Network MiTM

Interactions with external APIs can be intercepted and analysed.

• Useful to identify communication with domains with low reputations.

• Useful to identify unprotected communications.

  • Especially dangerous if dealing with authentication, private data or the download of dynamic components.

Black box approach

Observe how the app behaves.

• We can simply observe or we can manipulate/ filter traffic.

Packet dumps

Run applications and capture traffic with a packet sniffer.

Non-encrypted APIs can be analyzed with ease.

• The endpoint IP address may constitute an indicator by itself.

  • Communication with flagged domains, and validation that a service is invoked.

Using wireshark (androiddump).

Traffic flows

Run applications with an HTTP/HTTPS proxy configured to intercept all traffic.

The injection of a CA Certificate in the device allows the generation of custom certificates for secure endpoints.

Using an HTTP proxy with Active TLS interception capability.

• A proxy will generate certificates for all hosts accessed.

• Certificates are signed by a single CA.

• CA must be installed in the device.

Using mitmproxy, without CA installed

Trusted certificates

Standard X509 certificates in PEM format.

• Preinstalled by the manufacturer.

• Cannot be changed by users.

• Users can add custom certificates, but they are frequently ignored by the application.

On Android systems, trusted roots are at /system/etc/security/cacerts.

• Folder with PEM certificates.

/system partition is read-only on release devices.

• In recent versions of Android, the same is also true for the emulator.

• Alternative: mount a tmpfs at the certificate location, but changes are lost on reboot.

Using mitmproxy, with CA installed

Limitations

Packet dumps are limited to unprotected text and metadata.

Traffic flow analysis is limited to devices where a CA can be injected.

• And where the APP will not use custom CA Certificates.

• And where the APP will not use Certificate Pinning.