by jumpkickhit 3352 days ago
Did you packet sniff what is being sent out? Or do you have some intermediary running on the device itself?

Just curious if it was difficult to do. If more people knew how to, maybe this sort of activity wouldn't sneakily happen as often.

4 comments

Unless an Android app uses certificate pinning (https://security.stackexchange.com/questions/29988/what-is-c...), it is usually trivial to MITM its traffic passing through your phone.

Provided you own and have physical access to your phone, you can use any number of proprietary/open, free/costly tools to do so (e.g. Fiddler http://www.telerik.com/fiddler, Burp https://portswigger.net/burp/ and mitmproxy https://mitmproxy.org/).

In this case I used Fiddler. All I had to do was generate a custom root certificate (be warned, this is not a good idea in general; look up Superfish if you want an example of why installing custom root certificates can be bad), install that certificate on my device, and then proxy my device through the computer running Fiddler.

This process is far better documented here: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/Conf... If you need any more help or advice, let me know.

I recall older versions of one of those (forget which) generated a non-unique custom certificate, meaning anyone who had used it could be MITM'd with the same cert. It was changed later on, but it's a risk if you go with something poorly designed.

Not the above commenter, but here is a good summary of several ways it is possible to do this: http://stackoverflow.com/questions/9555403/capturing-mobile-...

I have used the approach of installing Wireshark on a PC operating as an access point, and it was easy enough to set up assuming you have the requisite equipment.

This kind of interception is quite easy to set up with https://mitmproxy.org, even for HTTPS requests, and on iOS as well. (I'm not affiliated but have just used the software before for a similar task.)
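Once the device is proxied through your machine with the proxy's root certificate installed (the setup described in the Fiddler comment above, which works the same way with mitmproxy), the remaining question from the original post is what the app is actually sending out. The following is an added example, not code from the thread or from the mitmproxy project: a small mitmproxy addon that flags requests which travel in cleartext or carry parameters that look like device identifiers or personal data, in the query string, a form body, or a JSON body. The list of flagged parameter names and the sample requests in the test are constructed for illustration; the `classify` and `suspicious_params` helpers are pure functions so they can be run without mitmproxy.

```python
"""Added example: a mitmproxy addon that flags identifier-leaking requests.

Run under mitmproxy with the device proxied through this host:
    mitmproxy -s flag_exfil.py
The pure helpers below work stand-alone, without mitmproxy installed.
"""
import json
import logging
from urllib.parse import parse_qsl, urlsplit

log = logging.getLogger(__name__)

# Parameter names worth a closer look if an app sends them. This list is
# constructed for the example; tune it to the app under test.
SUSPICIOUS_KEYS = frozenset({
    "imei", "imsi", "android_id", "advertising_id", "mac", "serial",
    "email", "phone", "password", "contacts", "lat", "lon", "location",
})


def _walk_json(obj, prefix=""):
    """Yield (dotted.path, value) for every leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk_json(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk_json(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj


def suspicious_params(url, body="", content_type=""):
    """Return {name: value} for parameters whose (last) name is in SUSPICIOUS_KEYS.

    Looks in the URL query string and, depending on Content-Type, in a
    form-encoded or JSON request body.
    """
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    ctype = content_type.lower()
    if body:
        if "application/x-www-form-urlencoded" in ctype:
            pairs += parse_qsl(body, keep_blank_values=True)
        elif "json" in ctype:
            try:
                pairs += list(_walk_json(json.loads(body)))
            except ValueError:
                pass  # malformed JSON: nothing structured to inspect
    return {k: v for k, v in pairs if k.rsplit(".", 1)[-1].lower() in SUSPICIOUS_KEYS}


def classify(method, url, body="", content_type=""):
    """Summarise one request: transport security plus any flagged parameters."""
    parts = urlsplit(url)
    hits = suspicious_params(url, body, content_type)
    cleartext = parts.scheme == "http"
    if hits and cleartext:
        severity = "high"    # identifiers sent where anyone on the path can read them
    elif hits:
        severity = "medium"  # identifiers sent, but at least over TLS
    elif cleartext:
        severity = "low"     # plain HTTP, nothing obviously sensitive in it
    else:
        severity = "info"
    return {"method": method, "host": parts.hostname or "", "cleartext": cleartext,
            "hits": hits, "severity": severity}


class FlagExfil:
    """mitmproxy addon hook: called with an http.HTTPFlow for every client request."""

    def request(self, flow):
        req = flow.request
        verdict = classify(req.method, req.pretty_url, req.get_text(strict=False) or "",
                           req.headers.get("content-type", ""))
        if verdict["severity"] != "info":
            log.warning("[%s] %s %s cleartext=%s hits=%s", verdict["severity"],
                        req.method, req.pretty_url, verdict["cleartext"], verdict["hits"])


addons = [FlagExfil()]


if __name__ == "__main__":
    # Constructed sample request, shown only so the helpers can be tried offline.
    sample = classify("POST", "http://tracker.example/collect",
                      '{"device": {"android_id": "9774d56d682e549c"}, "app": "1.0"}',
                      "application/json; charset=utf-8")
    print(sample)
```

mitmproxy 9 and later route the standard `logging` module into its own event log, so the warnings show up in the mitmproxy console; on older releases they go to stderr. Because the decoding and matching live in plain functions, the same checks can be replayed over a saved flow file or a HAR export without the proxy running.
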
Wow, thanks for all the replies!