I always used Charles for this kind of traffic inspection but HTTPS would be an obstacle. Unfortunately you can add certificates to Android but they won’t be used by all apps so it’s kind of pointless. Sometimes you are very lucky and the developer just checks that there’s someone responding with a valid certificate without actually validating it.
All the HTTP and HTTPS traffic will be intercepted (and, if needed, modified) by bettercap. If the app is correctly using public key pinning (as every application should) you will not be able to see its HTTPS traffic but, unfortunately, in my experience this only happens for a very small number of apps.
I don’t really like pinning for websites but maybe it’s the right choice for apps?