Inspect encrypted packets on an Android device

It’s rather easy to decipher SSL encrypted traffic on any Android device. You install a self sign CA Certificate and bam!

With this attack you can read and tamper data on the fly, as long as you can catch the data flow.

Security implications

Adding a new certificate to your list of trusted credentials potentially gives the owner of that certificate the ability to impersonate any secure server such as a secure website or email server, defeating the verification mechanism of SSL. Only install new credentials from sources that you trust.

Source: http://tamingthedroid.com/trusted-credentials

Your best buddy

Packet Capture does all the work for you.

Download on Google Play

How it works

• Add trusted fake SSL certificate to your device
• Encrypt traffic with fake certificate
• Send traffic through your device VPN
• Decrypt with fake certificate
• Capture
• Encrypt with real certificate
• Send to destination

The following article explain how to set things up manually. Everything is explained thoroughly. If you read it carefully, you’ll understand the inner workings pretty easily.

Intercepting and decrypting SSL communications between Android phone and 3rd party server

How to prevent the attack

To prevent tempering you can sign the data with a public key and verify the signature on your server with the private key.

I’m still trying to figure out how to prevent decryption

Other revelant articles

• Android 4.0 add user certificates
• Working with certificates
• Issue 67037: Allow users to install own CA certificates
• End to End security, or why you shouldn’t drive your motorcycle naked