I am pentesting android application. I used burpsuite and configured genymotion emulated android to use my host as proxy. Installed CA certificates on android (android api < 24). Everything went well and I was able to intercept and manipulate http/https traffic of the application.
However, I noticed that not all the data being exchanged between the application and the server is being intercepted, so I ran tcpdump through adb shell and found out that the application exchange tcp packets that contain the missing data through special api with special port(src:37966 & dst:25050). I explored the data and found no means of encryption (I could read pcap file plain text in wireshark).
I googled and found out that this is called "thick client application" and it is not aware of the global proxy setting on the emulated device.
Is there a chance that transmitted tcp packets which I captured are http exchanged over custom ports and thus burpsuite ignore them? In this case how can I configure burpsuite to capture those data to modify it on the fly? I am aware I can use invisible proxy setting in burpsuite but how can I forward that specific port 37966 in my emulated android to burpsuite proxy on my host machine and still be able to intercept normal http/https traffic?
Any guidance would be appreciated.
UPDATE:
- I unpacked the apk file and looked into semi-human readable source code. Found out that client do serilization using kyro.
Question
- Can I deserialize the packets in my .pcap file to be able to read the data?