Daily use¶
Assumes WSL — Docker and mitmweb and Windows — host tools, SDK, and emulator are done. Replace
pixel_api35 with your AVD name (emulator -list-avds on Windows).
Use scripts/adb.sh for adb from WSL (WSL — adb to the Windows emulator). All commands below
run from the aioafero repo checkout in WSL unless noted.
Every session¶
WSL —
./scripts/mitmweb.sh up(Start mitmweb (WSL))Windows — boot the emulator with
-writable-system(Boot the emulator (Windows))WSL —
./scripts/inject-mitm-ca.sh(Inject the mitmproxy CA (WSL); again after every emulator reboot)WSL — push WireGuard config if needed (
./scripts/adb.sh push …); emulator — turn the tunnel on (Connect WireGuard (WSL + emulator))Emulator — open Hubspace, sign in, trigger a device action (Use Hubspace and capture traffic)
Browser (WSL or Windows) — http://127.0.0.1:8081/?token=aioafero
flowchart TD
mitm[WSL: mitmweb up]
emuWin[Windows: emulator -writable-system]
inject[WSL: inject-mitm-ca.sh]
wg[WSL: adb.sh push + WireGuard on]
app[Emulator: Hubspace traffic]
ui[Browser: mitmweb UI]
mitm --> emuWin --> inject --> wg --> app --> ui
Start mitmweb (WSL)¶
./scripts/mitmweb.sh up
# UI: http://127.0.0.1:8081/?token=aioafero
Stop: ./scripts/mitmweb.sh down
Logs: ./scripts/mitmweb.sh logs
Compose file: docker/mitmweb/compose.yaml. State lives in WSL ~/.mitmproxy/
(CA cert + WireGuard keys). ./scripts/mitmweb.sh ca-path prints the cert path.
Boot the emulator (Windows)¶
emulator -avd pixel_api35 -writable-system -no-snapshot
Wait for the home screen, then Inject the mitmproxy CA (WSL) from WSL.
Inject the mitmproxy CA (WSL)¶
Afero apps pin TLS. Install the mitmproxy CA as a system trust anchor and bind it into the APEX conscrypt store (zygote + running apps). Repeat after every emulator reboot — APEX bind mounts do not persist.
./scripts/inject-mitm-ca.sh
Waits for the emulator (90s timeout), then adb root → adb remount, pushes
~/.mitmproxy/mitmproxy-ca-cert.pem (or MITMPROXY_CERT), runs
scripts/mitm-ca-inject-device.sh on the device, force-stops Hubspace, and opens
http://mitm.it in Chrome (falls back to the default browser).
http://mitm.it only loads when WireGuard is on and connected — traffic must route through
mitmproxy (DNS = 10.0.0.53 requires an active tunnel). APEX injection already installs
the mitmproxy CA as a system trust anchor; mitm.it is a tunnel verification step, not a
user cert install. If the page fails, enable WireGuard (Connect WireGuard (WSL + emulator)) and open
http://mitm.it again.
Override the cert path: MITMPROXY_CERT=/path/to/mitmproxy-ca-cert.pem ./scripts/inject-mitm-ca.sh
Manual on-device steps: scripts/mitm-ca-inject-device.sh.
Connect WireGuard (WSL + emulator)¶
One-time setup (usually during First-time install): create
docker/mitmweb/emulator-wireguard.conf from mitmweb → WireGuard tab — see
Endpoint and Config file below. Each session: import is already on the device
unless you wiped data; toggle the tunnel On.
Push the config from WSL (skip if already imported):
./scripts/adb.sh push docker/mitmweb/emulator-wireguard.conf /sdcard/Download/aioafero-mitm.conf
Emulator: WireGuard → + → Import from file or archive → Download/aioafero-mitm.conf → toggle On.
All emulator traffic routes through mitmproxy; no per-app HTTP proxy is needed.
Endpoint: mitmweb auto-detects an address for simple LAN setups; for WSL Docker +
a Windows emulator that value is usually wrong (127.0.0.1 or a Docker bridge IP). Use
an address the emulator can reach on UDP 51820 — for an emulator on the same Windows
host as Docker, that is 10.0.2.2 (Google’s fixed emulator→host alias, not your LAN
IP). Allow UDP 51820 through the Windows firewall if the tunnel will not connect.
Config file: copy docker/mitmweb/emulator-wireguard.conf.example to
emulator-wireguard.conf, fill PrivateKey and [Peer] PublicKey from mitmweb,
set Endpoint (see above). Gitignored — contains a private key.
Keys and the mitmproxy CA persist in ~/.mitmproxy/ across ./scripts/mitmweb.sh down
/ up — no re-import on a normal restart. Re-import or re-run inject only if the tunnel
fails or host/container files diverge (Troubleshooting).
Use Hubspace and capture traffic¶
App package: io.afero.partner.hubspace. Sign in and toggle something.
Filter in mitmweb:
Host / path |
Purpose |
|---|---|
|
OpenID login / token exchange |
|
REST API |
|
Device state / semantics |
|
Common path filters |
Capture and export¶
In mitmweb:
Search flows by host or path.
Select a flow → Request / Response for JSON bodies.
File → Save (HAR) or copy bodies for test fixtures.
Before committing fixtures: redact tokens, IDs, and email; keep payloads small. HAR files contain live credentials — do not attach them to public issues.
Troubleshooting¶
Session and capture issues below. SDK, AVD, adb setup: Install troubleshooting and WSL — adb to the Windows emulator.
Symptom |
Fix |
|---|---|
No flows in mitmweb |
WireGuard on; mitmweb running; trigger traffic in Hubspace; filter |
TLS errors in app |
Re-run |
Flows stop after reboot |
Re-run |
No device / inject times out |
|
Login works, no API calls |
Filter |
WireGuard tunnel fails ( |
|
|
Compare |
mitmweb 403 |
|
|
Google APIs image (not Google Play); |