Android Sniffing on Ubuntu with mitmproxy
This guide walks you through setting up an Android emulator on Ubuntu, installing a custom CA certificate, and using mitmproxy to intercept traffic. It also includes an optional Python addon for enhanced output filtering.
Prerequisites
- Ubuntu 22.04+
- Docker (for running mitmproxy)
- Android Studio (for emulator and ADB)
- CA certificate (ca.crt and ca.pem) placed in the ./certs/ folder
  - Generate with ./scripts/create-cert.sh if you don't have one
Install Android Studio & SDK
Install Android Studio via Snap:
$ sudo snap install android-studio --classic
Launch Android Studio and follow the initial setup to install the SDK and platform-tools.
Tip: Install the SDK under ~/.android/Sdk for consistency.
Create an Emulator
- Open AVD Manager (Virtual Device Manager).
- Click Create Virtual Device.
- Choose a device (e.g., Pixel 6 Pro) without Google Play Store.
- Select a system image with API 28 (Android 9 Pie) or lower to allow system CA installation.
Prepare the Emulator
(Optional) Disable the Quickboot file-backed feature (Reddit Source; fixes BTRFS issues):
$ echo "QuickbootFileBacked = off" >> ~/.android/advancedFeatures.ini
List available AVDs:
$ ~/.android/Sdk/emulator/emulator -list-avds
Start the emulator with root access and a writable system (replace <AVD_NAME>):
$ ~/.android/Sdk/emulator/emulator \
-avd <AVD_NAME> \
-writable-system \
-no-boot-anim \
-gpu host \
-cores 4 \
-memory 4096
Restart ADB as root and remount:
$ ~/.android/Sdk/platform-tools/adb root
$ ~/.android/Sdk/platform-tools/adb remount
Install the CA Certificate
Push your custom CA into the emulator's system trust store:
$ HASH=$(openssl x509 -inform PEM -subject_hash_old -in certs/ca.crt | head -1)
$ ~/.android/Sdk/platform-tools/adb push certs/ca.crt "/system/etc/security/cacerts/${HASH}.0"
$ ~/.android/Sdk/platform-tools/adb reboot
$ ~/.android/Sdk/platform-tools/adb wait-for-device
Install the Target App and Proxy App
1. Install Ecovacs Home App
Download and install version 2.4.1 of the Ecovacs Home APK:
If you want to try reversing newer app versions, you'll need to unpin the certificate. See Defeating Certificate Pinning for instructions.
$ ~/.android/Sdk/platform-tools/adb install <path/to/Ecovacs_Home_2.4.1.apk>
Tip: Drag-and-drop the APK onto the emulator window.
2. Install SOCKS5 Proxy App
Install a SOCKS5 proxy client (e.g., Super Proxy):
Configure Proxy on Android
In the emulator's network or proxy app settings:
- Protocol: SOCKS5
- Host: <YOUR_SERVER_IP>
- Port: 1080
This routes all emulator traffic through mitmproxy.
Run mitmproxy in Docker-Swarm
From your project root:
NOTE: I run my projects in swarm mode; mitm will be started with pre-defined configs inside docker-compose-mitm.yaml
$ docker compose -f docker-compose-mitm.yaml --compatibility config | \
sed 's|cpus: \([0-9]\+\(\.[0-9]\+\)*\)|cpus: "\1"|' | \
sed '1{/^name:/d}' | \
sed 's/published: "\(.*\)"/published: \1/' | \
sed 's|mode: "\([0-9]\+\)"|mode: \1|' | \
docker stack deploy --resolve-image=never --with-registry-auth --detach=false --compose-file - mitm
Access http://localhost:8081 to inspect traffic.
Alternative: Local mitmproxy Docker Run
From your project root (where ./certs/ca.pem lives):
$ docker run --rm -it --network host \
-v "$PWD/mitm:/home/mitm:ro" \
-v "$PWD/certs/ca.pem:/tmp/ca.pem:ro" \
mitmproxy/mitmproxy mitmweb \
--web-host 0.0.0.0 \
--mode socks5 \
--showhost \
--rawtcp \
--ssl-insecure \
--certs '*=/tmp/ca.pem' \
--set connection_strategy=lazy
Access http://localhost:8081 to inspect traffic.
Optional: Python Script Filter
Use the Python addon at ./configs/mitm.py to filter or transform flows:
$ docker run --rm -it --network host \
-v "$PWD/mitm:/home/mitm:ro" \
-v "$PWD/certs/ca.pem:/tmp/ca.pem:ro" \
-v "$PWD/configs/mitm.py:/tmp/mitm.py:ro" \
mitmproxy/mitmproxy mitmweb \
--web-host 0.0.0.0 \
--mode socks5 \
--showhost \
--rawtcp \
--ssl-insecure \
--certs '*=/tmp/ca.pem' \
--set connection_strategy=lazy \
-s /tmp/mitm.py
Access http://localhost:8081 to inspect traffic.
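The contents of ./configs/mitm.py are not shown in this guide. As an added example (not the project's own addon), a filter of this kind can log only flows to watched hosts and mask credential headers so they do not end up in saved logs. The vendor.example domain, the header list and the sample_flow helper are constructed assumptions.

```python
import logging
from types import SimpleNamespace

# Assumption: placeholder domain; replace with the hosts the target app contacts.
WATCH_SUFFIXES = ("vendor.example",)
# Headers whose values are credentials and should not be written to logs.
SENSITIVE = {"authorization", "cookie", "set-cookie", "x-api-key"}


def host_matches(host):
    """True for a watched domain or a subdomain of it (not a bare substring)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCH_SUFFIXES)


def redact(headers):
    """Copy headers into a dict, masking credential values."""
    return {k: "<redacted>" if k.lower() in SENSITIVE else v
            for k, v in headers.items()}


def summarize(flow):
    """One-line summary for a watched host, or None to drop the flow."""
    req, resp = flow.request, flow.response
    if not host_matches(req.pretty_host):
        return None
    status = resp.status_code if resp is not None else "-"
    return f"{req.method} {req.pretty_host}{req.path} -> {status} {redact(req.headers)}"


class FlowFilter:
    def response(self, flow):
        """mitmproxy event hook, called when a full HTTP response is available."""
        line = summarize(flow)
        if line:
            logging.info(line)


def sample_flow(host, headers, status=200):
    """Constructed stand-in for a mitmproxy HTTPFlow, for offline testing only."""
    req = SimpleNamespace(method="GET", pretty_host=host, path="/v1/ping", headers=headers)
    return SimpleNamespace(request=req, response=SimpleNamespace(status_code=status))


addons = [FlowFilter()]  # mitmproxy loads the instances listed here
```

Matching on a dot-delimited suffix rather than a substring keeps look-alike hosts out of the filtered view.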
Troubleshooting
- SSL errors: Verify the CA hash and placement.
- Emulator won't root: Use API 28 or lower with -writable-system.
- App 2003 errors: Launch the app once without proxy to fetch initial data.