![]() ![]() There's also requests elsewhere to set up the Facebook SDK and record data, configure Google ads, and to prepare to track app crashes later on. ![]() In here we can see Duolingo API requests to check authentication, record device & billing state, and read the app feature flags. Once that's done, you can start your target app, and immediately start examining its traffic!įor Duolingo for example, when you start the app you'll immediately see a big list of requests: This means that all HTTP and HTTPS from this device will be captured and shown in the HTTP Toolkit app. Once you've installed and started HTTP Toolkit, you should see an ADB option on the 'Intercept' page that looks like this:Ĭlick that, wait a few seconds, and you'll see the HTTP Toolkit app install and show a VPN setup prompt on the emulator:Īndroid interception uses a VPN which redirects all traffic from your emulator via the HTTP Toolkit app while the VPN is activated.Īccept this prompt, and you'll see confirmation that interception is setup and fully activated: ![]() If you haven't installed it yet, download it from here. It's open-source and all the core features are completely free. HTTP Toolkit is an HTTP debugger that can intercept, inspect & rewrite HTTP from any client, including Android. Next we need to intercept traffic from the emulator. That should print 'Success', and Duolingo will appear in the app menu on your emulator.To install the app we only need the first two, so run: adb install-multiple.If you extract the APK, you'll find 5 files: You can download the Duolingo XAPK from APKPure here.To install a normal APK you've downloaded into a running emulator, just run:Īs an example, let's install and intercept the Duolingo app: Some apps are published as APKs, and some are published as XAPKs (app bundles), but either one can be installed manually using adb, which comes with the Android developer tools. You can do it easily though by downloading the APK directly from a 3rd party mirror like and installing using the Android developer tools. Since we don't have Google Play, you can't do that from the normal app store. Once you've created your emulator, start it, and then we need to install the target app. The 'Google Play' target includes extra restrictions and is not easily interceptable. Uses a 'Google APIs' or 'Android Open Source Project' target image.Uses a relatively recent stable Android version - Android 7 to 13 should be fine. ![]() Uses an image matching your computer's architecture (ARM64 on M1/M2 Macs, x86_64 on most other computers) since the performance will be far better.Can be any device model, though things may be smoother with a popular device like a Pixel 4.To create an interceptable Android emulator, you should create an AVD, that: It is possible to create and start one using the Android SDK directly (see this article) but it's easiest to just install Android Studio, create an empty project, and use the developer tools provided there (if you're not familiar with these developer tools at all, there's an detailed official guide). Let's walk through how to do that, step-by-step: Setting up the emulator This means that you can't see their traffic with simple proxy tools, and you can't manually trust HTTPS debugging proxies without either editing and rebuilding the entire app, or setting up your own rooted device.įortunately, there's a quick & easy way around this: you can manually install official APKs into a normal Android emulator, which provides enough access that tools like HTTP Toolkit can capture all traffic for most apps for you totally automatically, and allow you to edit responses in just a couple of clicks. If you can see and edit these requests & responses then you can understand, debug, and change how any app works, but Android makes this hard to do.īy default, almost all apps will use HTTPS but won't trust user-installed certificates. HTTP is used by almost all Android apps to request data, load content, and send changes to backend servers. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |