Network MiTM

Interactions with external APIs can be intercepted and analysed.

  • Useful for identifying communication with low-reputation domains.

  • Useful for identifying unprotected communications.

    • Especially dangerous when the traffic carries authentication, private data or the download of dynamic components.

Black box approach

Observe how the app behaves.

  • We can simply observe, or we can manipulate or filter the traffic.

Packet dumps

Run applications and capture traffic with a packet sniffer.

Non-encrypted APIs can be analyzed with ease.

  • The endpoint IP address may constitute an indicator by itself.

    • For example, communication with flagged domains, or confirmation that a given service is actually invoked.

Tooling: Wireshark, with the androiddump extcap interface to capture from an Android device.

Traffic flows

Run applications with an HTTP/HTTPS proxy configured to intercept all traffic.

Installing a CA certificate on the device lets the proxy generate its own certificates for TLS endpoints, which the device will then accept.

Tooling: an HTTP proxy with active TLS interception capability.

  • A proxy will generate certificates for all hosts accessed.

  • Certificates are signed by a single CA.

  • The CA must be installed on the device.

Trusted certificates

Standard X.509 certificates in PEM format.

  • Preinstalled by the manufacturer.

  • The preinstalled set cannot be changed by users.

  • Users can add custom certificates, but they are frequently ignored by the application.

On Android systems, trusted roots are at /system/etc/security/cacerts.

  • Folder with PEM certificates.

The /system partition is read-only on release devices.

  • In recent versions of Android, the same is also true for the emulator.

  • Alternative: mount a tmpfs at the certificate location, but changes are lost on reboot.
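The tmpfs approach above, as an added shell example (not part of the original notes): it names the proxy CA the way the Android system store expects (old-style OpenSSL subject hash plus ".0") and overlays the read-only directory while preserving the preinstalled roots. It assumes adb and openssl on PATH, a rooted test device or emulator, /data/local/tmp as a writable staging directory, and the SELinux label used for system files; all of these are assumptions, not from the original notes.

```shell
#!/bin/sh
# Added example: install an intercepting proxy's CA into the Android system
# trust store via a tmpfs overlay. The change is lost on reboot (see above).
# Assumptions: adb and openssl on PATH, rooted test device/emulator,
# /data/local/tmp writable, SELinux label u:object_r:system_file:s0.
set -eu

CACERTS=/system/etc/security/cacerts

# Accept the proxy CA in PEM or DER form and emit PEM, as cacerts expects.
to_pem() {
    if openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        cat "$1"
    else
        openssl x509 -inform DER -in "$1"
    fi
}

# Android looks CAs up by the OpenSSL "old" subject hash: <hash>.0
cacert_filename() {
    hash=$(to_pem "$1" | openssl x509 -noout -subject_hash_old)
    printf '%s.0\n' "$hash"
}

install_ca() {
    ca="$1"
    name=$(cacert_filename "$ca")
    to_pem "$ca" > "/tmp/$name"
    adb root >/dev/null
    adb push "/tmp/$name" /data/local/tmp/ >/dev/null
    # Save the preinstalled roots, overlay the directory with a tmpfs,
    # restore the roots, then add the proxy CA with system-file permissions.
    adb shell "mkdir -p /data/local/tmp/cacerts-copy && \
        cp $CACERTS/* /data/local/tmp/cacerts-copy/ && \
        mount -t tmpfs tmpfs $CACERTS && \
        cp /data/local/tmp/cacerts-copy/* $CACERTS/ && \
        mv /data/local/tmp/$name $CACERTS/ && \
        chown root:root $CACERTS/* && chmod 644 $CACERTS/* && \
        chcon u:object_r:system_file:s0 $CACERTS/*"
    # Verify the CA is now visible in the system store.
    adb shell "ls $CACERTS/$name"
}

if [ $# -eq 1 ]; then
    install_ca "$1"
fi
```

Run as `sh install_ca.sh proxy-ca.pem`; after a reboot the overlay is gone and the script has to be run again.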

Limitations

Packet dumps are limited to unprotected text and metadata.

Traffic flow analysis is limited to devices where a CA can be injected.

  • And where the app does not use its own custom CA certificates.

  • And where the app does not use certificate pinning.
