> For the complete documentation index, see [llms.txt](https://nightowl131.gitbook.io/aapg/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://nightowl131.gitbook.io/aapg/manual-dynamic-analysis.md). # 3. MANUAL DYNAMIC ANALYSIS ## PROXY SETUP * Install [Burp-Suite](https://portswigger.net/burp/communitydownload) (**recommended**) ### AVD || rooted devices * Cert installation: * [BEFORE Android 7 (Nougat)](https://support.portswigger.net/customer/portal/articles/1841102-installing-burp-s-ca-certificate-in-an-android-device) * [Android 7 or higher](https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/) * Proxy setup: * [Virtual device](https://developer.android.com/studio/run/emulator-networking#proxy) * [Physical phone](https://www.howtogeek.com/295048/how-to-configure-a-proxy-server-on-android/) ### Additional tools * [Install drozer on host & phone](https://labs.mwrinfosecurity.com/tools/drozer/) * [Android SDK](http://www.androiddocs.com/sdk/installing/index.html) * adb might be located @ *Android/Sdk/platform-tools/* (*Linux*) ### Do they work? #### **adb** *list devices:* ``` adb devices ``` *port forwarding for drozer client:* ``` adb forward tcp:31415 tcp:31415 ``` #### **drozer** *list available drozer clients* ``` drozer console devices ``` *connect to drozer client and end up in drozer-shell: "**dr>**":* ``` drozer console connect ``` ## PROXY-AWARE APPS - SETUP ### Xamarin add the following code in the OnCreate or Main method ``` WebRequest.DefaultWebProxy = new WebProxy("", ); ``` ### Traffic routing (remotely sniff via netcat) ``` tcpdump -i -s0 -w - | nc -l -p 11111 ``` ``` adb forward tcp:11111 tcp:11111 ``` ``` nc localhost 11111 | wireshark -k -S -i - ``` {% hint style="info" %} Downside - if **HTTPS**, you are not able to see any request bodies {% endhint %} ### Man-in-the-Middle w/ bettercap *(command may defer due to bettercap version)* ``` sudo bettercap -eval "set arp.spoof.targets ; arps.spoof on; set arp.spoof.internal true; set arp.spoof.fullduplex true;" ``` ### Redirect with iptables ``` iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination :8080 ``` *verify iptables settings* ``` iptables -t nat -L ``` *iptables config:* ``` iptables -t nat -F ``` ### WHY? {% hint style="info" %} * In case of **XAMARIN** (ignores system proxy - not always! give it a try before you cry) * **Other** **protocols** are used (XMPP or other non-HTTP) * To intercept push notifications * The app itself verifies the connection and refuse {% endhint %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://nightowl131.gitbook.io/aapg/manual-dynamic-analysis.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.