config" |' base/AndroidManifest.xml
nano base/res/xml/network_security_config.xml
# Paste the config there
apktool b base -o base.apk

Here's the config you need to paste:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

Now let's put all the APK files into a zip .apks file

zip covidscan.apks *.apk

Now send this file to your device and open it with SAI (make sure to have the Zip and Sign options enabled in the settings of SAI)

python3 -m http.server

Now uninstall the app you installed using the playstore and open the .apks with SAI to install it. And tada!

Step 3: Setting up mitmproxy

First let's run the daemon:

mitmproxy

Now let's add this to the phone and include the certificate:

1. Go into Settings > Wireless > Wifi and long press on a wifi then click on "modify"

2. Click on show advanced options > Proxy > Manual and enter the IP of your computer as hostname and 8080 as port

3. Open mitm.it on your phone, click to download the android cert, open it and add it as "VPN" with the name "mitmproxy"

Step 4: Using the app and monitoring the requests

Now you can open the app and start using it while looking at what's happening on your laptop's log. And that's where things get weird... Nothing happens. It kind of like this app is working offline and I really don't understand that.

I never thought about trying to open the app in airplane mode, as I never expected something like this could work in such a way.

How can it check the validity of a vaccine certificate without access to the internet? It seems it only needs 1 request per day, all the rest of time it's offline.