Master Mobile App Hacking: Intercept Android HTTPS Traffic with Proxyman – A Step-by-Step Guide

Listen to this Post

Featured Image

Introduction

Intercepting and analyzing network traffic from Android applications is a cornerstone of mobile security testing. It allows penetration testers and developers to uncover hidden API endpoints, debug insecure data transmission, and identify vulnerabilities such as cleartext credentials or improper TLS configurations. This article dives into a powerful combination: Proxyman, a native macOS proxy tool, and atlantis-android, an open-source Android app that tunnels all device traffic through Proxyman. Together, they provide a seamless environment for capturing, inspecting, and even modifying HTTP/HTTPS traffic from any Android app, including those that implement certificate pinning.

Learning Objectives

  • Understand how to set up a Man-in-the-Middle (MitM) proxy for Android apps using Proxyman and atlantis-android.
  • Learn to install, configure, and use atlantis-android to route all Android traffic to Proxyman for debugging.
  • Explore techniques to bypass SSL pinning and decrypt HTTPS traffic for comprehensive security analysis.

You Should Know

1. Installing and Configuring Proxyman on macOS

Proxyman is a high-performance, native macOS app that captures, inspects, and manipulates HTTP/HTTPS traffic. It supports advanced features like SSL decryption, request/response filtering, and script injection. Begin by downloading Proxyman from the official website and installing it like any other macOS application. Once installed, launch Proxyman and navigate to Certificate → Install Certificate on this Mac. This installs the Proxyman root CA certificate into your macOS keychain, which is necessary for decrypting HTTPS traffic. Ensure the certificate is marked as trusted for all users. Proxyman will automatically start listening on `localhost:9090` by default (or a configurable port). This proxy endpoint will later receive traffic from your Android device.

Pro Tip: To verify Proxyman is working, configure your Mac’s Wi-Fi proxy to point to `127.0.0.1:9090` and browse to any HTTP site. You should see requests appearing in the Proxyman interface.

2. Preparing Your Android Device for Traffic Interception

Before installing atlantis-android, you need to enable Developer Options and USB Debugging on your Android device. Go to Settings → About Phone → tap Build Number seven times to unlock Developer Options. Then, in Settings → Developer Options, enable USB Debugging. This allows you to use Android Debug Bridge (ADB) commands from your computer. Next, you must install the Proxyman CA certificate on your Android device. Export the certificate from Proxyman: Certificate → Export Certificate… → save it as proxyman-ca.crt. Transfer this file to your Android device (via email, cloud, or adb push). On the device, go to Settings → Security → Encryption & credentials → Install from storage and select the certificate. Name it (e.g., “Proxyman CA”) and set it for VPN and apps. This step is crucial for decrypting HTTPS traffic.

Note: On Android 7.0+, apps that target API level 24+ ignore user-installed CA certificates by default. To overcome this, you must either root the device or use a tool like atlantis-android that can inject the certificate at the VPN level.

3. Installing and Running atlantis-android

Atlantis-android is a VPN-based tool that captures all traffic from your Android device and forwards it to Proxyman. It is available as an open-source project on GitHub. To install it, download the latest APK from the releases page. Use ADB to install it:

adb install atlantis-android-vX.X.X.apk

Once installed, open the app on your device. It will request VPN permission—grant it. The app also needs to know the IP address and port of your Proxyman instance. Ensure your Mac and Android device are on the same Wi-Fi network. In Proxyman, note the IP address of your Mac (e.g., 192.168.1.10) and the proxy port (default 9090). Enter these into the atlantis-android app: Proxy Host = your Mac’s IP, Proxy Port = 9090. Then tap Start VPN. The app will create a local VPN that routes all device traffic through the specified proxy. You should see a persistent notification indicating the VPN is active.

Troubleshooting: If traffic isn’t appearing in Proxyman, check firewall settings on your Mac—ensure that port 9090 is open. Also, verify that the Android device can ping your Mac’s IP.

4. Capturing and Decrypting HTTPS Traffic

With atlantis-android running and the VPN active, open any app on your Android device. You should immediately see HTTP/HTTPS requests appearing in Proxyman’s interface. However, HTTPS traffic will initially appear as encrypted tunnels. To decrypt it, you must ensure the Proxyman CA certificate is trusted on the Android device—which you installed earlier. But there’s a catch: many modern apps implement SSL pinning, where they only accept a specific certificate or public key, ignoring system CAs. To bypass this, you can use additional tools like Frida or Objection. Alternatively, atlantis-android can inject the Proxyman CA certificate directly into the app’s trust store using a technique called certificate injection. This feature is available in the atlantis-android settings: enable Inject CA Certificate before starting the VPN. This injects the certificate into the VPN tunnel, making it appear as a system CA to apps. After enabling this, restart the VPN. Now, HTTPS traffic from most apps will be decrypted and displayed in plaintext within Proxyman.

Example of decrypted request: You’ll see full URLs, headers, and request/response bodies. This is invaluable for spotting hardcoded API keys, insecure data transmission (e.g., sending passwords in plaintext over HTTPS if poorly implemented), and hidden endpoints.

5. Advanced Analysis and Traffic Manipulation with Proxyman

Proxyman is not just a passive sniffer—it allows you to intercept and modify requests on the fly. To enable this, go to Tools → Breakpoints and add a rule for a specific domain or endpoint. When a matching request is made, Proxyman will pause it, allowing you to edit headers, body, or even the response before forwarding. This is extremely useful for testing input validation, parameter tampering, and business logic flaws. For example, you could change a price parameter in an e‑commerce app and see if the backend accepts it. You can also use Proxyman’s Scripting feature to automate modifications using JavaScript. Additionally, the Filter tool helps you isolate traffic from a specific app by filtering on the `Host` header or URL patterns.

Command-line tip: Proxyman can be controlled via its CLI tool, proxymanctl, which allows you to start/stop recording, export sessions, and manage certificates from the terminal. For instance, to export all captured requests as a HAR file:

proxymanctl export --format har --output traffic.har
  1. Handling SSL Pinning: Bypassing with Frida and Objection
    If an app employs robust SSL pinning, atlantis-android’s injection might not suffice. In such cases, dynamic instrumentation frameworks like Frida or Objection come to the rescue. Install Frida on your computer and the Frida server on your Android device (requires root or a rooted emulator). Then, use Objection, a runtime exploration tool built on Frida, to bypass pinning with a single command:
objection -g com.example.app explore --startup-command "android sslpinning disable"

This patches the app’s SSL pinning logic at runtime, allowing your proxy certificate to be accepted. After running this, relaunch the app and you should see decrypted traffic in Proxyman. This technique is widely used in penetration testing, but it requires a rooted device or emulator. For non‑rooted devices, you can use a virtualized environment like Android Virtual Device (AVD) with a custom ROM that permits user certificates.

7. Securing Your Testing Environment and Ethical Considerations

While intercepting traffic is a powerful skill, it must be used responsibly. Always obtain explicit written permission before testing any application you do not own. When performing security assessments, ensure you isolate the testing environment—use a dedicated device or emulator, and never expose the proxy to the internet. Additionally, be aware that some apps may implement certificate transparency or use Google Play Protect to detect tampering. To maintain a clean environment, revert your device to its original state after testing. Proxyman and atlantis-android are tools for debugging and security research; misuse can lead to legal consequences.

Final Step: After your testing session, stop the atlantis-android VPN and remove the CA certificate from your Android device to avoid any lingering trust issues.

What Undercode Say

  • Key Takeaway 1: Intercepting and decrypting HTTPS traffic from Android apps is a fundamental skill for mobile security professionals. The combination of Proxyman and atlantis-android provides a streamlined, user‑friendly approach that eliminates much of the complexity associated with setting up a MitM proxy.
  • Key Takeaway 2: SSL pinning is a common defense mechanism, but it can be bypassed using runtime instrumentation tools like Frida and Objection. Understanding these bypass techniques is crucial for comprehensive security testing.
  • Analysis: The ability to inspect and manipulate app traffic enables testers to uncover vulnerabilities that automated scanners miss—such as insecure direct object references (IDOR), exposed API keys, or sensitive data leaks. However, as mobile platforms evolve, so do anti‑tampering measures. Future Android versions may restrict VPN-based interception or enforce stricter certificate handling, forcing security researchers to adopt even more advanced methods. Nonetheless, the demand for skilled professionals who can navigate these challenges will only grow, making hands‑on experience with tools like Proxyman invaluable.

Prediction

As mobile applications increasingly adopt certificate pinning, network security configurations (like Android’s Network Security Config), and runtime integrity checks, the traditional proxy-based interception will become more difficult. We will likely see a surge in the use of instrumented environments (e.g., custom Android ROMs with modified CA stores) and kernel-level hooking techniques. Simultaneously, defenders will integrate AI-driven anomaly detection to identify and block malicious proxy usage. The cat-and-mouse game between security researchers and app developers will intensify, pushing both sides to innovate. For ethical hackers, staying ahead means mastering not only current tools but also emerging bypass methodologies and understanding the underlying system internals of Android and iOS.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Julian Brazuelo – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky