PCAPdroid-mitm
Traffic interception by mitm add-ons does not work in root mode
When the program is enabled in root mode, add-ons loaded into PCAPdroid mitm do not receive requests. This is evidenced by the absence of messages from the program, which are present in normal mode.
Program version: 1.8.3
Code to reproduce the problem:
```python
class Dec:
    # Runs once when the addon module is loaded, hence the lone "START" line in the log
    print("START")

    # Called by mitmproxy for every client request that reaches the proxy
    def request(self, flow):
        print(flow.request.pretty_url)
        print(flow.request.url)
        print(flow.request.headers)

    # Called by mitmproxy once the server response is available
    def response(self, flow):
        print(flow.request.pretty_url)
        print(flow.request.url)
        print(flow.request.headers)
        print(flow.response.content)


addons = [Dec()]
```
Result:
Only a message about starting the program
Does it work for you in non-root mode with PCAPdroid 1.8.3? For me it does not work in either mode; I need to check this.
Actually this works as expected. I wrongly used www.example.com instead of example.com, this is why it did not work in the first test. You can see here that it works as expected
https://github.com/user-attachments/assets/6db252a8-a1fe-40f8-b49a-8efd07ffadd4
Hello. Watch my video: I first try without root rights, then with root rights in Google Chrome. Even though I clear the cache and refresh the page, when working through a regular VPN everything works correctly, but when working through root nothing happens. Program version 1.8.3 https://youtu.be/9rYqx2OQhvI
In general, I notice very strange behavior of the program. As you can see, I constantly have to clear the cache so that the page is updated in normal mode. As for root mode, I managed to change the traffic several times, but then it didn't work anymore; it feels like PCAPdroid just doesn't catch the necessary requests and loses them somewhere.
@emanuele-f
You should block QUIC, which you cannot currently decrypt with mitmproxy. To do so, you should run PCAPdroid in non-root mode and enable the Block QUIC option from the settings. You don't need root decryption to decrypt browsers like Chrome.
Other than this, browser cache also plays a role. You would need to disable caching by modifying requests with specific HTTP headers. You can get an idea from my js_injector plugin https://github.com/emanuele-f/PCAPdroid-mitm/blob/master/app/src/main/python/js_injector.py#L61; however, caching still occurred in some cases, so some other headers are probably needed. If you figure out what's missing, please create a pull request with a fix.
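As an added example, not code from the PCAPdroid-mitm project, from the js_injector plugin or from anyone in this thread, the following mitmproxy addon implements the header-based cache defeat the reply above describes: it strips the conditional request headers that let a client get a 304 instead of a body, marks every response non-cacheable, and counts any 304 that still slips through so you can see which validator you missed. The file name nocache_addon.py and the header lists are the example's own choices; whether a particular app honours these headers is a separate question.

```python
# Added example for this thread (not code from the PCAPdroid-mitm project):
# a mitmproxy addon that strips HTTP caching so every reload reaches the proxy
# instead of being answered from the browser/app cache. Load it like any other
# PCAPdroid mitm addon, or on a PC with:  mitmproxy -s nocache_addon.py
# The header names are standard HTTP; the lists below are this example's choice.

# Request headers with which a client asks for "304 Not Modified" instead of
# a fresh body. Compared case-insensitively.
CONDITIONAL_REQUEST_HEADERS = (
    "if-none-match",
    "if-modified-since",
    "if-match",
    "if-unmodified-since",
    "if-range",
)

# Response headers that let the client store the body and revalidate it later.
CACHE_VALIDATOR_HEADERS = ("etag", "last-modified", "age")


def _drop_headers(headers, names):
    """Delete every header whose lower-cased name is in `names`.

    `headers` may be a plain dict (used in the self-test) or mitmproxy's
    Headers object; both support keys() and `del`. Returns the names removed.
    """
    removed = []
    for name in list(headers.keys()):
        if name.lower() in names:
            del headers[name]
            removed.append(name)
    return removed


def strip_conditional_request_headers(headers):
    """Force the origin to answer with a full 200 body rather than a 304."""
    removed = _drop_headers(headers, CONDITIONAL_REQUEST_HEADERS)
    headers["Cache-Control"] = "no-cache"
    headers["Pragma"] = "no-cache"
    return removed


def disable_response_caching(headers):
    """Tell the client not to store or revalidate this response."""
    removed = _drop_headers(headers, CACHE_VALIDATOR_HEADERS)
    headers["Cache-Control"] = "no-store, no-cache, must-revalidate, max-age=0"
    headers["Pragma"] = "no-cache"
    headers["Expires"] = "0"
    return removed


class NoCache:
    """mitmproxy addon: rewrite both directions and flag any 304 that gets through."""

    def __init__(self):
        self.requests_seen = 0
        self.not_modified_seen = 0

    def request(self, flow):
        self.requests_seen += 1
        removed = strip_conditional_request_headers(flow.request.headers)
        print(f"[nocache] {flow.request.pretty_url} dropped={removed}")

    def response(self, flow):
        disable_response_caching(flow.response.headers)
        if flow.response.status_code == 304:
            # A 304 means the client still sent a validator we did not strip:
            # add that header name to CONDITIONAL_REQUEST_HEADERS above.
            self.not_modified_seen += 1
            print(f"[nocache] WARNING: 304 for {flow.request.pretty_url}")


addons = [NoCache()]
```

The 304 counter is the useful diagnostic: if it stays at zero and a page still does not refresh, the client is serving from its own store without revalidating, and only clearing the app's cache (or disabling it in the app) will help.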
@emanuele-f This problem is not only with browsers and applications sending QUIC requests; this problem also exists with other applications. I demonstrated the browser as an example. This is Android 13, and I have seen a warning that starting from Android 12 it may not work correctly, but I have Android 11 where exactly the same problem occurs.
Working in root mode is necessary so that another VPN can work simultaneously with mitm scripts, which cannot work through root, and most sites in my country do not work without a VPN. Try to run tests on real applications: take some user application and intercept the necessary request, at least on Android 11.
Regarding root capture, you can try running in a work profile, where you can use a second VPN, but it will be limited to the traffic of the work profile.
Stuff related to TLS decryption needs to be checked case by case, as there are different layers of protection and possible interference (e.g. caching). This feature in PCAPdroid is provided as a basis; it's up to you to use it effectively based on the specific circumstances. It's not meant (because of time and resources) to be a comprehensive and fully automated solution.
In short, if you want to succeed in this you will need to proceed step by step with increasingly difficult apps to decrypt, taking the time to understand the technologies and tools and removing interference. There is no easy way afaik. From this project's point of view, I've shown that this feature works as expected.
Ok. But I want to say once again that there are no problems with decryption in normal mode. This program is losing traffic in root mode.
Root decryption works too, as I showed above. In your case something is interfering with it, due to QUIC or another specific case. To spot the issue, you need to isolate the problem.
PCAPdroid cannot intercept root requests on two different devices with different versions of Android, including Android 11, on which everything should work, in different applications, as well as with different architectures. The application sees the request but does not display it, as if there was no data exchange. Have you tried to test this on a real device? Video: https://youtu.be/sWV2WtqfysI
I've shown it in https://github.com/emanuele-f/PCAPdroid-mitm/issues/21#issuecomment-2713144510 . Real device or emulator does not make a difference here
Then why does it work for you and not for me?
Probably browser cache: https://github.com/emanuele-f/PCAPdroid-mitm/issues/21#issuecomment-2722499084 . If it works when you flush your cache, then this is the reason.
The problem with decrypting requests is with all applications, not just browsers, and it's not about the cache.
Maybe you can try with Termux as I showed above; it's a quick test. You should try debugging this by running mitmproxy on a PC (see https://emanuele-f.github.io/PCAPdroid/tls_decryption#35-decrypting-via-an-external-mitmproxy) and tracing the HTTP request flow in the mitmproxy code until you spot the cause.
How can I track a request if, when root mode is enabled, the ability to redirect traffic to the mitmproxy computer is disabled?
Watch this video: https://youtu.be/GPdosXuY5Z0 . Here I am trying to send requests from Termux to various subdomains of the example site (changing the page only for .com) and trying to decrypt them in PCAPdroid. Please note that decryption does not happen the first time, even for the .com domain, and it takes many attempts before the connection is decrypted and can be changed. Can you try sending requests not only to https://example.com but also to https://example.com/, https://example.net, https://example.net/, https://example.org and https://example.org/ and see whether each connection has been decrypted or changed?
@emanuele-f
No need to ping, I receive notifications, I just need to reserve some time for this testing.
It works correctly for me, as you can see here. All the requests are decrypted.
https://github.com/user-attachments/assets/022b509d-3d34-4dda-aea9-709619d04a24
Again, there is something wrong happening on your side, but I cannot tell what. To solve this, you need to dig deeper by following the requests on their way to mitmproxy.
Some notes:
- in the app filter on the main PCAPdroid screen, remove all the apps except Termux, and see how it works
- the decrypted connections are generated by the PCAPdroid mitm app, so you can just search "mitm" in the connections view
- this is implemented via iptables rules based on the target apps' UIDs. So all the target apps' connections will be sent to mitmproxy; there is no exception to this
What version of Android are you using?
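The notes above say the redirect is keyed on the target apps' UIDs in iptables. An added example (not PCAPdroid code, and not from anyone in this thread) of how to verify that from the Termux side on a rooted phone: read the app's UID from `dumpsys package`, dump the nat OUTPUT chain, and check whether that UID is matched by a REDIRECT rule. The sample iptables and dumpsys text below is constructed for the example and follows the generic `-m owner --uid-owner … -j REDIRECT` layout; that layout is an assumption about the rule shape, not a dump of PCAPdroid's actual rules, so adjust the chain name if the real rules live elsewhere.

```python
import re
import shlex
import subprocess

# Added example (not PCAPdroid code): check whether an app's UID is covered by
# a REDIRECT rule in the nat OUTPUT chain, which is how UID-based interception
# is done on a rooted phone. The sample dump is constructed for this example
# and uses the generic owner-match + REDIRECT layout (an assumption about the
# rule shape, not PCAPdroid's real rule set).
SAMPLE_NAT_OUTPUT = """\
-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 10234 -m tcp --dport 443 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m owner --uid-owner 10234 -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m owner --uid-owner 10500-10502 -m tcp --dport 443 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m owner --uid-owner 10301 -m tcp --dport 443 -j REDIRECT --to-ports 8080
"""

# Constructed fragment of `dumpsys package com.termux` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.termux] (1a2b3c):
    userId=10234
"""


def _uid_range(value):
    """'10234' -> [10234]; '10500-10502' -> [10500, 10501, 10502]."""
    lo, _, hi = value.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def parse_redirect_rules(dump):
    """Return {uid: {dport, ...}} for each REDIRECT rule keyed on --uid-owner.

    `dump` is the text of `iptables -t nat -S OUTPUT`. A REDIRECT rule with no
    owner match (it would redirect every UID) is reported under the key None.
    """
    rules = {}
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A" or "REDIRECT" not in tokens:
            continue
        uids, dport = [None], None
        for i, tok in enumerate(tokens[:-1]):
            if tok == "--uid-owner":
                uids = list(_uid_range(tokens[i + 1]))
            elif tok == "--dport":
                dport = int(tokens[i + 1])
        for uid in uids:
            rules.setdefault(uid, set()).add(dport)
    return rules


def uid_from_dumpsys(text):
    """Extract the app UID from `dumpsys package <pkg>` output (userId=NNNNN)."""
    m = re.search(r"userId=(\d+)", text)
    return int(m.group(1)) if m else None


def uid_is_redirected(dump, uid, dport=443):
    """True if TCP traffic from `uid` to `dport` hits a REDIRECT rule."""
    rules = parse_redirect_rules(dump)
    return dport in rules.get(uid, set()) or dport in rules.get(None, set())


def live_dump(package):
    """On a rooted device (e.g. inside Termux): fetch both inputs through `su`."""
    nat = subprocess.run(["su", "-c", "iptables -t nat -S OUTPUT"],
                         capture_output=True, text=True, check=True).stdout
    pkg = subprocess.run(["su", "-c", f"dumpsys package {package}"],
                         capture_output=True, text=True, check=True).stdout
    return nat, pkg


if __name__ == "__main__":
    # Runs against the constructed samples; on a phone use live_dump("com.termux").
    nat, pkg = SAMPLE_NAT_OUTPUT, SAMPLE_DUMPSYS
    uid = uid_from_dumpsys(pkg)
    print(f"com.termux uid={uid} redirected(443)={uid_is_redirected(nat, uid)}")
    for u, ports in parse_redirect_rules(nat).items():
        print(f"  uid {u}: ports {sorted(ports)}")
```

If the app's UID is present for port 443 but its connections still never show up as decrypted, the redirect is not the problem and the investigation moves on to the proxy side (what mitmproxy sees on the redirected socket); if the UID is missing, the app filter on the main screen is the first thing to re-check.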
Android 11
To be more sure, I checked it on a third device with root rights running Android 8.1 Go using Termux; the result is identical: one decrypted request out of 6. Where am I doing something wrong? Can you send me your full PCAPdroid settings? And how can I track what happens if half of the functions don't work in root mode?
I also noticed that all of your decrypted requests come from the radio0 interface, while my only decrypted request is on wlan0.
You should build the app from source and look at the code; it's not something you can figure out at a higher level. The interface does not matter; it's wlan if you are connected to the Wi-Fi.
Is this the only difference that I see, that there is a problem specifically on the wlan0 protocol? Can you try to run a test on a real device where this interface will be present? I think this will give you more answers, since after all an emulator is more of a laboratory environment, and a real device has its own firmware and other features. I studied the network using PCAPdroid; it was my only good tool, but now that this tool has broken for me, I won't be able to understand or learn anything at all. That's why I want you to be able to detect this problem. Please try a real device, or try switching the interface in the emulator to wlan0, to make sure that this is not the problem.
https://youtu.be/4KE42UYNa8M I tried to check this in the Android Studio emulator on the Android 8.1 x86 version with root, and indeed all connections were decrypted, even through the wlan0 interface. Could there be a problem with decryption on ARM systems? Do you have the opportunity to test on an ARM system?
is this the only difference that I see, that there is a problem specifically on the wlan0 protocol
wlan0 or the radio interface does not make a difference; for routing in Linux, they are just network interfaces.
an emulator is more of a laboratory environment, and a real device has its own firmware and other features
same here
I won't be able to understand or learn anything at all, that's why I want you to be able to detect this problem
investigating this issue would be a learning experience too
could there be a problem with decryption on arm systems? Do you have the opportunity to test on an arm system?
Since this seems the only discriminating factor, this could be the case. Do you mean aarch64 or ARM 32-bit? I remember it worked correctly on aarch64.