An application’s HTTP traffic can be tracked using the network inceptor provided by the SDK. This feature only currently available for OkHttp HTTP/REST communication library.
In case your application is using another HTTP library that allows intercepting, please feel free to submit a feature request on our github.
OkHttp interceptor
Smartlook interceptor can be added as a another NetworkInterceptor when creating a OkHttpClient like this:
val client = OkHttpClient.Builder()
.addNetworkInterceptor(SmartlookOkHttpInterceptor())
.build()
OkHttpClient client = new OkHttpClient.Builder()
.addNetworkInterceptor(new SmartlookOkHttpInterceptor())
.build();
Smartlook SDK will not read or send out any body data, it is reading and sending only these request metadata:
- Request URL that can be stripped of any sensitive data -> read more.
- Http method used for this request.
- Request headers that can be filtered out so they do not leak any sensitive data.
- Response headers that are filtered out so they do not leak any sensitive data.
- Protocol negotiated by this connection.
- Duration between request and response/failure.
- Request status stating if the request was successful or eventually how it failed, can be one of the following:
- Ok
- Error
- Abort
- Timeout
- Status code of http response.
- Flag stating if response was received from the cache.
All intercepted requests can be displayed in dev tools on every recording.
Url masks
Sensitive parts of request URLs can be hidden using UrlMask:
UrlMask(regex: String)
UrlMask(regex: String, replaceWith: String)
new UrlMask(String regex);
new UrlMask(String regex, String replaceWith);
If
replaceWith Stringis not defined explicitly the default replaceStringis used.
UrlMasks can be added using SmartlookOkHttpInterceptor.Builder:
SmartlookOkHttpInterceptor.Builder()
.addUrlMask(urlMask: UrlMask)
.build()
new SmartlookOkHttpInterceptor.Builder()
.addUrlMask(UrlMask urlMask)
.build();
In this example SDK is intercepting a request with a URL containing a sensitive query named secret:
https://example.com/page?secret=password&second=query
The content of this sensitive query can be hidden for intercepting using UrlMask:
val interceptor = SmartlookOkHttpInterceptor.Builder()
.addUrlMask(UrlMask("(name=)[^&]+(&*)", "$1<sensitive>$2"))
.build()
val client = OkHttpClient.Builder()
.addNetworkInterceptor(interceptor)
.build()
SmartlookOkHttpInterceptor interceptor = new SmartlookOkHttpInterceptor.Builder()
.addUrlMask(new UrlMask("(name=)[^&]+(&*)", "$1<sensitive>$2"))
.build();
OkHttpClient client = new OkHttpClient.Builder()
.addNetworkInterceptor(interceptor)
.build();
Like the above shown UrlMask intercepted request, it will have the following URL stored:
https://example.com/page?secret=<sensitive>&second=query
Sensitive headers
Intercepted headers can contain sensitive data, so they need to be filtered out by their name. This can be done using sensitiveHeaderNameRegexps, this list of sensitive header names contains these regular expressions by default:
".*csrf.*"".*token.*"".*auth.*"".*key.*"".*cookie.*"
A custom list of sensitive header name regular expressions can be defined by the following:
SmartlookOkHttpInterceptor.Builder()
.addSensitiveHeaderNameRegex(headerRegex: String)
.build()
new SmartlookOkHttpInterceptor.Builder()
.addSensitiveHeaderNameRegex(String headerRegex)
.build();
If at least one sensitive header name regex is added, default ones (shown above) are not going to be used.