How to monitor network requests of Chrome apps? - google-chrome-devtools

I’m interested in finding out exactly what network requests are made by certain 3rd party Chrome apps. I can open the Dev Tools from chrome://inspect/#apps, or from the context menu (enabled under chrome://flags/#debug-packed-apps), or by means of the Chrome Apps & Extensions Developer Tool. Whatever I do, the Network tab stays blank except an occasional image/png, while I’m sure lots of HTTP requests (or HTTPS to be exact) actually take place.
How can I monitor all network requests that an app makes? It seems easy for extensions, but not for standalone apps. Or is MITMing myself with a proxy with a self-signed certificate that Chrome is configured to trust the only option?

Related

Web Serial API Not Persisting Port Access

I'm building a PWA with Nuxt.js that uses the Web Serial API to communicate with our proprietary hardware. It works as expected (i.e. the port will be available without user action the next time you load the web app unless the browser security is reset) on Windows 10/11 and macOS devices, but the device this application will be running on is a Raspberry Pi 4 running the latest stable Raspbian release. The only two browsers I've found that can run on the Raspberry Pi and support the Web Serial API are Chromium and Vivaldi. In both of those browsers, there is an issue remembering which port(s) the user has already allowed access to.
In Chromium, even a page refresh will cause the port permissions to reset, requiring the user to grant access to the serial port again. In Vivaldi, the permissions can survive a page refresh, but restarting the browser will cause it to forget any prior port authorizations.
I have not been able to find any option to whitelist websites in the browser settings the way you can for some other security/privacy options, like you can with things like website clipboard access, nor any way to disable the security feature altogether.
This will be running on custom hardware that ships with the software, so there are no limitations to what can be modified to resolve or work around this. The device is touchscreen only, and the app will be running in a fullscreen kiosk mode at boot. There just needs to be some way to prevent the user from needing to select a port like /dev/s0 and grant the web app access to it every single time they turn the device on.

WebAPK creation failures on Android over VPN

My corporate VPN blocks all external traffic from an Android device. I am trying to test a PWA that is internally hosted (all resources inside a firewall). What I observe is that despite passing the Lighthouse audit, my PWA fails the WebAPK creation process on a device. Specifically, the install process takes a long time, and eventually it degrades to an application shortcut install.
What I did:
1. Built the simplest PWA that I could think of (index.html registering service worker + sw.js with fetch event handling index.html request offline + web manifest) and hosted it on an internal server
2. Ran Lighthouse audit on the desktop and made sure it passes all PWA Lighthouse audits
3. Ran bubblewrap init on the manifest to double check that icons/names are OK
4. Tried to install the PWA on a Pixel phone from Chrome's dot dot dot menu behind the firewall
5. After a long time, the application shortcut was installed (with Chrome overlay icon)
6. Checked chrome://webapks/ on my phone - no surprises here, I did not find a WebAPK for my app
7. Turned on my corporate VPN workaround, which allows me to bypass VPN restrictions and access external addresses (rooted phone + ProxyDroid hackery)
8. Now WebAPK creation works
Question 1:
Could someone please explain what is involved in WebAPK creation that would make it fail behind a strict corporate firewall? Is there any external resource (a service perhaps?) involved here that I could advocate my corporate VPN to whitelist? If not, any advice on how to have automatic tests for WebAPK creation would be appreciated. I thought of using bubblewrap build, but, since it is for TWAs, I did not expect it to pass for my simple PWA.
Question 2:
In general, what is the best technique for diagnosing WebAPK creation failures for PWAs that pass the Lighthouse audit?
The WebAPK is generated server-side by Chrome. Chrome sends details from the manifest, along with the icons, to its server, which then returns the WebAPK. As you pointed out, it's most likely your corporate firewall is blocking that request to the server, preventing Chrome from generating the WebAPK.
The code for generating WebAPKs in Chrome can be found here
For your second question, we don't really have good tools for debugging that. If Lighthouse passes, it should build the WebAPK (with the exception noted above). I suspect you could connect the device to your computer and use ADB to look at logs, but that's... ugly. Sorry.

Show network traffic

Is it possible to view the network traffic (http requests, raw http etc.) similar to chrome dev tools (network tab) generated by an application (nodejs if it makes any difference) via vscode?
This functionality is already present, but it doesn't show the requests and responses of the application running.
The developer tools are connected to the running instance of Code and not the application you are executing. Currently it is not possible to view network traffic for the application you are launching from Code.
You can try to start from the mbehr1.vsc-webshark plugin and use Wireshark tools for catching your app's network I/O.
It would be great to have a more detailed post about configuring the launch of a Rust app (server) in debug mode, Wireshark with VSCode integrated UI, and maybe an internal browser in a single launch.json action, but I can't point to anything close to it.

Scrape HTTPS REST API from an Android app installed in computer

We are building an Android App and we are worried about the REST API being scraped.
Would it be possible to detect the REST endpoints used for the app if somebody manages to install the app in a computer and uses a software like Wireshark to sniff the connection?
The connection is HTTPS
If possible, what is the way of preventing people from using these REST APIs on their own?
"We are building an Android App ... if somebody manages to install the app in a computer"
I.e., you're worried about either 1) a computer running Android or whatever Google's "Android+Chrome merge" thing is or 2) a computer running some software under which Android apps can run?
"and uses a software like Wireshark to sniff the connection? ... The connection is HTTPS"
Sniffing an SSL/TLS connection gives you a bunch of encrypted data unless you give Wireshark enough data to decrypt it, and it's a situation where it can decrypt it.
However, a debugging proxy such as Fiddler or Charles might be able to catch the traffic and decrypt it in situations where Wireshark couldn't.

setting up server for an iphone app

Super basic question - I am building an iPhone app but will need to set up my computer as a server so my app can send data to my computer. What are the first steps that I need to take?
Thanks!
If you are writing an iPhone app you are probably on a Macbook, so you can easily enable Apache: in System Preferences, click Sharing and enable Web Sharing. It will then show you your computer's IP address that you can hit over a web browser.
That will set you up with a web server on your machine. Since your emulator and web server will be on the same wifi network, and even if you deploy to the device you can have it on your wifi network, you should be able to post data to your Mac's web server.
If you are passing data to it you'll need to read about 'web services', probably REST web services. I would then suggest reading about PHP and/or Ruby or Python as your programming language to interpret what you are posting to the web service.
Hope that helps you on your way.
If you are not on a Mac you can't develop an iPhone app anyways ;) so the above strategy should work for you.
3G will only work for you if your server is available outside of the network. Tons of info online on how to set that up, but essentially what you would do is configure your router to forward incoming traffic from (for example) port 8080 to the IP address of your server. Assuming you are on a router.
As a side note, if down the line you use Ruby you could check out http://www.heroku.com/how if you want to host your server there.