How to Inspect & Modify HTTP Traffic from Android Apps

Requestly is a popular open-source developer tool to inspect and modify traffic from your browsers, Android apps, iOS apps, etc.

In this blog post, I’ll walk you through how you can use Requestly to inspect network traffic, simulate API failures and redirect API calls on Android apps.

Setup

To connect your Android device with the Requestly desktop app, follow these steps:

  1. First, install the desktop app from the Requestly Downloads page.
  2. Once installed, open the Requestly desktop app and click on Connect apps
  3. Then, choose the Mobile apps and browsers section.
  4. Then, choose the Android External Device option and click on Setup Instructions

Step 1: Set up Proxy

Let’s first configure a manual proxy for our WiFi on our Android Device with the below steps 👇

  1. Open your WiFi settings and go to the currently selected WiFi.
  2. On the top right, you should see an option to edit the settings. Click on the edit icon.
  3. Next, you should see a list of settings for your current WiFi. We want to set a manual proxy for this WiFi, so select the “Manual” option under the “Proxy” option.
  4. Add the Host and Port as suggested by the Android Setup guide on your Requestly app.

Here’s the step-by-step demonstration on an Android device 👇

If you’ve done the above steps correctly and configured the proxy successfully, you should see the following page when you visit the URL http://amiusing.requestly.io/ (please note HTTP and not HTTPS here) on your device.

Now that you’ve configured a proxy on your device and can listen to HTTP traffic, let’s add a certificate on your device so that you can also listen to HTTPS traffic.

Step 2: Generate and add Certificate on Android Device

Follow these steps to generate and add a certificate on your Android device.

  1. Visit the URL http://requestly.io/ssl (please note HTTP and not HTTPS). Once you do that, an RQProxyCA.pem.cert file will be downloaded for you automatically.
  2. Then go to the Security and Lock Screen section of your device settings.
  3. Then, head over to the Encryption and Credentials section.
  4. Choose the Install a certificate option. Select the downloaded certificate and choose Install anyway.

Once you do that, the certificate will be installed on your device. Here are the above steps on my device:

Step 3: Verify Certificate Installation

Let’s also check whether the certificate was successfully installed on the device.

  1. Go back to the “Encryption and Credentials” section.
  2. Click on the “Trusted credentials” section.
  3. Switch to the “USER” tab and you should see the “RQProxyCA” certificate installed as shown below:

Great, you’re all set up now. Let’s inspect traffic from the popular Airbnb app on Requestly.

Inspecting Traffic from the Airbnb Android app

Launch the Airbnb app and head back to Requestly. You should start seeing all the Airbnb traffic on Requestly:

As you can see, all the API calls made by the Airbnb app to its server appear here. You can view any specific API call, observe its response and headers, and even modify the response.

On the Airbnb homepage, I see a listing on the top and when I click on this listing, it takes me to the details page of a particular listing.

If you head back to Requestly, you can easily set some filters and inspect the responses to narrow down which API is responsible for getting this data:

We can now find out the exact property name responsible for populating the title of that listing on the detail page and modify its value.

Modifying/Overriding API Responses in Android app

Requestly allows you to modify API responses on the fly, enabling you to simulate different scenarios and test your app’s behavior. Let’s modify the response of the API we just saw in the previous section, which is responsible for getting the details of the listing.

Right-click on the API request and select Modify Response Body.

Then, under the Static Data option of the Response Body section, find the property name that you need to modify. In this case, it was the “title” property under an object. The response object is quite complex and also deeply nested but luckily I can simply search for any property name or value that I need to update or modify in the response.

I’m going to change the “title” from “Mortlake” → “Mortlake View Bnb”.

The Airbnb listing is updated with the new title! Thus we’ve modified the response of this API. You can also check the modified response on the API itself.
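The search-and-replace step above, sketched in Python as an added example (not Requestly’s code and not from the original post): it lists every “title” property in a nested response and rewrites only the one whose value is “Mortlake”, so other “title” properties stay untouched. The sample response and all field names other than “title” are constructed for illustration.

```python
import copy
import json

# Constructed sample: a made-up, trimmed listing response. Field names other
# than "title" are hypothetical; only the nesting pattern matters here.
SAMPLE_RESPONSE = json.loads("""
{"data": {"listing": {"sections": [
  {"id": "header", "title": "Mortlake", "share": {"title": "Share this place"}},
  {"id": "reviews", "title": "Reviews", "items": [{"title": "Great stay"}]}
]}}}
""")


def walk(node, path="$"):
    """Yield (parent_dict, key, json_path) for every object member at any depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield node, k, f"{path}.{k}"
            yield from walk(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")


def find_key(response, key):
    """List (json_path, value) for every occurrence of `key`."""
    return [(p, parent[k]) for parent, k, p in walk(response) if k == key]


def override_value(response, key, old, new):
    """Return (modified_copy, changed_paths); only values equal to `old` change."""
    modified = copy.deepcopy(response)  # leave the captured response intact
    changed = []
    for parent, k, path in walk(modified):
        if k == key and parent[k] == old:
            parent[k] = new
            changed.append(path)
    return modified, changed


if __name__ == "__main__":
    for path, value in find_key(SAMPLE_RESPONSE, "title"):
        print(path, "=", repr(value))
    body, changed = override_value(
        SAMPLE_RESPONSE, "title", "Mortlake", "Mortlake View Bnb")
    print("changed:", changed)
    print(json.dumps(body, indent=2))  # paste as the static response body
```

Matching on the old value as well as the property name matters because a real response usually carries many “title” properties at different depths.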

SSL-Pinning

It’s important to note that the Requestly desktop app has no capability for handling SSL pinning. If the app you’re testing uses SSL pinning, it will reject the certificate presented by the Requestly proxy, and Requestly may not be able to intercept and modify its traffic. In such cases, additional measures or alternative tools may be required for testing.

An alternative tool that can help you with this is Frida. It is a dynamic instrumentation tool that can be used to inject custom code into mobile apps. With Frida, you can bypass SSL pinning in the app and capture its network traffic for analysis.

Conclusion

By incorporating Requestly into your Android app development toolkit, you can inspect and modify HTTP traffic with ease. Requestly enables you to gain valuable insights into app behavior, simulate various scenarios, and test your app’s resilience to different network conditions. With its user-friendly interface and powerful features, Requestly helps you streamline your development workflow and deliver high-quality Android apps.

This article was written by:

Siddhant Varma

Siddhant is a technology-agnostic engineer passionate about creating utility-rich and user-friendly software. I love sharing my learning about new tools, frameworks and technologies with the developer community.
