Android App Packet Capture
Starting from Android 7.0, apps no longer trust user-installed CA certificates (User Certificates) by default. To capture HTTPS traffic from any app, you must first root the device. This article explains how to install a packet capture certificate on a rooted Android 7.0+ device so that app traffic can be captured.
Rooting the Device (Using a Pixel Device as an Example)
Device Preparation
- Go to "Settings" -> "About phone" and tap "Build number" repeatedly until you are told that developer mode is enabled.
- After entering developer mode, go to "Settings" -> "System" -> "Developer options", and enable "OEM unlocking" and "USB debugging".
Install Android Platform Tools
- For macOS, you can directly use Homebrew to install:
brew install android-platform-tools
- For Windows, download and unzip the files (download link), and configure the environment variables.
- Verify the installation is complete:
adb --version
fastboot --version
Install Google USB Driver (Only for Windows)
Download the driver: https://developer.android.com/studio/run/win-usb
Connect the device to the Windows computer, open "Device Manager", find the device, and choose to install the driver from the downloaded driver package.
Download Flash Package
Find the corresponding flash package for your model at https://developers.google.cn/android/images, download and unzip it.
Flashing
- Connect the device to the computer, ensure the device is connected properly:
adb devices
- Reboot the device into bootloader:
adb reboot bootloader
- Ensure the device is connected properly in bootloader:
fastboot devices
- If the device shows "Device state: locked", you need to unlock the bootloader:
fastboot flashing unlock
- Execute flash-all in the flash package, and wait for the flashing to complete.
Obtain Root Access via Magisk
Principle: Magisk patches the boot.img in the flash package, and flashing the patched img in bootloader grants root access.
- Download Magisk and install it on the device:
adb install Magisk-v26.1.apk
- Open Magisk. If the Superuser option in the app's lower menu is not clickable, root access has not been obtained yet.
- Transfer the boot.img from the flash package to the device:
adb push boot.img sdcard/Download
- Click "Install" in Magisk and select the received boot.img. After installation, you will get a patched img file, for example, magisk_patched-26100_UdX9C.img.
- Transfer magisk_patched-*.img back to the computer:
adb pull sdcard/Download/magisk_patched-26100_UdX9C.img ./
- Reboot the device into bootloader:
adb reboot bootloader
- Flash the magisk_patched-*.img to the device:
fastboot flash boot ./magisk_patched-26100_UdX9C.img
- After flashing is complete, reboot the device:
fastboot reboot
- Open Magisk. If the Superuser option in the app's lower menu is available, root was successful.
Install movecert Module
Function of the movecert module: After the user installs the SSL certificate to the user store and reboots the device, this module will move the certificate to the system store.
- Download the movecert module and push it to the device:
adb push movecert-1.9.zip sdcard/Download
- Click "Install" in Magisk, and install movecert-1.9.zip.
- Click on Modules in the lower menu of Magisk to confirm the installation was successful.
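To check after the reboot that the capture certificate really reached the system store, you need the file name Android stores it under. The following is an added example, not code from the original article or from the movecert module: it computes the `<hash>.0` name of a CA certificate (the same value as `openssl x509 -subject_hash_old`), assuming the system store is /system/etc/security/cacerts; the sample certificate is a constructed, unsigned DER skeleton.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def subject_der(cert):
    """Return the raw DER bytes of the subject Name of an X.509 certificate."""
    _, start, _ = read_tlv(cert, 0)        # Certificate SEQUENCE
    _, pos, end = read_tlv(cert, start)    # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(cert, pos)
        if tag != 0xA0:                    # skip the optional [0] version field
            fields.append(cert[pos:nxt])
        pos = nxt
    if len(fields) < 5:
        raise ValueError("not an X.509 tbsCertificate")
    return fields[4]                       # serial, sigAlg, issuer, validity, subject

def system_store_name(cert):
    """File name Android uses for this CA: <subject_hash_old>.0"""
    if b"-----BEGIN CERTIFICATE-----" in cert:   # accept PEM as well as DER
        body = cert.split(b"-----BEGIN CERTIFICATE-----")[1]
        cert = base64.b64decode(body.split(b"-----END CERTIFICATE-----")[0])
    digest = hashlib.md5(subject_der(cert)).digest()  # MD5 of the subject DER
    return "%08x.0" % int.from_bytes(digest[:4], "little")

# Constructed sample: an unsigned DER skeleton, not a real proxy certificate.
def _der(tag, body):
    return bytes([tag, len(body)]) + body

SAMPLE_NAME = _der(0x30, _der(0x31, _der(0x30,
    _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"Constructed Proxy CA"))))
SAMPLE_CERT = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
    + SAMPLE_NAME + _der(0x30, b"") + SAMPLE_NAME) + _der(0x30, b"") + _der(0x03, b"\x00"))

if __name__ == "__main__":
    print(system_store_name(SAMPLE_CERT))
```

Pass the bytes of the CA certificate exported from your capture tool to system_store_name() and look for the resulting file name in the output of adb shell ls /system/etc/security/cacerts.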
Unroot the Device
- Reflash the original boot.img:
fastboot flash boot ./boot.img
- Lock the bootloader:
fastboot flashing lock