Inspect encrypted packets on an Android device
It’s rather easy to decipher SSL-encrypted traffic on any Android device. You install a self-signed CA certificate and bam!
With this attack you can read and tamper with data on the fly, as long as you can catch the data flow.
Security implications
Adding a new certificate to your list of trusted credentials potentially gives the owner of that certificate the ability to impersonate any secure server such as a secure website or email server, defeating the verification mechanism of SSL. Only install new credentials from sources that you trust.
Source: http://tamingthedroid.com/trusted-credentials
Your best buddy
Packet Capture does all the work for you.
Download on Google Play
How it works
- Add trusted fake SSL certificate to your device
- Encrypt traffic with fake certificate
- Send traffic through your device VPN
- Decrypt with fake certificate
- Capture
- Encrypt with real certificate
- Send to destination
The following article explains how to set things up manually. Everything is explained thoroughly. If you read it carefully, you’ll understand the inner workings pretty easily.
Intercepting and decrypting SSL communications between Android phone and 3rd party server
How to prevent the attack
To prevent tampering you can sign the data with a public key and verify the signature on your server with the private key.
I’m still trying to figure out how to prevent decryption
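The tamper check described above, as an added example that is not part of the original post: a request is signed before it leaves the sender, and the receiver rejects it when an intercepting proxy has rewritten the body. It uses Node's built-in Ed25519 API, in which the private key produces the signature and the public key verifies it. The function names, the request fields and the 300-second freshness window are assumptions made for this sketch.

```javascript
const crypto = require('node:crypto');

// Constructed key pair for the demo. Assumption: the private key stays with the
// signing side and the verifying side holds only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Bind method, path, timestamp and a hash of the body into the signed message,
// so changing any of them in transit invalidates the signature.
function canonical(method, path, body, timestamp) {
  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
  return Buffer.from([method.toUpperCase(), path, String(timestamp), bodyHash].join('\n'));
}

// Signing side: returns a base64 Ed25519 signature over the canonical message.
function signRequest(method, path, body, timestamp, key) {
  return crypto.sign(null, canonical(method, path, body, timestamp), key).toString('base64');
}

// Verifying side: returns 'ok', 'stale' or 'bad-signature'.
function verifyRequest(req, key, now, maxSkewSeconds = 300) {
  if (typeof req.signature !== 'string') return 'bad-signature';
  if (Math.abs(now - req.timestamp) > maxSkewSeconds) return 'stale';
  const message = canonical(req.method, req.path, req.body, req.timestamp);
  const ok = crypto.verify(null, message, key, Buffer.from(req.signature, 'base64'));
  return ok ? 'ok' : 'bad-signature';
}

// Constructed request: the body is rewritten in transit, and the original is replayed later.
function demo() {
  const now = 1700000000;
  const body = '{"to":"alice","amount":10}';
  const req = { method: 'POST', path: '/transfer', body, timestamp: now,
    signature: signRequest('POST', '/transfer', body, now, privateKey) };
  const tampered = { ...req, body: '{"to":"mallory","amount":10}' };
  return {
    intact: verifyRequest(req, publicKey, now + 5),
    tampered: verifyRequest(tampered, publicKey, now + 5),
    replayedLate: verifyRequest(req, publicKey, now + 3600),
  };
}

console.log(demo());
```

The signature only detects modification in transit. The intercepting proxy still sees the request contents in the clear.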
Other relevant articles