What is the best way to analyze requests sent by a mobile application over SSL?
Question
What is the best way to analyze requests sent by a mobile application over SSL? The communication protocol is not necessarily HTTP/S so intercepting them with BURP/ZAP/Fiddler or any other HTTP proxy will not necessarily work, but - How do I get the traffic to even reach the proxy?
I've read some material here relating to similar subjects but I couldn't find a description of a complete flow I could follow to actually perform this task.
Does the device on which the application is installed need to be rooted for me to perform this task?
If the application uses certificate pinning, is there still a way to do this?
I am specifically interested in understanding how the WhatsApp security model works - i.e. what mechanism do they have in place to prevent a malicious user from fetching the chat history of a legitimate user (seeing as there is no actual login - is there a cookie/another mechanism sent from the device identifying the user in front of the server?)
Explanation / Answer
You could use a few ways to achieve that:
If you are using a mobile Android device, you could connect to a home wireless and use a computer as a host to do a MITM (man in the middle) and direct all of the mobile packets through your host and monitor the packets using Wireshark(?).
If you are using an emulator such as BlueStacks, you could install ProxyCap and edit the settings to redirect all BlueStacks packets through your local ProxyCap.
There are some apps to install on an Android device to redirect apps to a proxy, but they do not work 100%, and most apps do not apply to the proxy rule. Also, a rooted phone gives more options and variety when messing with this kind of stuff.
If you find more ways to do this, please share :)
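Once the device's traffic passes through your own host as the answer describes, the first client payload of each flow shows whether it is TLS at all and which server name it asks for, which tells you whether an HTTP proxy is worth pointing at it. The following is an added example, not part of the original answer; the sample payloads, host names and ports are constructed, and the parser reads only the unencrypted ClientHello.

```python
import struct

def build_client_hello(server_name):
    """Constructed sample input: a minimal TLS ClientHello record carrying an SNI."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni                # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                  # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 22 = handshake

def extract_sni(record):
    """Return the server_name in a ClientHello, or None if there is no SNI
    or parsing runs off the end of a cut-short record."""
    try:
        p = 5 + 4 + 2 + 32                                # record hdr, handshake hdr, version, random
        p += 1 + record[p]                                # session_id
        p += 2 + struct.unpack_from("!H", record, p)[0]   # cipher_suites
        p += 1 + record[p]                                # compression_methods
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, p)
            if etype == 0:                                # body: list_len(2) type(1) name_len(2) name
                nlen = struct.unpack_from("!H", record, p + 7)[0]
                return record[p + 9:p + 9 + nlen].decode("ascii", "replace")
            p += 4 + elen
    except (IndexError, struct.error):
        pass
    return None

HTTP_METHODS = (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS", b"CONNECT")

def classify_first_payload(port, data):
    """Label the first client-to-server payload of a captured TCP flow."""
    if data[:2] == b"\x16\x03" and data[5:6] == b"\x01":
        return ("tls", port, extract_sni(data))
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return ("http-cleartext", port, None)
    return ("other", port, None)

if __name__ == "__main__":
    samples = [(443, build_client_hello("api.example.test")),   # constructed flows
               (5222, build_client_hello("chat.example.test")),
               (80, b"GET /ping HTTP/1.1\r\nHost: example.test\r\n\r\n")]
    for port, data in samples:
        print(classify_first_payload(port, data))
```

A flow labelled `tls` on a port other than 443 is the case the question raises: the session is encrypted, but the protocol inside may not be HTTP, so an HTTP-only proxy may not parse it.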