First, let's get started with ZAP. ZAP is an intercepting proxy that intercepts and re-encrypts HTTPS traffic for easy debugging. Click on the big blue button on the ZAP homepage to download it. If you choose to use another proxy (I hear Burp Proxy is a common choice) feel free to do so as our approach should work with both.
Now, whichever proxy you use, export its certificate to a file such as owasp_zap_root_ca.cer (in ZAP, go to Tools > Options > Dynamic SSL Certificates > Save). When ZAP first starts up, it generates a certificate valid for one year. You can also generate a new one from the Dynamic SSL Certificates section.
If you're using B2G Desktop, you have to make sure that ZAP does not listen on localhost, but on the IP address assigned to your computer (Ethernet or Wi-Fi). This is because B2G Desktop's localhost does not point to your desktop computer, but to something within the b2g binary itself. For our example, we will use my IP address, 10.264.1.5.
If you're working with a real device, make sure your phone and your computer are connected to the same network/VLAN and can communicate with each other (if in doubt, try to ping the IP of one device from the other).
Creating a certificate database
Accepting certificates happens in settings, which are stored in profiles. Here's a short primer on Firefox profiles:
- Start the Firefox profile manager using the -P option on the command line, and make sure that Firefox does not attach to any existing Firefox session (the -no-remote option).
- On Linux, you need to run:
firefox -P -no-remote
- On Mac OS X:
/Applications/Firefox.app/Contents/MacOS/firefox -P -no-remote
- Now create a new profile called "zapped". Go to the certificate settings: Edit > Preferences > Advanced > Encryption > View Certificates > Import. Select the owasp_zap_root_ca.cer file created by your proxy and tell Firefox that it should trust this CA to identify web sites (this trust is only valid for this profile).
- Having used Firefox to create a certificate database for us, we can now use this database for our B2G profile. The name of your Firefox profile directory is a random string that ends with zapped. The location depends on your operating system; see Runtime Directories for details on where it can be found.
- For B2G Desktop, we only need the cert8.db file, which is the profile's certificate database. Copy it over to your b2g profile directory.
- On a device, copy cert9.db to your device profile directory:
$ adb shell stop b2g
$ adb push cert9.db /data/b2g/mozilla/*.default
Note: This will overwrite the existing file.
Setting up B2G
The next step is to set ZAP as the default proxy for all network communication. The proxy settings, like the certificate settings, are currently not available from the Firefox OS user interface.
On B2G Desktop
You need to append these custom settings to the preferences file, prefs.js, in your B2G Desktop profile directory:
user_pref("network.proxy.backup.ftp", "10.264.1.5");
user_pref("network.proxy.backup.ftp_port", 8080);
user_pref("network.proxy.backup.socks", "10.264.1.5");
user_pref("network.proxy.backup.socks_port", 8080);
user_pref("network.proxy.backup.ssl", "10.264.1.5");
user_pref("network.proxy.backup.ssl_port", 8080);
user_pref("network.proxy.ftp", "10.264.1.5");
user_pref("network.proxy.ftp_port", 8080);
user_pref("network.proxy.http", "10.264.1.5");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.socks", "10.264.1.5");
user_pref("network.proxy.socks_port", 8080);
user_pref("network.proxy.ssl", "10.264.1.5");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.type", 1);
Note: Remember to replace my IP address 10.264.1.5 with yours, and if your proxy does not listen on port 8080, make sure you change it in this file too.
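As an added example (not code from the original article), here is a small POSIX shell helper that writes exactly these network.proxy.* entries into a prefs.js for the proxy address and port you pass in. It checks that the address is a well-formed IPv4 dotted quad and the port is in range, and it removes any earlier network.proxy.* lines first so re-running it never leaves duplicate entries whose last occurrence silently wins. The prefs file path and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added helper, not part of the original article.
# Usage: set_proxy_prefs <path/to/prefs.js> <proxy-ip> <proxy-port>

# Accept only a dotted quad with four octets in 0..255.
valid_ipv4() {
  _ip=$1
  case $_ip in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.
  set -- $_ip
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# Accept only a numeric port in 1..65535.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

set_proxy_prefs() {
  _file=$1 _ip=$2 _port=$3
  valid_ipv4 "$_ip" || { echo "bad IPv4 address: $_ip" >&2; return 1; }
  valid_port "$_port" || { echo "bad port: $_port" >&2; return 1; }
  # Strip any existing network.proxy.* lines, keeping every other pref intact.
  if [ -f "$_file" ]; then
    grep -v '^user_pref("network\.proxy\.' "$_file" > "$_file.tmp" || true
    mv "$_file.tmp" "$_file"
  fi
  # Append the same set of entries the article lists, including the backup.* ones.
  {
    for _scheme in http ssl ftp socks backup.ssl backup.ftp backup.socks; do
      printf 'user_pref("network.proxy.%s", "%s");\n' "$_scheme" "$_ip"
      printf 'user_pref("network.proxy.%s_port", %s);\n' "$_scheme" "$_port"
    done
    printf 'user_pref("network.proxy.no_proxies_on", "");\n'
    printf 'user_pref("network.proxy.share_proxy_settings", true);\n'
    printf 'user_pref("network.proxy.type", 1);\n'
  } >> "$_file"
}
```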
At this point, you should be ready to go! Start B2G Desktop again, and try some browsing. Network traffic should appear in ZAP.
On a device
These instructions may no longer work on a device.
You have to modify the prefs.js file located in /data/b2g/mozilla/*.default:
$ adb pull /data/b2g/mozilla/*.default/prefs.js
At the end of the file, add the custom settings indicated in the section above, then restart b2g (the b2g process should already be stopped if you followed the instructions to push cert9.db):
$ adb push prefs.js /data/b2g/mozilla/*.default
$ adb shell start b2g