简体繁体 English

如何从Android模拟器到远程服务器嗅探HTTPS流量？

[英]How to sniff HTTPS traffic from Android emulator to remote server ?

原文 2012-08-01 08:48:50 5 4 android/ fiddler/ sniffer

I want to monitor HTTPS traffic from my application to remote server. 我想监视从我的应用程序到远程服务器的HTTPS流量。 I am trying to follow this instruction and it works for HTTP (without s ), but not for HTTPS . 我试图遵循这个指令，它适用于HTTP （没有s ），但不适用于HTTPS 。

What is wrong? 怎么了？ Should I write some custom code in my application to use https-proxy ? 我应该在我的应用程序中编写一些自定义代码来使用https-proxy吗？

4 个解决方案

The easiest way to do this is to use CharlesProxy to proxy your device or emulator traffic for you. 最简单的方法是使用CharlesProxy代理您的设备或模拟器流量。 The only extra step you need to do is to install the CharlesProxy SSL certificate on your device/emulator which is very straight forward: 您需要做的唯一额外步骤是在您的设备/模拟器上安装CharlesProxy SSL证书，这非常简单：

Download the certificate from Charles Proxy (it's in their help menu) and place it on your device, then install via security settings on your device. 从Charles Proxy下载证书（位于帮助菜单中）并将其放在您的设备上，然后通过设备上的安全设置进行安装。

You then configure your device or emulators network connection to use a manual proxy and set it to the Charles Proxy address and port. 然后，配置设备或仿真器网络连接以使用手动代理并将其设置为Charles Proxy地址和端口。 Enable SSL proxying and your SSL connections will be securely routed end-to-end via Charles and Charles will be able to show you the content of requests and responses in the clear. 启用SSL代理，您的SSL连接将通过Charles和Charles安全地进行端到端路由，并且能够以明文方式向您显示请求和响应的内容。

I'm using WireShark for sniffing, it allow you to monitor and filter raw data. 我正在使用WireShark进行嗅探，它允许您监视和过滤原始数据。 But because you using https and all transactions encrypted i suppose it can't help you. 但是因为你使用https和加密的所有事务我认为它无法帮助你。 May be you can switch from https to http for debug, and later when all will be works fine change protocol back to https 可能是你可以从https切换到http进行调试，稍后当所有工作正常时将协议改回https

Do you mean you can't see the traffic at all or do you get it encrypted? 你是说你根本看不到流量还是加密了？ Is this a web application or native application? 这是一个Web应用程序还是本机应用程序？ which Android version are you using? 您使用的是哪个Android版本？ phone or emulator? 手机还是模拟器？

Normally, if you set up the proxy properly, you will get the traffic, but encrypted so you can't read it. 通常，如果您正确设置代理，您将获得流量，但加密，因此您无法读取它。 In order to see the actual content in Fiddler you would need your device to trust Fiddler's root certificate (used to create fake certificates on the fly). 为了查看Fiddler中的实际内容，您需要您的设备信任Fiddler的根证书（用于动态创建假证书）。 See this: 看到这个：

http://www.fiddler2.com/fiddler/help/httpsdecryption.asp http://www.fiddler2.com/fiddler/help/httpsdecryption.asp

Unfortunately, I have not found a way to add root certificates to an android device other than rooting it and replacing the certificate store (like this ) 不幸的是，我还没有找到一种方法来将根证书添加到Android设备，而不是生根它并替换证书存储（就像这样）

https means http secure, so it obviously can't be sniffed so easily. https意味着http安全，所以显然不能轻易嗅到它。 what would be the point if it would be the same unsecure thing as normal http? 如果它与普通的http一样不安全，那会是什么意思呢？

you have to learn a bit more about secure network comunications. 你必须学习更多关于安全网络通信的知识。 or, long story short, at least you will have to learn how to use a specilly devised http proxy like charles http://www.charlesproxy.com/documentation/welcome/ so you will be able to monitor you own https traffic in a clear form. 或者，长话短说，至少你将不得不学习如何使用像查尔斯http://www.charlesproxy.com/documentation/welcome/这样的specilly设计的http代理，这样你就可以监控自己的https流量了。清晰的形式。