Using mitmproxy to capture mobile app packets

At work, you often need to capture network traffic from mobile apps. For example, if an image is inaccessible only in the mobile app but works fine on the web, capturing packets lets you quickly identify the cause of the problem. A common approach is to run packet capture software on your computer as a proxy and point your phone at that proxy. Network traffic from the phone then passes through the capture software, where you can capture and analyze the packet details. Having the details of the network traffic in front of you is like using Chrome's debugging tools: everything becomes visible.

Common packet capture software includes Charles, Fiddler, and Wireshark. Charles and Fiddler are both paid software, while Wireshark is suited to lower-level network traffic analysis. This article recommends mitmproxy, which is open source (MIT License), free, and sufficient for this purpose. According to its GitHub contribution log, this software only became active in 2016.

The name is worth a mention. "mitm" stands for "man-in-the-middle" (as in man-in-the-middle attack), and "proxy" means just that, a proxy. Put together as "mitmproxy", the name is easy to remember.

1. Installation

  • The simplest installation method: since mitmproxy is written in Python, it can be installed directly with pip (recommended for ease):

    pip install mitmproxy

  • Other installation methods:

Refer to the official documentation at https://docs.mitmproxy.org/stable/overview-installation/

Linux users can download the compressed package directly from the official website and unzip it.

2. Introduction

After installation, it includes three tools:

  • mitmproxy provides an interactive command-line interface

The command-line interface (CUI) allows you to perform various operations in the terminal.

  • mitmweb provides a browser-based GUI

A web-based graphical interface, similar to Chrome's debugging interface. For those who dislike command-line interfaces, I recommend this.

  • mitmdump provides non-interactive terminal output

A command-line tool, similar to tcpdump

3. Setting up the packet capture environment

Environment diagram:

[Figure: how mitmproxy works]

Start mitmproxy or mitmweb on your computer by directly entering the command. By default, it listens on all network interfaces, port 8080:

    ➜ ~ ss -lnt |grep 8080
    LISTEN 0 100 0.0.0.0:8080 0.0.0.0:*
    LISTEN 0 100 [::]:8080 [::]:*

Mobile connection: in the phone's Wi-Fi settings, find the proxy settings and enter your computer's IP and port. From then on, when the phone accesses the internet, its traffic goes through the proxy (i.e., the IP:port service on your computer), which lets the proxy software parse and process it.

Key Point

Most mobile apps now use HTTPS, which raises the issue of certificate trust. After setting up the proxy on Wi-Fi, visit mitm.it in the phone's browser and follow the instructions on the page to download the certificate for the corresponding platform.

[Figure: CA certificate]

After installing the certificate (if you don't know how to install it, search online), note that newer versions of iOS also require you to enable full trust for it. This step is crucial; go to Settings > General > About > Certificate Trust Settings. The English instructions are as follows:

On recent iOS versions, you also need to enable full trust for the mitmproxy root certificate:

Go to Settings > General > About > Certificate Trust Settings. Under “Enable full trust for root certificates”, turn on trust for the mitmproxy certificate.

Without this setting, certificate verification during the handshake phase may fail and the connection will be dropped, so some HTTPS traffic cannot be analyzed.

After setting up the environment, you can start capturing packets. Open the target app on your phone and tap around in it. The capture software will refresh the packet list.

Three examples are shown below:

  • mitmproxy

To start, simply enter the command:

    mitmproxy

The command line interface is shown in the figure, capturing Bilibili.

[Figure: mitmproxy CUI]

The top shows the message information, and the bottom shows the command prompt. Navigating the message column seems to support Vim shortcuts (such as gg G). Press Enter to enter the details page, and q to exit. Mouse clicks are also supported; it takes a little practice to figure it out, so I won't explain it further.

  • mitmweb

To start, simply enter the command:

    mitmweb

A browser tab will open directly; here it is capturing WeChat traffic from the mobile phone.

[Figure: mitmweb GUI]

Click an entry in the message list, and the right side will display details such as the request headers and the response.

[Figure: mitmweb detail]

  • mitmdump

This looks similar to tcpdump, but I haven't used it yet. If you need it, please consult the official documentation.
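
An added example, not from the original article or the mitmproxy project: all three tools accept a Python addon script through the -s option, for example mitmdump -s image_triage.py. The addon below records image requests that come back with an error status (the scenario from the introduction) and counts the hosts for which the phone rejected the proxy's certificate during the TLS handshake (the trust problem described under Key Point). It assumes a mitmproxy release that provides the tls_failed_client hook; the file name image_triage.py and the names ImageTriage and looks_like_image are made up for this example.

```python
import logging
from collections import Counter

IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".webp")
log = logging.getLogger("image_triage")  # hypothetical logger name


def looks_like_image(path, content_type):
    """True if the URL path or the response Content-Type indicates an image."""
    path = path.split("?", 1)[0].lower()
    return path.endswith(IMAGE_EXTS) or content_type.lower().startswith("image/")


class ImageTriage:
    """Records failed image responses and client-side TLS handshake failures."""

    def __init__(self):
        self.failed_images = []        # (status, url, user_agent)
        self.tls_failures = Counter()  # SNI host -> failed handshakes

    def response(self, flow):
        # mitmproxy hook: a complete HTTP response has been received.
        ctype = flow.response.headers.get("content-type", "")
        if not looks_like_image(flow.request.path, ctype):
            return
        status = flow.response.status_code
        if status >= 400:
            # An error page is often text/html, hence the path check above.
            ua = flow.request.headers.get("user-agent", "")
            self.failed_images.append((status, flow.request.pretty_url, ua))
            log.warning("image %s %s UA=%r", status, flow.request.pretty_url, ua)

    def tls_failed_client(self, data):
        # mitmproxy hook: the phone aborted the TLS handshake with the proxy,
        # e.g. the mitmproxy CA is not fully trusted or the app pins its certificate.
        host = data.conn.sni or "unknown"
        self.tls_failures[host] += 1
        log.warning("tls handshake rejected by client for %s", host)


addons = [ImageTriage()]  # mitmproxy loads addon instances from this list
```

Comparing the User-Agent and status of a failing image request from the app with the same URL fetched from the web shows whether the difference is in the request itself; hosts that only appear in the TLS failure count never reached the HTTP layer at all.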

Lastmod: Saturday, August 9, 2025
