How to capture traffic from a mobile app

when I switched to the iPhone 5s several weeks ago, I knew I wanted to keep my old Android phone to play around with for infosec purposes. A couple weeks I finally got an opportunity to do exactly that. We had an app that we needed to find out where information input into the app was being sent. The original idea was simple: setup a wireless network for just the device to connect to and wireshark the traffic. I had another idea though: run some sort of PCAP capture app from the device to collect the outgoing traffic.

The Method

  1. Download WiFinspect from Google Play

  2. Root the phone

  3. Run the capture

  4. Export the capture from the phone

Download WiFinspect from Google Play

There are several apps out there that do PCAP capture as well as other “security” type of functions. I decided on WiFinspect because the app is part of a dissertation at the University of Birmingham. The app requires root access to run the PCAP capture and a few other functions. To do that you have to root the Android device. Which is essentially the same thing as jailbreaking an iPhone.

Root the phone

I’m not going to go through the whole process step-by-step because I found a video that does a great job of that. These are the instructions for a HTC 3D Evo, if you have another phone a simple Google search should get you your own instructions:

Run the capture

Open WiFinspect. Next click ‘Network Sniffer’ then Start Sniffing. At this point you can close the app and go to the application and start poking around in it.

Once you’re done go back to the WiFinspect and select ‘Stop Sniffing.’

 

Retrieve the capture

I was using my old HTC 3D Evo, so all I had to do was simply plug the device up to my computer and select the option to use it as a disk drive. I then opened Windows Explorer and navigated to the Removable Disk drive that appeared under Computer. In there the WiFinspect app had created a folder ‘Wi-Fi Probe’ and in there was the PCAP I needed to analyze. Just drag and drop that PCAP onto the computer you’ll be using Wireshark.