0

I'm developing an Android application; it is like a browser, has a web-view and sends http(s) requests. For debugging purposes, I want to be able to see the requests sent and received by the application (in particular the headers), but I'm unable to do so.

What I tried

  • I mainly debug the app with Chrome on PC, and use the Network Inspector in Chrome. The problem is that my app uses the ShouldInterceptRequest to intercept the requests and then manually sends a request with cronet. Chrome, in this case, shows some "provisional headers" that are from the original request, and not the headers of the actual request I sent manually.
  • I tried to use Fiddler and HTTP Toolkit, but the server I'm communicating with doesn't like the certificate they use, so they can monitor correctly, but, if active, I cannot reach the page I need to monitor.
  • I also tried the Android Studio network inspector, but it seems it works only for HttpURLConnection and OkHttp(1)

Thanks for your time.

Marco
  • Certificate issues with HTTP Toolkit will almost always be due to checks by the client, not the server. You can usually fix them by using a rooted ('Google APIs', not 'Google Play') emulator. – Tim Perry Jun 16 '22 at 07:45
  • Seems an interesting option. But the problem is just with that particular website, and not all websites. Anyway, do you have a link to show a more detailed procedure for what you described? – Marco Jun 16 '22 at 22:22
  • For a general emulator interception walkthrough, see https://httptoolkit.tech/blog/inspect-any-android-apps-http/. If it's only some specific traffic though, this is probably due to certificate pinning. You can fix that with Frida, see the guide here: https://httptoolkit.tech/blog/frida-certificate-pinning/ – Tim Perry Jun 17 '22 at 09:43
  • Ok, I will check them, and see, thanks – Marco Jun 18 '22 at 10:02
  • @TimPerry ah! The second link seems to me to be focused on apps that you didn't develop. I will try that method anyway, but I want to clarify that it is not the app being strict, but the server. The app is mine and I can control it; it sends the request to the server, and I can see it, but that particular server returns an HTML response saying "i think you are a bot" (if I use HTTP Toolkit). Would the link work for that too? – Marco Jun 18 '22 at 10:34
  • Ah yes - that's harder. That's not a certificate error, but yes servers with strict anti-bot detections will fire this with tools like HTTP Toolkit and others. That's a hard problem I'm afraid, and probably rules out all normal MitM proxy-style HTTP debugging options, sorry. – Tim Perry Jun 20 '22 at 11:32

1 Answer

0

If you're using a WebView, set a custom WebViewClient and override shouldInterceptRequest. That will pass in a WebResourceRequest object that will include all headers.

Gabe Sechan
  • No, that object doesn't generally have all headers. At least that's what I got from tests. It seems that some headers are added after the should intercept request. – Marco Jun 15 '22 at 15:12
  • If you're sending the actual request via cronet (which why you'd do that I have no idea, sounds like a horrible architecture), then it would be cronet adding any other headers. You'd need to look there. Or you know, not use a second HTTP stack for unknown reasons. I can't imagine that being anything but a massive stack of bugs caused by that architecture. – Gabe Sechan Jun 15 '22 at 15:30
  • I do that because I need to modify the web page that I'm loading, and that's the only way I found to do it. The problem at that point is "how do I find the final header of the request sent by cronet?" I think the problem is the same as with the WebResourceRequest headers: there are request headers, but the sent ones are different. Anyway, being able to read the full headers also for the normal request without cronet would be an improvement; still, your suggestion isn't enough. – Marco Jun 15 '22 at 16:06
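
An added example, not part of the original answer or its comments: a `WebViewClient` that logs what `shouldInterceptRequest` receives in the `WebResourceRequest`, with credential-bearing headers redacted so they do not end up in logcat. The class name `HeaderLoggingClient`, the log tag and the redaction list are assumptions made for illustration. As the comments under the answer report, the map may not contain headers added after this callback.

```java
import android.util.Log;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Locale;
import java.util.Map;

// Hypothetical class; attach with webView.setWebViewClient(new HeaderLoggingClient()).
public class HeaderLoggingClient extends WebViewClient {
    private static final String TAG = "ReqHeaders"; // constructed log tag

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view,
                                                      WebResourceRequest request) {
        // Invoked off the UI thread for each resource the WebView requests.
        StringBuilder sb = new StringBuilder();
        sb.append(request.getMethod()).append(' ').append(request.getUrl())
          .append(request.isForMainFrame() ? " [main frame]" : " [subresource]")
          .append('\n');
        // Only the headers known at interception time are in this map.
        for (Map.Entry<String, String> h : request.getRequestHeaders().entrySet()) {
            sb.append("  ").append(h.getKey()).append(": ")
              .append(redact(h.getKey(), h.getValue())).append('\n');
        }
        Log.d(TAG, sb.toString());
        // Returning null lets the WebView perform the load itself.
        return null;
    }

    // Keep secrets out of logcat: log only the length of sensitive values.
    private static String redact(String name, String value) {
        String n = name.toLowerCase(Locale.ROOT);
        boolean sensitive = n.equals("authorization")
                || n.equals("proxy-authorization")
                || n.equals("cookie");
        if (!sensitive || value == null) {
            return value;
        }
        return "<redacted, " + value.length() + " chars>";
    }
}
```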