Mobile terminal environment configuration and packet capture basics

To crawl App data, the first step is to see clearly what is transmitted between the App and the server, and that depends on a stable, easy-to-use debugging environment and packet capture tool chain.

This article walks you step by step through building your own App packet capture environment along four dimensions: environment selection → core commands → packet capture configuration → getting past anti-capture measures.


1. Mobile debugging environment: emulator or real device?

There is no need to agonize over the choice of environment; each of the two options has clear use cases:

Dimension | Emulator (recommended for beginners and day-to-day development) | Real device (special scenarios or production adaptation)
Cost | Free (LDPlayer, Nox and AVD are all free to use) | Requires physical devices; testing many models is expensive
Permissions | Most emulators ship rooted and are usable as soon as you open them | New models are hard to root, and some financial apps also detect root
Efficiency | Multi-instance startup, cloning and reset are extremely fast, and the network environment is controllable | Switching between several devices is slow and limited by carriers and physical networks
Compatibility | A few apps with strong integrity checks (games/banks) actively block emulators | Perfectly matches the real user environment

Suggestion: use an emulator for daily development and learning. It is cheap, fully privileged and the most efficient option.

1.1 Quickly connect ADB to mainstream emulators

After choosing an emulator, the first step is to use ADB to "bind" the PC and the emulator together:

# First confirm the ADB version (Android SDK Platform-Tools already installed)
adb version

# Default ports of common emulators (with multiple instances the port increases, e.g. the second LDPlayer instance is 5557)
adb connect 127.0.0.1:5555   # LDPlayer
adb connect 127.0.0.1:62001  # Nox
adb connect 127.0.0.1:7555   # MuMu

After the connection succeeds, run adb devices and you will see the device status:

List of devices attached
127.0.0.1:5555    device

2. Commonly used ADB commands: ten commands for daily development

ADB is the communication bridge between the PC and Android devices. The following commands cover 99% of daily needs; there is no need to memorize them, just come back to this list when you need one.

Connection and status

# Restart the ADB server; fixes the classic "device not found" problem
adb kill-server && adb start-server
adb devices    # Confirm device status: device = normal, offline = reconnect

Application management

# List third-party package names to quickly find the target App
adb shell pm list packages -3

# Install and uninstall
adb install -r <APK file path>     # -r means install over the existing version
adb uninstall <package name>       # add -k to keep the App's data

File transfer

# Push certificates, scripts, etc. to the phone's /sdcard directory (best compatibility)
adb push <local file> /sdcard/

# Pull a file from the phone into the current directory
adb pull /sdcard/<file path> ./

Common debugging techniques

# Take a screenshot and save it locally in one go
adb shell screencap /sdcard/tmp.png && adb pull /sdcard/tmp.png . && adb shell rm /sdcard/tmp.png

# Force-kill the App so it starts fresh before capturing
adb shell am force-stop <package name>

# Launch the specified App with the monkey command
adb shell monkey -p <package name> -c android.intent.category.LAUNCHER 1

3. Mainstream packet capture tools: pick one of three

The core principle of every packet capture tool is the same: set the phone's Wi-Fi proxy to the PC → the tool intercepts the traffic → the tool uses its own CA certificate to impersonate the server towards the App, so requests and responses can be read in clear text.

Depending on your operating system and requirements, you can choose:

Tool | Applicable scenarios
Fiddler | First choice for Windows users; intuitive interface and rich plug-ins
Charles | First choice for Mac/Linux users or when cross-platform support is needed
Mitmproxy | First choice for Python developers and for automated, scripted packet capture

3.1 Mitmproxy: the tool best suited to Python packet capture

Mitmproxy has three startup modes. When you are starting out, play with the web interface (mitmweb) first, then switch to script mode for automated processing once you are familiar with it.

Step 1: installation and startup

# Install with pip (requires Python 3.8+)
pip install mitmproxy

# Start the web interface (proxy port 8080, web console port 8081)
# --web-host 0.0.0.0 makes the console reachable from the whole LAN; omit it if only this PC needs it
mitmweb -p 8080 --web-host 0.0.0.0

Step 2: configure the emulator proxy (LDPlayer as an example)

  1. In the emulator open Settings → WLAN → long-press the connected Wi-Fi → Modify network
  2. Set Proxy to Manual; for the hostname enter the PC's LAN IP (check it with ipconfig on Windows, ifconfig on Mac/Linux)
  3. Enter port 8080, save, then open the browser and visit mitm.it
  4. Follow the prompts to download and install the certificate (on Android 7.0+ the certificate must be installed into the system store, see Section 4 for details)

Step 3: write a script that automatically saves JSON responses

Many App APIs return JSON, which we can intercept and save automatically with a few lines of code:

# save_json.py
from mitmproxy import http
import json
import os
from datetime import datetime

OUTPUT = "app_json_data"
os.makedirs(OUTPUT, exist_ok=True)

def response(flow: http.HTTPFlow):
    # mitmproxy calls this hook once for every completed response
    ct = flow.response.headers.get("Content-Type", "")
    if "application/json" not in ct:
        return

    try:
        # one file per response: timestamp plus host, so names never collide
        ts = datetime.now().strftime("%Y%m%d_%H%M%S_%f")
        domain = flow.request.host.replace(".", "_")
        filename = f"{OUTPUT}/{ts}_{domain}.json"

        with open(filename, "w", encoding="utf-8") as f:
            json.dump({
                "url": flow.request.pretty_url,
                "method": flow.request.method,
                "response": json.loads(flow.response.text)
            }, f, ensure_ascii=False, indent=2)
    except Exception as e:
        print(f"Save failed: {e}")

Start it in script mode:

mitmdump -s save_json.py -p 8080
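A capture directory quickly fills up with responses from CDNs, analytics hosts and, worse, with the App's own session tokens sitting in plain text next to the bodies. The variant below is an added example, not the article's script: it keeps only allow-listed API hosts, trusts the body (not the Content-Type header) to decide what is JSON, and masks credential-bearing request headers before anything touches disk. The host pattern, the header list and the file naming are assumptions for the example; the hook itself is the same mitmproxy response() entry point as above, so it runs with mitmdump -s save_json_safe.py -p 8080.

```python
# save_json_safe.py (added example, not the article's code)
import json
import os
import re
from datetime import datetime

OUTPUT = "app_json_data"
# Only persist traffic for the App's own API hosts (constructed placeholder
# pattern; replace it with the domains you actually see in mitmweb).
HOST_ALLOW = re.compile(r"(^|\.)api\.example\.test$")
# Session credentials must never be written to disk next to captured bodies.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}


def redact_headers(headers):
    """Return a plain dict copy of the headers with secret-bearing values masked."""
    return {
        name: "<redacted>" if name.lower() in SENSITIVE_HEADERS else value
        for name, value in headers.items()
    }


def build_record(url, method, host, content_type, req_headers, body_text):
    """Decide whether a response is worth saving and build the JSON record.

    Returns None when the host is not allow-listed, the declared media type is
    not JSON, or the body does not actually parse as JSON (servers do lie).
    """
    if not HOST_ALLOW.search(host):
        return None
    if "json" not in content_type.split(";")[0].lower():
        return None
    try:
        payload = json.loads(body_text)
    except (TypeError, ValueError):
        return None
    return {
        "url": url,
        "method": method,
        "request_headers": redact_headers(req_headers),
        "response": payload,
    }


def output_path(host, timestamp):
    """One file per response; the host is sanitised so it cannot escape OUTPUT."""
    safe_host = re.sub(r"[^A-Za-z0-9._-]", "_", host)
    return f"{OUTPUT}/{timestamp}_{safe_host}.json"


def response(flow):
    """mitmproxy addon hook; mitmdump passes an http.HTTPFlow, no import needed."""
    record = build_record(
        flow.request.pretty_url,
        flow.request.method,
        flow.request.host,
        flow.response.headers.get("Content-Type", ""),
        {k: v for k, v in flow.request.headers.items()},
        flow.response.text or "",
    )
    if record is None:
        return
    os.makedirs(OUTPUT, exist_ok=True)
    path = output_path(flow.request.host, datetime.now().strftime("%Y%m%d_%H%M%S_%f"))
    with open(path, "w", encoding="utf-8") as f:
        json.dump(record, f, ensure_ascii=False, indent=2)
```

Keeping the decision logic in build_record() rather than inside the hook means it can be unit-tested offline against captured samples, without a running proxy.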

4. Countering anti-capture measures: certificate pinning and bypass techniques

HTTPS encryption adds two hurdles to packet capture. Fortunately, each has a ready-made solution.

4.1 Install the certificate into the system store

Starting from Android 7.0 (API 24), an App by default trusts only the CA certificates pre-installed by the system and ignores user-installed certificates, so the Mitmproxy certificate has to be written into the system store (ROOT permissions are required).

# 1. Enter the Mitmproxy certificate directory (on Windows: C:\Users\<username>\.mitmproxy)
cd ~/.mitmproxy

# 2. Compute the certificate hash Android expects and name a copy after it
#    (copy rather than rename, so mitmproxy's own mitmproxy-ca-cert.pem stays in place)
CERT_HASH=$(openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.pem | head -1)
cp mitmproxy-ca-cert.pem ${CERT_HASH}.0

# 3. Push the certificate into the system store and fix its permissions
adb root
adb remount   # some emulators need /system remounted read-write first
adb push ${CERT_HASH}.0 /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/${CERT_HASH}.0
adb reboot    # takes effect after the reboot

If the emulator is already rooted, the whole process is painless, which is one of the reasons emulators were recommended above.

4.2 Bypass SSL Pinning

If you still cannot capture anything after installing the system certificate, the App has enabled SSL Pinning (certificate pinning): it actively checks whether the certificate returned by the server matches the one built into the App, and if it does not, it simply drops the connection.
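To see why a proxy certificate is rejected even once the system store trusts it, it helps to look at what a pinning check actually computes. The following is an added example, not code from the article or from any App: it implements the common SPKI pin, a SHA-256 over the certificate's SubjectPublicKeyInfo encoded in base64, which is the scheme Android's network security configuration uses for pin-sets, and applies it to the leaf certificate. The certificates it checks are constructed, unsigned DER blobs with made-up keys (a toy tlv() encoder builds them inline), so the block runs offline; the subject name api.example.test is a placeholder.

```python
# Added example (not from the article): the decision behind SSL Pinning.
# A pinning App carries base64(SHA-256(SubjectPublicKeyInfo)) of the server key
# and refuses any certificate whose SPKI hashes differently. A proxy CA issues a
# certificate for the same hostname but with its own key, so the pin never matches.
import base64
import hashlib


def tlv(tag, value):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def oid(encoded):
    return tlv(0x06, encoded)


def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value_start, end_of_tlv)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate and return the raw SubjectPublicKeyInfo TLV.

    RFC 5280 field order: [0] version (optional), serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo.
    """
    _, start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    tag, pos, _ = read_tlv(cert_der, start)        # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                # EXPLICIT [0] version present
        pos = end
    for _ in range(5):                             # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    return cert_der[pos:end]


def spki_pin(cert_der):
    """base64(SHA-256(SPKI)), the form a pin appears in inside an App's pin-set."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_check(cert_der, pin_set):
    """The accept/reject decision a pinning App makes on the presented leaf certificate."""
    return spki_pin(cert_der) in pin_set


def demo_cert(common_name, fake_point):
    """Build a constructed, unsigned X.509-shaped DER blob carrying an EC SPKI for fake_point.

    Returns (cert_der, spki_der). Nothing here is a real key or a real signature.
    """
    name = tlv(0x30, tlv(0x31, tlv(0x30, oid(b"\x55\x04\x03") + tlv(0x0C, common_name.encode()))))
    sig_alg = tlv(0x30, oid(b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))            # ecdsa-with-SHA256
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    alg_id = tlv(0x30, oid(b"\x2a\x86\x48\xce\x3d\x02\x01")                  # id-ecPublicKey
                       + oid(b"\x2a\x86\x48\xce\x3d\x03\x01\x07"))           # prime256v1
    spki = tlv(0x30, alg_id + tlv(0x03, b"\x00" + fake_point))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                    + sig_alg + name + validity + name + spki)
    cert = tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + b"\x00" * 64))     # dummy signature
    return cert, spki


if __name__ == "__main__":
    server_cert, _ = demo_cert("api.example.test", b"\x04" + b"\x11" * 64)
    proxy_cert, _ = demo_cert("api.example.test", b"\x04" + b"\x22" * 64)   # same name, proxy's key
    pins = {spki_pin(server_cert)}
    print("genuine server cert accepted:", pin_check(server_cert, pins))    # True
    print("proxy-issued cert accepted:  ", pin_check(proxy_cert, pins))     # False
```

Because the pin is bound to the server's key rather than to who signed the certificate, adding a CA to the system store changes nothing for a pinned App; only the App's own verification code decides, which is why the next step works at the code level rather than at the certificate level.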

The quickest bypass is Frida + JustTrustMe:

# Install Frida on the PC
pip install frida frida-tools

# Download the frida-server build for the matching architecture (e.g. an x86_64 emulator needs the x86_64 build)
# Download page: https://github.com/frida/frida/releases

# Push it to the phone and start it
adb push frida-server-* /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server-*
adb shell su -c /data/local/tmp/frida-server-* &   # run in the background

# Download JustTrustMe.js (search GitHub for "JustTrustMe frida")
# Then launch the App and inject the script
# (--no-pause is for older Frida CLIs; Frida 16 and later resume automatically and no longer accept it)
frida -U -f <target App package name> -l JustTrustMe.js --no-pause

With that, the SSL Pinning verification logic is bypassed and the packet capture tool can decrypt HTTPS traffic normally.


5. A complete hands-on walkthrough

Taking the API of a reading App as an example, let us string the previous sections together (for learning only, not for illegal use):

  1. Open LDPlayer and confirm that it is rooted
  2. Install the Mitmproxy certificate into the system store
  3. Start mitmweb -p 8080
  4. Set up the emulator's Wi-Fi proxy
  5. Launch the reading App with Frida + JustTrustMe
  6. Flip through a few books, then open http://127.0.0.1:8081 in the browser to watch the API data in real time

The entire process, from environment setup to seeing the plaintext API, can be completed within ten minutes.


Summary

This article has four core points:

  • Prefer emulators: ROOT permissions remove most obstacles outright
  • Ten ADB commands are enough: they cover application management, file transfer and simple debugging
  • Pick one of three packet capture tools: Python developers prefer Mitmproxy for easy scripting
  • Two steps to get past anti-capture measures: a system-store certificate plus Frida + JustTrustMe to bypass SSL Pinning

With these mastered, you hold a master key for "seeing through" App data flows, a solid foundation for the protocol analysis and crawler development that follow.