In this post I present three different methods I used to understand the network behavior (the focus is on network analysis, nothing more) of an Android application I analyzed:
using an HTTPS interception proxy;
MITMing the network traffic;
profiling the application with Android Studio.
Use whichever method you prefer (some simply may not work in your scenario): the results of the analysis are the same, and the choice depends on the scenario you are testing, the software you are used to working with, and so on. Note that the first two methods can be used to inspect the traffic of any application, program or device, not only an Android application.
Squid can be configured to perform SSL/TLS inspection (aka HTTPS interception), so the proxy can decrypt the traffic it proxies (Squid calls this feature SSL Bump, configured through the ssl_bump directive).
As far as I know, the Squid package shipped by the Linux distributions is not compiled with SSL/TLS inspection support, but the good news is that Diladele (its GitHub repo and the Web Safety documentation are useful resources) provides packages for Ubuntu and CentOS, recompiled (you can do it yourself) with support for HTTPS filtering and SSL/TLS inspection. This means we only have to configure Squid. Not an easy task anyway 🙂
Below I provide a working config; follow the next steps.
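To make the SSL Bump setup concrete, here is an added example of the three pieces you need: an interception CA, the on-disk cache for the generated host certificates, and the ssl_bump part of squid.conf. It is my illustration, not the config from the original post or from Diladele. It assumes a Squid 4+ build with SSL Bump support, the Debian/Ubuntu paths (`/etc/squid`, `/usr/lib/squid/security_file_certgen`, the `proxy` user) and a 192.168.0.0/16 and 10.0.0.0/8 client network; on Squid 3.5 the certificate helper was called `ssl_crtd`, so adjust the paths to your build.

```shell
#!/bin/sh
# Added example, not the post's own config. Assumes a Squid 4+ build with
# SSL Bump support (e.g. the Diladele packages) and Debian/Ubuntu paths;
# override the variables below for other layouts (assumptions).
set -e

SQUID_DIR="${SQUID_DIR:-/etc/squid}"
CA_PEM="$SQUID_DIR/ssl/squid-ca.pem"    # key + cert, read by Squid only
CA_CRT="$SQUID_DIR/ssl/squid-ca.crt"    # cert only, installed on the client
CERTGEN="${CERTGEN:-/usr/lib/squid/security_file_certgen}"
SSL_DB="${SSL_DB:-/var/lib/squid/ssl_db}"

# 1. Create the interception CA. Squid signs a per-host leaf certificate
#    with it on the fly, so every client you intercept must trust it.
#    Keep the key on the lab proxy only.
make_ca() {
  mkdir -p "$(dirname "$CA_PEM")"
  openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
    -subj "/CN=Lab interception CA" -keyout "$CA_PEM" -out "$CA_PEM"
  openssl x509 -in "$CA_PEM" -out "$CA_CRT"
  chmod 600 "$CA_PEM"
}

# 2. Initialise the cache of generated host certificates (must be done
#    once, before Squid starts, and owned by the Squid user).
init_cert_db() {
  "$CERTGEN" -c -s "$SSL_DB" -M 4MB
  chown -R proxy:proxy "$SSL_DB"   # assumption: Squid runs as 'proxy'
}

# 3. Write the SSL Bump fragment to the given path. "peek" at step 1 reads
#    the ClientHello (SNI) without touching it, then "bump all" decrypts,
#    logs and re-encrypts every connection. The custom logformat records
#    the SNI next to the decrypted request line.
write_conf() {
  cat > "$1" <<EOF
http_port 3128 ssl-bump cert=$CA_PEM generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program $CERTGEN -s $SSL_DB -M 4MB
sslcrtd_children 5
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
acl localnet src 192.168.0.0/16 10.0.0.0/8
http_access allow localnet
http_access deny all
logformat detailed %ts.%03tu %>a %Ss/%03>Hs %rm %ru sni=%ssl::>sni
access_log /var/log/squid/access.log detailed
EOF
}

# 4. Check from the proxy host that bumping is active: curl trusts only
#    our CA, so a 200 proves the leaf cert was minted by Squid. Without
#    --cacert the same request must fail with a certificate error.
verify_bump() {
  curl -sS -o /dev/null -w '%{http_code}\n' \
    --proxy http://127.0.0.1:3128 --cacert "$CA_CRT" https://example.com/
}

case "${1:-}" in
  setup)  make_ca; init_cert_db; write_conf "$SQUID_DIR/ssl-bump.conf" ;;
  verify) verify_bump ;;
esac
```

Run `setup` as root, add `include /etc/squid/ssl-bump.conf` to squid.conf, restart Squid and run `verify`. On the phone, install `squid-ca.crt` as a user CA and set the Wi-Fi proxy to the proxy host on port 3128. Two caveats a tester should expect: apps targeting Android 7 (API 24) or later do not trust user-installed CAs unless their network security config opts in, and apps that pin their certificate fail the handshake outright; in both cases the TLS error you see in access.log is itself a finding about how the app handles its connections.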
In this post I just show which domains you need to allow to authorize access to the Telegram and WhatsApp web sites from behind your corporate proxy. This is useful when, like me, you need to grant access to just a subset of your users.
One of the problems I encountered in my job was receiving syslog (udp/514) logs from a server that supports only one syslog destination and resending them to two or more servers (log archiving, a security appliance, etc.).
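As an added example of how such a fan-out can be built (my illustration, not the solution from the original post), the script below configures a relay host that is the single destination the source server knows about. rsyslog listens on udp/514 and forwards every message to each receiver through its own action queue, so one slow or dead receiver does not stall the others. It assumes rsyslog with a `/etc/rsyslog.d` include directory and uses placeholder receiver addresses; the second function shows the alternative for the case where the receivers must see the original source IP (a security appliance that keys on it), using the iptables TEE target to clone the UDP packets in the kernel instead.

```shell
#!/bin/sh
# Added example, not the post's own solution. A relay box receives syslog
# on udp/514 and fans it out. Destination addresses are placeholders.
set -e

RELAY_CONF="${RELAY_CONF:-/etc/rsyslog.d/50-syslog-fanout.conf}"

# Write an rsyslog fragment: one imudp listener plus one omfwd action per
# destination ("host" or "host:port"). Each action gets its own in-memory
# queue so the receivers are decoupled from each other. The original
# syslog header (timestamp, hostname, tag) is forwarded unchanged; only
# the UDP source IP seen by the receivers becomes the relay's address.
write_fanout_conf() {
  out="$1"; shift
  {
    echo 'module(load="imudp")'
    echo 'input(type="imudp" port="514")'
    for dest in "$@"; do
      case "$dest" in
        *:*) host="${dest%:*}"; port="${dest##*:}" ;;
        *)   host="$dest";      port=514 ;;
      esac
      echo "action(type=\"omfwd\" target=\"$host\" port=\"$port\" protocol=\"udp\""
      echo "       queue.type=\"LinkedList\" queue.size=\"10000\")"
    done
  } > "$out"
}

# Alternative that preserves the original source IP: duplicate each
# udp/514 packet arriving at the relay to one extra receiver. The TEE
# gateway must be on a directly attached network; add one rule per
# extra receiver. The original packet still reaches local rsyslog.
tee_rule() {
  iptables -t mangle -A PREROUTING -p udp --dport 514 -j TEE --gateway "$1"
}

case "${1:-}" in
  install) shift; write_fanout_conf "$RELAY_CONF" "$@"; rsyslogd -N1 ;;
  tee)     tee_rule "$2" ;;
esac
```

Usage: `./fanout.sh install 10.0.0.2 10.0.0.3:1514` writes the fragment and runs `rsyslogd -N1` to syntax-check the resulting configuration before you restart the service; `./fanout.sh tee 10.0.0.4` adds the kernel-level clone. Switch `protocol="udp"` to `"tcp"` (or add TLS via the omfwd `StreamDriver` options) for receivers that matter, since UDP syslog is silently lossy and unauthenticated on the wire.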