0

I want to know how to detect the URL an Android app uses. Is there any way, or can we create any other Android app, to find the URL my app is using?

user76018
  • That does not provide any solution to the problem. It contains only how to hide the URL. – user76018 May 07 '15 at 09:34
  • I think [this answer](http://security.stackexchange.com/a/22796/5405) there does answer your question. Another option is to decompile the application, but that may violate laws and/or user agreements. – S.L. Barth May 07 '15 at 09:39

1 Answer

2

The easiest way to do this is to run a debugging/security web proxy like Burp Suite, Charles, or Fiddler on a machine, and then set the Android phone to use that proxy. Most apps will obey the device proxy rules, and you can see the host and, if not using HTTPS, the full URL.

If it is using HTTPS, you will also need to install the proxy's own certificate on the phone to enable it to man-in-the-middle the connection. Some apps use certificate pinning to make this harder.

Alternatively, use a technique to enable you to sniff the traffic with Wireshark. Frequently I use a hostapd-based AP using a USB wireless dongle to do this. Again, HTTPS makes this more awkward.

If neither of these works, you can retrieve the app from the device and then decompile it and find any strings or URLs in there.

Cybergibbons
  • Thanks for the solution, but I was expecting that it would be possible through any Android application or by coding an app of our own. If yes, then how will this app retrieve the information of the server URL? – user76018 May 07 '15 at 09:23
  • 3
    @user76018: "i was expecting that will it be possible thorough any android application or by coding an app of our own" -- fortunately, no, for blindingly obvious privacy and security reasons. – CommonsWare May 07 '15 at 10:53
  • You could also perform static analysis on the binary. The URL will generally be present in the strings.xml files, however, the app could also hardcode the URL or generate it dynamically. – amccormack May 07 '15 at 17:49
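
The static route mentioned at the end of the answer and in the last comment, as an added example that is not part of the original posts: an APK is a ZIP archive, so you can list the URL strings embedded in your own app's `classes.dex` (8-bit strings) and `resources.arsc` (where `strings.xml` values end up, often as UTF-16) without a full decompile. The names `find_urls` and `build_sample_apk` and the `example.test` hosts are constructed for illustration.

```python
import io
import re
import zipfile

# Characters allowed in a URL after the scheme (RFC 3986 unreserved + reserved + '%').
CHARS = rb"[A-Za-z0-9._~:/?#@!$&'()*+,;=%\[\]-]"
# 8-bit form, as stored in classes.dex string data and UTF-8 resource pools.
URL_ASCII = re.compile(rb"https?://" + CHARS + rb"{4,}")
# UTF-16LE form (every character followed by a NUL byte), as stored in
# UTF-16 string pools of resources.arsc and compiled binary XML.
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + CHARS + rb"\x00){4,}"
)


def find_urls(apk_bytes):
    """Return {url: sorted list of APK entries that contain it}."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)  # decompresses the entry if needed
            hits = {m.group().decode("ascii") for m in URL_ASCII.finditer(data)}
            hits |= {m.group().decode("utf-16-le") for m in URL_UTF16.finditer(data)}
            for url in hits:
                found.setdefault(url, set()).add(name)
    return {url: sorted(names) for url, names in sorted(found.items())}


def build_sample_apk():
    """Constructed stand-in for an APK: a ZIP holding the two entries of interest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Fake dex string section: length byte, string, NUL terminator.
        z.writestr("classes.dex",
                   b"dex\n035\x00\x1fhttps://api.example.test/v1/login\x00\x05hello\x00")
        # Fake UTF-16 resource string followed by its two-byte terminator.
        z.writestr("resources.arsc",
                   b"\x02\x00" + "http://cdn.example.test/img".encode("utf-16-le") + b"\x00\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # For a real audit, replace build_sample_apk() with open(path, "rb").read().
    for url, entries in find_urls(build_sample_apk()).items():
        print(url, "<-", ", ".join(entries))
```

As the last comment notes, a URL that the app assembles at runtime will not appear as a single string, so an empty result here does not mean the app contacts no servers.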