Proxy Android Apps Communication via USB

Using a combination of adb and SSH is possible to proxy all the communication via USB (Although we still need a wifi connection, so that is possible to define a proxy).

@hdontwit came up with this setup for iOS, so I tried to implement the same thing in Android.

First we need to configure the SSHd on the device. These instructions apply to LineageOS but are probably similar in other roms:

1- Mount the / as rw

mount -o rw,remount,rw /

2- Generate a keypair that will allow to connect via SSH:

/system/bin/ssh-keygen

This will generate a keypair and save it in the defined location.

3- Generate host keys:

/system/bin/ssh-keygen -A

4- Add the public key to the sshd authorized_keys

cat <previousSavedPath>/id_rsa.pub >> /data/ssh/authorized_keys

5- Confirm the existence of sshd_config in /data/ssh/sshd_config or create a new one with the following settings:

ListenAddress 127.0.0.1

Protocol 2

HostKey /data/ssh/ssh_host_rsa_key

LoginGraceTime 2m

PubkeyAuthentication yes

AuthorizedKeysFile /data/ssh/authorized_keys

PasswordAuthentication no

AllowAgentForwarding yes

AllowTcpForwarding yes

GatewayPorts yes

UsePrivilegeSeparation no

6- Start the SSHd

/system/bin/sshd &

7- Copy the private key to your host to use for connecting to SSHd

adb pull /<previousSavedPath>/id_rsa device.priv

8- Ajust the private key permissions

chmod 600 device.priv

9- Forward a custom port to the SSH port in the device

adb forward tcp:2222 tcp:22

10- Connect via SSH forwarding the port 8080 on the device to the port 8080 in our host where the proxy is running (ex: Burp Suite)

ssh 127.0.0.1 -p 2222 -i device.priv -R 8080:localhost:8080

With the SSH connection established, now all you need to do is set the Android device system proxy to 127.0.0.1 in the 8080 port.

comments powered by Disqus