How to intercept and decrypt TLS traffic

This recipe is dedicated to intrepid users 😎

PiRogue comes with a pirogue-intercept-tls helper to help you intercept encrypted TLS traffic from applications, even in presence of SSL certificate pinning.

This helper is meant to:

  • capture the network traffic
  • instrument a given application

Requirements

To follow this recipe, you need:

  • an up-to-date PiRogue
  • a rooted Android device

Procedure

First, SSH onto your PiRogue. Attach your smartphone to the PiRogue through USB and make sure “USB debugging” is on and working.

Identify and install the application

Android applications are identified by their package name. As an example, the French weather forecast application is fr.meteo. You can get the package name either from Google Play URL or from any tool analyzing Android apps such as Pithus, Virus Total, etc. In our example, the Google Play URL looks like https://play.google.com/store/apps/details?id=fr.meteo, the package name of the application is specified after id=.

Once you have identified the application you want to analyze, you have to download and install it on your target device. If you need to download the application from Google Play, we recommend to use apkeep (not installed by default on PiRogue).

Finally, to install the application, run the following command:

adb install <APK file>

Don’t launch the application.

Instrument and intercept

Once the application to be analyzed is installed on your Android device, connect your device to the PiRogue Wi-Fi network and run the following command:

sudo pirogue-intercept-tls -U -f <application package name> -o <path to the output directory>

Adapt the command according to the application you want to analyze. It will launch the application for you and all collected data will be saved in the output directory you specified.

Command capturing TLS traffic

Now, interact with the application freely. When you are done interacting with the app, hit Ctrl+C on your keyboard to stop interception.

Decrypt and view

Since we run the previous command with sudo, we have to fix the permissions of generated files by running:

chown -R pi:pi <path to the output directory>

Then enter the output directory with:

cd <path to the output directory>
Command fixing file permissions

Next, we generate a PCAPNG file containing both the TLS keys and the captured traffic:

editcap --inject-secrets tls,sslkeylog.txt traffic.pcap decrypted.pcapng

Next, we export the decrypted traffic in JSON:

tshark -2 -T ek --enable-protocol communityid -Ndmn -r decrypted.pcapng > traffic.json
Command decrypting TLS traffic

Finally, to view the decrypted traffic, run:

pirogue-view-tls -i traffic.json -t socket_trace.json
Command displaying TLS traffic

If you face any issue, join the Discord channel to get help.