Stefan Arentz, October 2020
How to sniff network traffic from Fenix. You can install a certificate for an intercepting proxy and set up a proxy pretty easily, but Android won't show you traffic from applications unless they have explicitly opted in to trusting user-installed certificates.
This gist explains how to modify Fenix (or any APK really) to allow this.
You do not need a rooted device, but you may have to delete all copies of Firefox (Beta, Nightly, Release) before this works.
Note this will only show native traffic that goes through the Android network stack. In Fenix this is only third-party SDKs like Leanplum and Sentry. All browser traffic (pages, icons, services) goes through Mozilla's HTTP client, which you can intercept by using Remote Debugging or by configuring an intercepting proxy directly in Firefox. (Not covered in this document, but it probably should be.)
Note 2 - Looks like Fenix picks up the system proxy settings. So after going through this guide, browser traffic will also go through mitmproxy. However, encrypted traffic will not work because the mitmproxy certificate was not imported into Firefox. How to do that is a TODO.
Grab the version of Fenix that you want to inspect from the Fenix Releases page.
Install apktool (the example is for macOS):
brew install apktool
Unpack the archive:
apktool d fenix-82.1.1-arm64-v8a.apk
You should now see an unpacked application archive:
stefan@Pegasus ~/Downloads> ls -l fenix-82.1.1-arm64-v8a
total 56
-rw-r--r-- 1 stefan staff 22849 21 Oct 13:07 AndroidManifest.xml
drwxr-xr-x 3 stefan staff 96 21 Oct 13:07 META-INF/
-rw-r--r-- 1 stefan staff 1522 21 Oct 13:07 apktool.yml
drwxr-xr-x 28 stefan staff 896 21 Oct 13:07 assets/
drwxr-xr-x 88 stefan staff 2816 21 Oct 13:07 kotlin/
drwxr-xr-x 3 stefan staff 96 21 Oct 13:07 lib/
drwxr-xr-x 4 stefan staff 128 21 Oct 13:07 original/
drwxr-xr-x 194 stefan staff 6208 21 Oct 13:07 res/
drwxr-xr-x 16 stefan staff 512 21 Oct 13:07 smali/
drwxr-xr-x 3 stefan staff 96 21 Oct 13:07 smali_classes2/
drwxr-xr-x 14 stefan staff 448 21 Oct 13:07 unknown/
Edit the AndroidManifest.xml and add the following attribute to the <application> tag:
android:networkSecurityConfig="@xml/network_security_config"
It should look like this for Fenix 81:
<application android:allowBackup="false"
android:appComponentFactory="androidx.core.app.CoreComponentFactory"
android:icon="@mipmap/ic_launcher" android:label="@string/app_name"
android:name="org.mozilla.fenix.MigratingFenixApplication"
android:requestLegacyExternalStorage="true"
android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true"
android:theme="@style/NormalTheme"
android:usesCleartextTraffic="true"
android:networkSecurityConfig="@xml/network_security_config">
(Without line breaks)
Drop the following file in res/xml/network_security_config.xml:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config>
<trust-anchors>
<certificates src="system" />
<certificates src="user" />
</trust-anchors>
</base-config>
</network-security-config>
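The two edits above (the manifest attribute and the config file) are the whole opt-in, and they are easy to get wrong by hand: an app can point at only one network security config, so if the APK already declares one, adding a second attribute does nothing and you have to edit the file it already names. The script below is an added example, not Fenix or apktool code: it patches an apktool-unpacked directory, reuses an existing config resource when one is declared (adding the user trust anchor to its base-config), and otherwise writes the config shown above. The directory layout (AndroidManifest.xml at the top, resources under res/) is what apktool produces; the sample manifest embedded in the script is constructed from the <application> tag shown above, with the attribute not yet present.

```python
"""Add the user-CA trust opt-in to an apktool-unpacked APK (added example, not Fenix code).

Assumes the layout `apktool d` produces: AndroidManifest.xml at the top level, resources
under res/. Per-domain trust anchors (<domain-config>) are not handled here.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

CONFIG_NAME = "network_security_config"  # resource name used in the guide above

# Same config as the guide: trust system CAs plus user-installed CAs for every connection.
NETWORK_SECURITY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed sample: a minimal manifest around a cut-down Fenix <application> tag,
# before the attribute has been added.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.mozilla.firefox">
    <application android:allowBackup="false"
        android:name="org.mozilla.fenix.MigratingFenixApplication"
        android:usesCleartextTraffic="true">
        <activity android:name=".HomeActivity"/>
    </application>
</manifest>
"""

_APP_TAG = re.compile(r"<application\b[^>]*>", re.DOTALL)
_NSC_ATTR = re.compile(r'android:networkSecurityConfig\s*=\s*"@xml/([A-Za-z0-9_]+)"')


def patch_manifest(manifest: str, config_name: str = CONFIG_NAME) -> tuple[str, str]:
    """Return (patched manifest, name of the config resource the app will load).

    Only one networkSecurityConfig is honoured per app. If the tag already has one,
    the manifest is returned unchanged and the existing name is reported so the
    caller edits that file rather than adding a second, ignored attribute.
    """
    match = _APP_TAG.search(manifest)
    if match is None:
        raise ValueError("manifest has no <application> element")
    tag = match.group(0)
    existing = _NSC_ATTR.search(tag)
    if existing:
        return manifest, existing.group(1)
    head = "<application"
    new_tag = f'{head} android:networkSecurityConfig="@xml/{config_name}"{tag[len(head):]}'
    return manifest[: match.start()] + new_tag + manifest[match.end():], config_name


def add_user_trust_anchor(config_xml: str) -> str:
    """Make an existing network security config trust user CAs in its <base-config>.

    Creates <base-config>/<trust-anchors> when absent and keeps the system anchor so
    ordinary sites keep working. <domain-config> blocks with their own trust-anchors
    still override this for their domains and are left untouched.
    """
    root = ET.fromstring(config_xml)
    if root.tag != "network-security-config":
        raise ValueError(f"unexpected root element <{root.tag}>")
    base = root.find("base-config")
    if base is None:
        base = ET.SubElement(root, "base-config")
    anchors = base.find("trust-anchors")
    if anchors is None:
        anchors = ET.SubElement(base, "trust-anchors")
    present = {c.get("src") for c in anchors.findall("certificates")}
    for src in ("system", "user"):
        if src not in present:
            ET.SubElement(anchors, "certificates", src=src)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def patch_unpacked_apk(app_dir) -> Path:
    """Patch the manifest and write or merge the config; returns the config file path."""
    app_dir = Path(app_dir)
    manifest_path = app_dir / "AndroidManifest.xml"
    original = manifest_path.read_text(encoding="utf-8")
    patched, name = patch_manifest(original)
    if patched != original:
        manifest_path.write_text(patched, encoding="utf-8")
    config_path = app_dir / "res" / "xml" / f"{name}.xml"
    config_path.parent.mkdir(parents=True, exist_ok=True)
    if config_path.exists():
        merged = add_user_trust_anchor(config_path.read_text(encoding="utf-8"))
        config_path.write_text(merged, encoding="utf-8")
    else:
        config_path.write_text(NETWORK_SECURITY_CONFIG, encoding="utf-8")
    return config_path


if __name__ == "__main__":
    # Usage: python patch_nsc.py fenix-82.1.1-arm64-v8a   (the directory apktool d created)
    print("wrote", patch_unpacked_apk(sys.argv[1]))
```

Run it on the unpacked directory before the apktool b step. If it reports a config name other than network_security_config, the app already shipped its own policy and the script has merged the user anchor into that file; check the result for <domain-config> sections, since those keep their own trust anchors.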
Now package the app back together again with:
apktool b fenix-82.1.1-arm64-v8a -o fenix-82.1.1-arm64-v8a_mitm.apk --use-aapt2
Generate a key to sign this APK with:
keytool -genkey -alias fenix_mitm -keystore fenix_mitm_keys -keyalg RSA -keysize 2048 -validity 10000
(You can accept all the defaults for questions it asks. Remember the password.)
Sign the APK:
jarsigner -verbose -keystore fenix_mitm_keys fenix-82.1.1-arm64-v8a_mitm.apk fenix_mitm
Remove the official Fenix from your device: because the installed version is signed with a different key, you cannot overwrite it with this version.
Install via adb:
~/Library/Android/sdk/platform-tools/adb install fenix-82.1.1-arm64-v8a_mitm.apk
If this fails with an INSTALL_FAILED_SHARED_USER_INCOMPATIBLE error, then you will also have to delete Beta and Nightly before Android allows you to install this re-signed version.
Many tools exist; here are the instructions for mitmproxy, which you can install with brew install mitmproxy.
Start mitmproxy in a terminal window:
brew install mitmproxy
mitmproxy
For this to work your Android device must be able to reach your Mac on the local network. Find out your Mac's IP address and then open https://192.168.0.x:8080 in any browser on your phone. You should see a MITM Proxy landing page.
Follow this path:
- Settings
- Network & Internet
- Wi-Fi
- Network Settings (gear icon next to the network name)
- Advanced
- Edit (pencil icon in the toolbar)
- Advanced Options
- (Almost there)
- Scroll down to Proxy
In the proxy settings use:
- Manual
- Proxy hostname: 192.168.0.x (your Mac's IP address)
- Proxy port: 8080
Save.
To test, open http://captive.apple.com in Chrome (Important!) and you should see this request in your terminal window running mitmproxy. This works because it is an HTTP request. To see HTTPS requests, follow the next step.
In Chrome (Important!), open http://mitm.it. You should see a page that says Click to install your mitmproxy certificate. Tap Android. Chrome will open it; give the certificate a name like mitmproxy and select VPN and apps for the Credential use setting.
Now you should be able to proxy HTTPS traffic. To test, in Chrome (Important!) open any https: site and you should see the traffic in your mitmproxy.
Traffic appears as you browse. Use the up/down arrow keys to scroll through the list. Hit return on any request to see details. In the details you can switch between request, response and details with the left/right arrow keys. Hit q to go back to the previous screen.