SSL MitM for Android
- Sniffed SSL traffic between Android-App and Server: analysis-server.txt
- The chat messages are not transferred over HTTPS, but you can use tcpdump to sniff the traffic to TCP port 5222: analysis-chat.txt
How to sniff SSL traffic:
- Download the APK
- Install patched OpenSSL (patch: openssl_req_resign_rekey.patch) if you want to use the fake_certificate.bash script from https://github.com/acritox/sslhack to create the fake SSL certificate as shown in APK-modification-and-sniffing.txt (my already patched *.deb packages for Debian wheezy amd64: patched-openssl/)
- Follow APK-modification-and-sniffing.txt to create a fake certificate for the HTTPS server and start a MitM sniffer
- Upload the modified APK to your phone (e.g. via Dropbox)
- Settings > Security > Device administration > Unknown sources
- Install the modified APK
- Settings > Wi-Fi > long press on your SSID > Modify network: use static IP settings and set the IP of the host running the MitM sniffer as Gateway
- Start the App