抓包：Android不走代理的请求

测试用例

测试应用有两个按钮，分别用 HttpURLConnection 和 Okhttp3 请求 https://www.baidu.com/。注意：两个请求都加入了 Proxy.NO_PROXY。

//HttpURLConnection请求https://tcc.taobao.com/cc/json/mobile_tel_segment.htm?tel=13812371237
public void getHtmlByUrlconnection(String path) throws Exception {
    URL url = new URL(path);
    HttpURLConnection conn = (HttpURLConnection) url.openConnection(Proxy.NO_PROXY); // openConnection(Proxy.NO_PROXY)是关键
    conn.setConnectTimeout(5000);
    conn.setRequestMethod("GET");
    if (conn.getResponseCode() == 200) {
        InputStream inStream = conn.getInputStream();
        ByteArrayOutputStream outStream = new ByteArrayOutputStream();
        byte[] buffer = new byte[1024];
        int len = 0;
        while ((len = inStream.read(buffer)) != -1) {
            outStream.write(buffer, 0, len);
        }
        inStream.close();
        String res = new String(outStream.toByteArray(), "UTF-8");
        Log.d("GRAB", res);
    }
}

//OkHTTP3请求https://tcc.taobao.com/cc/json/mobile_tel_segment.htm?tel=13923542345
public void getHtmlByOkhttp3(String path) {
    OkHttpClient okHttpClient = new OkHttpClient().newBuilder().proxy(Proxy.NO_PROXY).build(); // proxy(Proxy.NO_PROXY)是关键
    final Request request = new Request.Builder()
            .url(path)
            .get()
            .build();
    Call call = okHttpClient.newCall(request);
    call.enqueue(new Callback() {
        @Override
        public void onFailure(Call call, IOException e) {
            Log.d("GRAB", "onFailure: ");
        }

        @Override
        public void onResponse(Call call, Response response) throws IOException {
            Log.d("GRAB", "onResponse: " + response.body().string());
        }
    });
}

可以看到，基于代理抓包的Fiddler不再有效，我们可以从网络更底层或者函数本身入手解决。

 

HttpCanary

Android平台抓包工具，功能非常强大，基于传输层，连TCP UDP也能抓。首先去其设置中安装证书（Android7.0+注意要系统证书）。

操作比较简单，不多赘述了，可以看到用此工具可以抓到不走代理的包。

 

Hook相关函数

使用Frida Hook掉设置代理的函数：

function hookProxy() {
    Java.perform(function () {
            let URL = Java.use("java.net.URL");
            URL.openConnection.overload("java.net.Proxy").implementation = function (arg1) {
                console.log("hook了HttpURLConnection")
                return this.openConnection();
            }

            let Builer = Java.use("okhttp3.OkHttpClient$Builder");
            let newBuilder = Builer.$new();
            Builer.proxy.overload("java.net.Proxy").implementation = function (arg1) {
                console.log("hook了okhttp3")
                return newBuilder;
            }
        }
    );
}

运行：