Debugging SSL-protected protocols like OAuth2 can be a problem, but it is
neither impossible nor particularly hard to do.
One way to do it is to spoof the certificates the protocol relies on to protect the communication. The client uses
these certificates to verify that the server is the endpoint it is supposed to be talking to and to encrypt the
communication. A good description for the Android operating system is given in this blog post
(Intercepting and decrypting SSL communications between Android phone and 3rd party server).
Nobody can blame Android for being picked here as an example; ways to do
this exist for all operating systems. Yes, to install the certificates you need root
access, but it may well be that you have that and want to help a friend
debug their application installed on your phone. Even if the client is running
on a server, it may be worthwhile to debug the network traffic to find certain
errors in the client implementation. An error specific to an OAuth
implementation might be that your friend has a typo in the client_id or
client_secret and the authorization server is rejecting requests because of
that.
It might be hard for you to verify client_id and client_secret by analyzing
the client. Maybe they are stored on a UICC, or stored encrypted in the file system (and
the keystore password is not "changeit"), and are only decrypted and
used when a resource owner uses the client.
By analyzing the SSL traffic you can help find this kind of bug and all
other protocol-related issues.
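Once the traffic is readable, the check itself is short. The following is an added example (not code from the original post): it takes a decrypted HTTP request to the token endpoint, pulls the client credentials out of the Basic Authorization header (RFC 6749 section 2.3.1) or, for clients that send them as form parameters, out of the body, and compares them with the values registered at the authorization server. The request, the endpoint host auth.example.test, the authorization code and all credential values are constructed for illustration.

```python
"""Added example: spot a client_id / client_secret typo in a decrypted
OAuth2 token request. Everything below (host, code, credentials) is
constructed sample data, not captured from any real client."""
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

# Constructed body of a typical authorization-code token request.
TOKEN_BODY = (
    "grant_type=authorization_code"
    "&code=SplxlOBeZQQYbYS6WxSbIA"
    "&redirect_uri=https%3A%2F%2Fclient.example.test%2Fcb"
)


def build_sample_request(client_id, client_secret, in_body=False):
    """Construct the plain-text POST a client sends to the token endpoint:
    credentials either as HTTP Basic auth (RFC 6749 2.3.1, which
    form-urlencodes id and secret before base64) or as body parameters."""
    body = TOKEN_BODY
    headers = ["Host: auth.example.test",
               "Content-Type: application/x-www-form-urlencoded"]
    if in_body:
        body += "&" + urlencode({"client_id": client_id,
                                 "client_secret": client_secret})
    else:
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        token = base64.b64encode(pair.encode()).decode()
        headers.append(f"Authorization: Basic {token}")
    headers.append(f"Content-Length: {len(body)}")
    return ("POST /oauth/token HTTP/1.1\r\n" + "\r\n".join(headers)
            + "\r\n\r\n" + body)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def extract_client_credentials(raw):
    """Return (client_id, client_secret, where_found) for a token request."""
    _, headers, body = parse_http_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth[6:]).decode()
        client_id, _, client_secret = decoded.partition(":")
        # Undo the form-urlencoding applied before base64 (RFC 6749 2.3.1).
        return (unquote_plus(client_id), unquote_plus(client_secret),
                "authorization-header")
    form = parse_qs(body)
    if "client_id" in form:
        return (form["client_id"][0], form.get("client_secret", [None])[0],
                "request-body")
    return None, None, "not-found"


def check_credentials(raw, expected_id, expected_secret):
    """Compare what the client actually sent with the values registered at
    the authorization server; return a list of findings (empty = match)."""
    client_id, client_secret, source = extract_client_credentials(raw)
    findings = []
    if source == "not-found":
        findings.append("no client credentials in request "
                        "(public client, or authentication missing)")
        return findings
    if client_id != expected_id:
        findings.append(f"client_id mismatch ({source}): sent {client_id!r}, "
                        f"registered {expected_id!r}")
    if client_secret != expected_secret:
        findings.append(f"client_secret mismatch ({source}): sent "
                        f"{client_secret!r}, registered {expected_secret!r}")
    return findings


if __name__ == "__main__":
    # The friend's client sends "my-cliend"; the server registered "my-client".
    captured = build_sample_request("my-cliend", "s3cr3t")
    for line in check_credentials(captured, "my-client", "s3cr3t") or ["ok"]:
        print(line)
```

In practice the raw request comes from whatever produced the plain text (the intercepting proxy's log or a decrypted capture); only the parsing and comparison shown here are needed on top of that.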
But maybe you don't have an SSL server of your own to capture the plain text of an SSL
connection? Then another path you might take is to swap the client's SSL
implementation for your own. You don't have to change the client's code or analyze
the client's memory. Building your own version of most operating systems with
your own SSL implementation is not that hard to do. Or maybe you can just
register your SSL implementation to be used by all client code? Or you can
swap out a library?
There are more ways to achieve your goal.
But make sure that you have your friend's permission first. Not everybody will be happy with the fact that you now know their client_id and client_secret.
Have fun!