Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Sniffing an Android app to find API URL

Tags:

android

wireshark

packet-capture

packet-sniffers

network-security

I'm curious as to how I could figure out the API URL an Android application (any app I have installed) uses if it makes API calls to some online server (a RESTful service for example). I presume I have to capture packets on the device and maybe analyse them in Wireshark or something to find the URL? I'm fairly competent in Java/Android development, but a bit lost when it comes to any sort of network analysis business.

like image 578
derpyderp Avatar asked Dec 26 '13 01:12

derpyderp

People also ask

Where is API url stored in Android?

The best way in your case is store api url's in server because you can change them later. You'd create one url to fetch your api urls. Build your app based on an architecture like this. And don't forget anyone can see your server urls.

How do you get a url to hit an Android app?

Open your mobile phone network setting and set the http proxy and then you can grab request from you android app. Charles download url https://www.charlesproxy.com/。 Open WIFI wireless hotspot on your computer then connect to the hotspot。 Now you can use wireshark or httpScoop to grab request from you android app.

Do Android apps have a url?

Android App Links are HTTP URLs that bring users directly to specific content in your Android app. Android App Links can drive more traffic to your app, help you discover which app content is used most, and make it easier for users to share and find content in an installed app.

2 Answers

you can do this with help of WireShark. I am listing steps here

  1. Install WireShark on your computer
  2. now we have to create Android virtual device(AVD) so we will download Android SDK from official site. Android SDK come with emulator for testing
  3. after setting up Android SDK, create a Android virtual Device(AVD) on which we will install app
  4. start that virtual device. you can use command line to start (emulator @<AVD name>)
  5. after creating virtual device install app using adb command adb install app_file_name.apk
  6. now we can start capturing the packets so I will suggest to close other application on your computer which are using network so our captured packets would be more relevant.
  7. now start wireshark with root access

  8. select interface which you want to capture and click start to start capturing.

    wireshar start image

  9. now start using that app so packets will transfer to and fro and wireshark will capture it.

    list of packets

  10. if you have used app covering all sort of activity then you can stop wireshark to capture packets.

  11. now start main business to analyse packets carefully but not all packets are usefull for our job. so lets filter packets which are relevant for you. lets your IP address is 192.168.0.32 then filter all the packets whose IP is this. so filter expression will be ip.addr==192.168.0.32 apply this filter. still we an apply another filter to list up only relevant packets only so possibly that app is accessing API with HTTP protocol so apply HTTP filter. expression would be http. you can apply both are filter at once ip.addr==192.168.0.32 and http press enter to apply.

    wireshark details

  12. see the info carefully for listed packets you will see lot of important details, API keys, cookies etc

like image 132
Alok Avatar answered Sep 24 '22 12:09

Alok

A very fast method.
Go to PlayStore, search for Packet Capture

Download, install and run.
It's easy simple and fast. It will give you details about the APIs, URLs and response with their headers.

This application follows the concept of Packet Sniffing. Thus, this might not work with much secured applications like WhatsApp, Facebook, Twitter.

UPDATE 1:
The Packet Capture is no more available in playstore, try OS Monitor

UPDATE 2:
The Packet Capture is available again.

like image 33
reverie_ss Avatar answered Sep 23 '22 12:09

reverie_ss
Sign in to Comment

Related questions

Proper way to give initial data to fragments?
Android NumberPicker: Set min, max, default from XML
How to stop hack/DOS attack on web API
Does the presenter having knowledge of the Activity / Context a bad idea in the MVP pattern?
Making a HTTPS request using Android Volley
How to style the standard react-native android picker?
onTouchevent() vs onTouch()
Multiple Table SQLite DB Adapter(s) in Android?
Change icons in ActionBar dynamically
Android Open and Save files to/from Google Drive SDK
Get center visible item of RecycleView when scrolling
CardView background color states not being respected
Can I tweak my android emulator to make it fast?
Is Hibernate an overkill for an Android application? [duplicate]
Android SQLiteOpenHelper: Why onCreate() method is not called?
What is the difference between Android 4.4W (API20) and Android L (API20, L Preview) in the SDK Manager?
Android Gradle Project upgrading build tools to 21.0.1: aapt throws Exception
Android Color Picker [closed]
Getting a String from Plurals to use in XML?
Does EditText.getText() ever returns null?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!