Man In The Middle Android APK Network Traffic

Today we examine how we can Man In The Middle (MITM) Android APK HTTPS traffic for further inspection during a malware analysis session.
MD5
6ac138f455d28fa15c3881ca48aca615
Details

Since debugging third-party APKs is hard and reverse engineering heavily obfuscated APKs is extremely difficult, our next best option is to let the APK run and observe how it behaves. When we do this type of dynamic analysis we are primarily looking at which permissions the APK requests and which callouts it makes.

Unfortunately, most APK malware now uses HTTPS for its callback domains. This makes inspecting the network traffic with network monitoring software like Wireshark or tcpdump impossible without some sort of Man In The Middle technique.

Being able to inspect the malware's network traffic provides vital Indicators of Compromise (IOCs) to triage analysts and gives reverse engineers contextual information that helps them focus on key routines within the APK.

In this video tutorial we go over how to use a tool named mitmproxy on Kali Linux to intercept and decrypt IPv4/IPv6 traffic from an Android emulator running APK malware.
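Once mitmproxy is decrypting the emulator's traffic, the IOCs mentioned above can be harvested automatically. The following addon is an added example and not part of the original tutorial: it reduces every intercepted request to host, port, path, query keys, User-Agent and a body hash, flags beacons to bare IPv4/IPv6 addresses, and writes each new endpoint once. The `request` hook and `flow.request.pretty_url`/`raw_content` are mitmproxy's own API; the file name `apk_ioc_logger.py` and the `apk_iocs.jsonl` output path are assumptions.

```python
import hashlib
import ipaddress
import json
from urllib.parse import parse_qsl, urlsplit

def is_ip_literal(host: str) -> bool:
    """True when the APK beacons to a bare IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def extract_iocs(method: str, url: str, headers, body: bytes = b"") -> dict:
    """Reduce one decrypted request to the fields a triage analyst wants."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # IPv6 literals come back without brackets
    return {
        "method": method.upper(),
        "host": host,
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "path": parts.path or "/",
        "query_keys": sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}),
        "user_agent": headers.get("User-Agent", ""),  # mitmproxy Headers is case-insensitive
        "host_is_ip": is_ip_literal(host),
        "body_sha256": hashlib.sha256(body).hexdigest() if body else None,
    }

class IOCLogger:
    """mitmproxy addon: one JSON line per new (host, port, path) the APK contacts."""
    def __init__(self, out_path="apk_iocs.jsonl"):
        self.out_path = out_path  # None keeps records in memory only (assumed default name)
        self.records, self._seen = [], set()

    def record(self, ioc: dict) -> bool:
        key = (ioc["host"], ioc["port"], ioc["path"])
        if key in self._seen:  # repeat beacon to an endpoint already logged
            return False
        self._seen.add(key)
        self.records.append(ioc)
        if self.out_path:
            with open(self.out_path, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(ioc) + "\n")
        return True

    def request(self, flow) -> None:  # mitmproxy hook, called for every request
        req = flow.request
        self.record(extract_iocs(req.method, req.pretty_url, req.headers, req.raw_content or b""))

addons = [IOCLogger()]  # loaded by: mitmproxy -s apk_ioc_logger.py
```

The resulting `.jsonl` can be handed to triage as-is, while the deduplication keeps a chatty beacon loop from flooding the file.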

What You'll Need