Connection errors when inspecting network traffic of Android mobile game with HTTP Toolkit


I wanted to spy on the network traffic of the Android game "State of Survival". I have installed it on an Android emulator and it works, but when I start HTTP Toolkit the game is disconnected, and as long as HTTP Toolkit is running the game can't connect to the server. I was wondering what it could be?

I can imagine that the game uses a WebSocket. Does HTTP Toolkit support it?

Or maybe the game uses pinned certificates and that doesn't work with HTTP Toolkit.

Is there a way to find out what the problem is and solve it? If not, is there another tool to spy on the network traffic of Android mobile games?

There is 1 answer below:

HTTP Toolkit does support WebSockets (although read-only, for now - you can't define rules to rewrite them). There are many other similar tools you can try, but all HTTPS proxy tools will face exactly the same problems here, so if your setup doesn't work with HTTP Toolkit then it very likely won't work with any other tools either.

For issues in Android apps like this, there are three likely causes:

  • It could be that your device doesn't have the CA installed as a system certificate. Does the HTTP Toolkit Android app show 'System interception' as being enabled? If not, then your emulator isn't allowing root access, or the automated certificate injection is failing, which will cause issues like this. You'll need to use a 'Google APIs' emulator (not 'Google Play') or some other emulator that allows root access via ADB (either via adb root or su).
  • Is the app using certificate pinning? If you have installed system certificates, the app still can't connect, and you can see 'Certificate rejected' or 'Connection reset' for the app's domains showing up in HTTP Toolkit, then this is likely. You can work around this, but it's more difficult, and you'll need to use a tool like Frida or apk-mitm. There's a guide for Frida here: https://httptoolkit.tech/blog/frida-certificate-pinning/.
  • It could be that the app uses some other non-HTTP protocol entirely. You'll be able to see this in HTTP Toolkit, which will typically show many garbled requests and errors for this traffic. In this case, no HTTP proxy will work, and you'll need to use something like Wireshark to analyze the low-level traffic directly. This is more complicated, requires a lot more manual setup, and only allows viewing traffic - not modifying it. If the app uses TLS or similar in its protocol, this may require major manual reverse engineering to retrieve connection key log data to be able to even view this traffic.
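The first cause above (the CA not being in the system store) is the one you can check and fix by hand on a rooted 'Google APIs' emulator. As an added example, not part of the answer and not HTTP Toolkit's own code, the Python below computes the filename Android's system trust store expects for a CA (OpenSSL's subject_hash_old of the subject name, followed by ".0") from the certificate's DER, and lists the adb commands for installing it on an emulator started with -writable-system. The certificate it parses is a constructed, unsigned stand-in built inline so the script runs offline with only the standard library; the AVD name and the PEM path are placeholders.

```python
"""Name and install a CA in Android's system trust store (/system/etc/security/cacerts/).

Android names each system CA "<subject_hash_old>.0", where subject_hash_old is
OpenSSL's X509_NAME_hash_old: the first four bytes of MD5(DER-encoded subject
Name), read as a little-endian 32-bit integer and printed as 8 lowercase hex digits.
Added example; standard library only.
"""
import base64
import hashlib
import re


def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]. Returns (tag, value, whole_element, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long form: 0x80 | number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], buf[pos:end], end


def children(constructed_value: bytes):
    """Split the contents of a constructed DER element into (tag, whole_element) pairs."""
    out, pos = [], 0
    while pos < len(constructed_value):
        tag, _, whole, pos = read_tlv(constructed_value, pos)
        out.append((tag, whole))
    return out


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def subject_der(cert_der: bytes) -> bytes:
    """Return the DER subject Name (SEQUENCE header included, as i2d_X509_NAME would emit it)."""
    tag, cert_body, _, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs_value, _, _ = read_tlv(cert_body, 0)          # tbsCertificate
    fields = children(tbs_value)
    if fields and fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, ...
    return fields[4][1]


def subject_hash_old(subject: bytes) -> str:
    digest = hashlib.md5(subject).digest()
    return f"{int.from_bytes(digest[:4], 'little'):08x}"


def android_cacert_name(cert_der: bytes) -> str:
    return subject_hash_old(subject_der(cert_der)) + ".0"


def tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue; CN is OID 2.5.4.3."""
    atv = tlv(0x30, tlv(0x06, bytes([0x55, 0x04, 0x03])) + tlv(0x13, common_name.encode()))
    return tlv(0x30, tlv(0x31, atv))


def sample_cert_der(common_name: str = "Example Interception CA") -> bytes:
    """Constructed, unsigned stand-in for a CA certificate: only the field layout matters here."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))                                   # v3
    serial = tlv(0x02, b"\x01")
    sha256_rsa = tlv(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B]))
    sig_alg = tlv(0x30, sha256_rsa)
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    name = der_name(common_name)
    tbs = tlv(0x30, version + serial + sig_alg + name + validity + name)      # self-issued
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00"))                      # empty signature


def install_commands(store_name: str, pem_path: str, avd: str) -> list:
    """adb steps for a Google APIs image; avd and pem_path are placeholders (assumption)."""
    target = f"/system/etc/security/cacerts/{store_name}"
    return [
        f"emulator -avd {avd} -writable-system",
        "adb root",
        "adb remount",             # recent images may need 'adb disable-verity' and a reboot first
        f"adb push {pem_path} {target}",
        f"adb shell chmod 644 {target}",
        "adb reboot",              # makes every app see the updated store from a clean start
    ]


if __name__ == "__main__":
    cert = sample_cert_der()
    store_name = android_cacert_name(cert)
    print("system store filename:", store_name)
    for cmd in install_commands(store_name, "/tmp/interception-ca.pem", "Pixel_API_30"):
        print(cmd)
```

Run it against the CA that HTTP Toolkit exports by feeding pem_to_der the PEM file instead of sample_cert_der. Installing the CA only into the user store (Settings > Security) is not enough for this kind of app: since API level 24, apps trust user-added CAs only if their network security config opts in, which is exactly why the answer insists on 'System interception' and a rootable image.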