monline

This is what I call efficient.

A check for system updates looks like this:

The request body (for me) is only two bytes: 0x22 0x00

The reponse is quite concise too:

And the reply body is something like this: 0x08 0x01 0x18 0xd8 0xa3 0x8c 0xee 0x26

Of course it's entirely possible that the above is not a "real" conversation. I used ProxyDroid + Charles Debugging Proxy to sniff on the communication between my Nexus and Google's servers.

Update: now I know for sure that the above traffic stands for a failed checkin. If you enter the following number (secret checkin code? ) in Android dialer, it'll force a checkin: *#*#checkin#*#* (ie. *#*#2432546#*#*). Normally it'll create a notification in the status bar that "checkin succeeded". If I start up ProxyDroid, enable the global proxy and force a checkin, it'll display "checkin failed". So obviously the Checkin client won't accept a bogus/spoofed SSL certificate from Charles Debugging Proxy. Maybe I should just overwrite the certificate of android.clients.google.com (or google.com) with the one generated by Charles. Probably checkin would work then and I could watch requests come and go. The certificate of android.clients.google.com is issued to "*.google.com" by a CA called "Google Internet Authority" ... which was issued by the CA "Equifax Secure CA". On my phone (Galaxy Nexus) I can see 4 CAs for Equifax (namely: "Equifax", "Equifax Secure" and "Equifax Secure Inc." twice! ). I guess if I create an SSL certificate for "*.google.com", set it up in Charles and import it on my phone, everything should work as expected. I might even try this some other time (when it's not 2:06am ).