How to record an Android application using HTTPS traffic with JMeter

on 10 September 2018 DEVOPS, HTTPS, JMETER, LoadRunner alternative, Neoload Alternative, PERFORMANCE and Tags: , , , , , with 0 comments

How to record an Android application using HTTPS traffic with JMeter

The context:

You have to load test an Android application that issues HTTPS traffic to your servers.

To do that you decide to use JMeter to record the traffic, unfortunately, you get:

Received fatal alert: certificate_unknown
**ensure browser is set to accept the JMeter proxy certificate**

Hopefully, you’ll see in this blog how to handle this case.

The solution (Android < 7):

First use JMeter Recording Template Then start JMeter’s HTTP(S) Test Script Recorder, it will generate in jmeter/bin folder, a file called ApacheJMeterTemporaryRootCA.crt .

Copy file to your android device and install it as CA Certificate.

See How do I install a user certificate? thread for more details.

The certificate has limited life time (defaults to 7 days) but you can extend it by setting in user.properties

proxy.cert.validity=Number of days

The solution (Android >= 7):

Now a big problem triggers when you have an application running on Android >= 7.

Indeed, Google made a big change in it security policy by allowing applications to only use System installed Certificates. So your certificate will not be used.

So what is the solution ?

Well, you have 2 options:

The hacky one:

This solution is not a viable one IMO, as it requires you to root device to be able to install certificate

  • Root device and install certificate following this method.

The clean one:

The clean one  requires you to modify the APK in a little way.

So you’ll need to ask developer of application to modify the APK as described below.

Edit manifest and add :

android:networkSecurityConfig="@xml/network_security_config"

You’ll get:

 <?xml version="1.0" encoding="utf-8"?>
 <manifest ... >
     <application android:networkSecurityConfig="@xml/network_security_config"
                ... >
    ...
     </application>
 </manifest>

Then add in res/xml/network_security_config.xml this:

 <?xml version="1.0" encoding="utf-8"?>
 <network-security-config>  
       <base-config>  
             <trust-anchors>  
                 <!-- Trust preinstalled CAs -->  
                 <certificates src="system" />  
                 <!-- Additionally trust user added CAs -->  
                 <certificates src="user" />  
            </trust-anchors>  
       </base-config>  
 </network-security-config>

Note that this is needed whatever tool you use (Neoload, LoadRunner, …)

About  the author:

Philippe Mouawad works as an Architect and technical expert for Ubik-Ingenierie where he leads among other things the development of UbikLoadPack a set of Commercial Plugins for Apache JMeter allowing to load test different protocols like MPEG-DASH, Http Live Streaming, HSS, HDS, GWT, JavaSerialization.
Philippe is a committer on the Apache JMeter project and member of the PMC since October 2011.
Finally he is a co-author of a french book on JMeter called Maîriser JMeter: Du test de charge à Devops.

Try it:

Request a trial version HERE.

Ask for a turnkey or consulting service at ubik-load-pack-sales@ubik-ingenierie.com.

About us: