Reverse Engineering Native Apps by Intercepting Network Traffic (opens in new tab)

(nickfishman.com)

188 pointsandrewrice9y ago69 comments

69 comments

Let us also mention the great mitmproxy, an open source equivalent to the Charles proxy: https://github.com/mitmproxy/mitmproxy / https://mitmproxy.org/

bugmenot39y ago

My go-to has always been Fiddler[1] (for windows). I wish it were open-source though.

I'll give mitmproxy a try. Thanks!

[1] http://www.telerik.com/fiddler

_pmf_9y ago

Fiddler is amazing!

illicium9y ago

Another option is Burp Suite (https://portswigger.net/burp/ ) -- ubiquitous in the security world.

shawkinaw9y ago

Wow, this guy has the completely opposite attitude of me. He seems to think it's a bad thing, an attack!, for users to see just what the hell data you're pulling off someone's phone. And, bizarrely, uses an example of an app that essentially stole data from its users.

I should be able to see what data an app is sending, and certificate pinning (and ATS according to another comment) kills that. That's not a good thing.

userbinator9y ago

It's not an uncommon attitude, and it's also one I detest --- many articles about "security" have some authoritarian/paternalistic aspects to them. Then again, encouraging ignorant users is the easiest way to monetise, analyse, and otherwise manipulate them... and if this ignorance is a convenient byproduct of arranging things so "it's for your security" ostensibly, all the better.

The obligatory related link: https://www.gnu.org/philosophy/right-to-read.en.html

matchu9y ago

Certificate pinning does prevent an important class of MitM attacks, though.

I think some applications use certificate pinning when validating a certificate provided by a default certificate authority, but, if you manually install a root certificate onto your device, the app will accept the override. That's one possible middle ground.

kuschku9y ago

Android Nougat disabled that — now it will not accept user-added CAs anymore, anywhere, ever.

dkopi9y ago

While the privacy concerns are more than valid, reverse engineering is common practice in trying to copy your product.

Reverse engineering isn't inherently good or bad, it's just a tool. That tool can be used for both good and bad.

I always recommend certificate pinning in order to prevent MITM attacks. I also recommend it if you're backend API gives out a lot of information about your product's "secret ingredient".

That said - certificate pinning can often be bypassed: http://blog.dewhurstsecurity.com/2015/11/10/mobile-security-...

kuschku9y ago

Reverse Engineering to copy is even considered a legal tool in the EU.

The argument of the European Court of Justice was that car manufacturers also buy cars from competitors, take them apart, and use the gained knowledge on their own products. The same happens in every industry — but in Software Engineering, it should now be forbidden? That's not possible.

If you want to protect yourself from that, publish your secret sauce and patent it.

xuki9y ago

I agree. Cert pinning is fine but there should be an option to disable it (maybe system-wide) for people who want to analyze traffic.

pilif9y ago

disabling system-wide is pretty much impossible. If OSes added such a toggle, people would start using their own SSL stack and overall security would suffer (because people won't be keeping their SSL stacks up to date)

1 more reply

mkagenius9y ago

That would pretty much beat the purpose, the author of the app doesn't anyone to snoop.

2 more replies

__b__9y ago

"I should be able to see what data an app is sending..."

And you can. There are many ways. Something as simple as 2 socat instances and netsed works great as a quick and dirty but very robust solution. See also sslsplit which will generate certificates on the fly.

Anyone who is telling you that you can place complete trust in the use of x509 certificates on the open internet is either naive or dishonest.

I think you have the right attitude.

tokenizerrr9y ago

You should read up on how certificate pinning works. Obviously you can still decompile and recompile the app with different certificates baked in but it's a bit more difficult than what you're implying.

1 more reply

mavhc9y ago

A million times as many people are being spied on without their knowledge than want to check their own data though. Not like these things were invented because of users, they were added to stop MITM by governments etc.

If you don't want to use OSes, devices and software that's designed to protect the average user from being hacked, then pick a system which gives you root.

bruno22239y ago

There is also a way, on rooted Androids, to sniff SSL pinned Apps.

SSL pinned is not an protection for reverse engineering anymore, you may want to add this info on your post.

More info at

https://github.com/ac-pm/SSLUnpinning_Xposed

Drdrdrq9y ago

+1. Thanks for the link, I didn't know bypassing certificate pinning became so easy.

dkopi9y ago

Here's a few other ways as well: http://blog.dewhurstsecurity.com/2015/11/10/mobile-security-...

Mizza9y ago

I had to do this recently and found a great tool for Android for sniffing traffic on the device called Packet Capture. It can even sniff SSL without root permissions by installing a self-signed certificate and running an in-app local VPN proxy. It also had a bunch of other nice features like parsing common protocols, showing the good bits of HTTP, etc. Much nicer than the approach described here (this article is from 2013), although it's certainly only for Android folk.

I don't think it's FOSS, but hopefully a FOSS alternative will come along and use this approach.

TeMPOraL9y ago

I've been using Packet Capture to get some data I wanted out of an app recently and in the process I started generally snooping around. What I saw disgusts me. First, just how much waste there is in communication - so many requests with so much JSON traffic for no real reason (except maybe laziness). Second - just how much various apps report on you. I've seen everything I could possibly imagine the phone could know about me and my operator sent to the various "motherships", sans actually transcribing my contact lists and messages. I'm not even going to ask what they do with this data.

I recommend the experience highly. Just be warned, you may not like what you see.

nitrogen9y ago

Usually it's just usage analytics, but the potential for abuse is great because individual data is still sent.

aggregator-ios9y ago

For those looking for a fully native experience, give https://interceptapp.xyz a try. Currently in alpha. Feedback is welcome and appreciated.

Disclosure: I'm the developer.

spangry9y ago

Nice, I reckon you're targeting the primary 'benefit' sought by MITM'ers. Most of my Android MiTM'ing is because I want to get at the data behind the app. Trying to comprehend some of the crazy, ultra-nested JSON schemas that some app devs use is a PITA.

Just a suggestion: I know you mention it in one of the marketing lines, but it might be worth stating that it's for Mac in the headline (or in the download button). Otherwise people like me, who just breeze past the marketing material to the download link, will waste 6.8MB of your bandwidth (sorry about that...)

ec1096859y ago

This article is from 2013. The ssl vulnerability mentioned is no longer present: https://www.charlesproxy.com/documentation/using-charles/ssl...

isuckatcoding9y ago

What are some other ways to prevent people from discovering your API endpoints?

One terrible idea I just had was creating only one publicly accessible API and then encrypting the actual endpoint in the payload which the server would decrypt and then redirect.

K0nserv9y ago

Don't rely on obscurity and obfuscation. Instead build your API in such a way that handing someone the complete documentation would have no negative impact. Assume the client is always compromised. My $0.02

userbinator9y ago

One terrible idea I just had was creating only one publicly accessible API and then encrypting the actual endpoint in the payload which the server would decrypt and then redirect.

You just reinvented the TLS socket connection.

ju-st9y ago

- encrypt everything using AES and pray that nobody will find the key in the apk - use your own crooked Http implementation that violates the official specs (e.g. missing \r\n's or introducing random whitespace characters...). Simple http parsing tools won't work anymore and the attacker will get grey hairs when he tries to test/use your endpoints

danielrhodes9y ago

Just a heads up that changing the HTTP protocol can break a load balancer. Experienced this one time while using Amazon's ELB: the response had invalid HTTP and the ELB instances would silently lock up and stop responding, eventually draining the pool. Was not fun to debug.

sjtgraham9y ago

Don't use a static key. At least use DHE or ECDH to negotiate the key.

chillydawg9y ago

I wonder how many techies could be silently MITM'd using the Charles root.

benmanns9y ago

I worried about the same thing. Modern versions of Charles use a per-user root CA that is generated in the client.

chillydawg9y ago

Aha, much more sensible.

throwaway2016a9y ago

I can confirm Android detects it and sternly warns you (but allows you to keep doing it if you want).

coin9y ago

Isn't it possible for apps for ignore the OS's proxy settings and make a direct TCP connection? In that case the proxy man-in-the-middle trick won't work.

sjtgraham9y ago

Yes. Socket programming. A number of banking apps in the UK use the connect(2) etc, although I can't say if this is the reason. It's most likely to make it a touch more difficult to reverse than hooking NSURLConnection etc.

pki9y ago

At least on Android you can generate a fake VPN-esque connection locally that passes everything through a proxy, so the proxy isn't exposed to the application

MichaelGG9y ago

Sure but then the verification will fail since you won't be able to sign the handshake with the "pin'd" cert. (Assuming they implement TLS or other crypto in their own code.) If you aren't modifying the execution environment then it's possible for an app to be "safe".

1 more reply

BoringCode9y ago

In that case I would look into ARP poisoning.

dirkdk9y ago

this doesn't work anymore on iOS apps that use ATS. ATS is enabled by default and will be required by Apple by the end of 2016

abalone9y ago

Sounds like Charles can work with ATS, just not pinned certs.[1]

[1] https://www.charlesproxy.com/documentation/faqs/ssl-proxying...

throwaway2016a9y ago

I'm pretty heavy into home automation and I use this technique all the time to learn how to control various walled garden home automation systems. Even worked with my Alarm company's system.

However, if the phone app uses certificate pinning and SSL it doesn't work. (yes, that means my alarm company doesn't use certificate pinning).

qq669y ago

Is there any scenario where snooping on the upstream network connection can give you valuable reverse engineering information? Because of latency/reliability issues, most mobile apps have pretty simple and stateless protocols with the server.

bytesandbots9y ago

On android, this only works when the app is using http urlconnection provided by java. If the app uses apache http stack, the request is not routed through the proxy settings. Such traffic will not showup in charles or the great MITM.

filleokus9y ago

Even on iOS it's possible to bypass certificate pinning by using a jailbroken device and tool. I wouldn't say that's a good meassure against reverse engineering.

msoad9y ago

That's what I call debug mode enabled in production. RESTful JSON APIs are truly in debug mode in production

Grimes239y ago

What would you recommend in place of RESTful JSON API's?

homero9y ago

Seems ignorant not to have a unique Charles certificate

brokenmachine9y ago

Apparently modern Charles versions have a unique CA generated by each client.

blin179y ago

Did someone just post this guys blog from 2013 up?

j / k navigate · click thread line to collapse

69 comments

heinrichf9y ago

Let us also mention the great mitmproxy, an open source equivalent to the Charles proxy: https://github.com/mitmproxy/mitmproxy / https://mitmproxy.org/

bugmenot39y ago

My go-to has always been Fiddler[1] (for windows). I wish it were open-source though.

I'll give mitmproxy a try. Thanks!

[1] http://www.telerik.com/fiddler

_pmf_9y ago

Fiddler is amazing!

illicium9y ago

Another option is Burp Suite (https://portswigger.net/burp/ ) -- ubiquitous in the security world.

shawkinaw9y ago

I should be able to see what data an app is sending, and certificate pinning (and ATS according to another comment) kills that. That's not a good thing.

userbinator9y ago

The obligatory related link: https://www.gnu.org/philosophy/right-to-read.en.html

matchu9y ago

Certificate pinning does prevent an important class of MitM attacks, though.

kuschku9y ago

Android Nougat disabled that — now it will not accept user-added CAs anymore, anywhere, ever.

dkopi9y ago

While the privacy concerns are more than valid, reverse engineering is common practice in trying to copy your product.

Reverse engineering isn't inherently good or bad, it's just a tool. That tool can be used for both good and bad.

I always recommend certificate pinning in order to prevent MITM attacks. I also recommend it if you're backend API gives out a lot of information about your product's "secret ingredient".

That said - certificate pinning can often be bypassed: http://blog.dewhurstsecurity.com/2015/11/10/mobile-security-...

kuschku9y ago

Reverse Engineering to copy is even considered a legal tool in the EU.

If you want to protect yourself from that, publish your secret sauce and patent it.

xuki9y ago

I agree. Cert pinning is fine but there should be an option to disable it (maybe system-wide) for people who want to analyze traffic.

pilif9y ago

1 more reply

mkagenius9y ago

That would pretty much beat the purpose, the author of the app doesn't anyone to snoop.

2 more replies

__b__9y ago

"I should be able to see what data an app is sending..."

Anyone who is telling you that you can place complete trust in the use of x509 certificates on the open internet is either naive or dishonest.

I think you have the right attitude.

tokenizerrr9y ago

1 more reply

mavhc9y ago

If you don't want to use OSes, devices and software that's designed to protect the average user from being hacked, then pick a system which gives you root.

bruno22239y ago

There is also a way, on rooted Androids, to sniff SSL pinned Apps.

SSL pinned is not an protection for reverse engineering anymore, you may want to add this info on your post.

More info at

https://github.com/ac-pm/SSLUnpinning_Xposed

Drdrdrq9y ago

+1. Thanks for the link, I didn't know bypassing certificate pinning became so easy.

dkopi9y ago

Here's a few other ways as well: http://blog.dewhurstsecurity.com/2015/11/10/mobile-security-...

Mizza9y ago

I don't think it's FOSS, but hopefully a FOSS alternative will come along and use this approach.

TeMPOraL9y ago

I recommend the experience highly. Just be warned, you may not like what you see.

nitrogen9y ago

Usually it's just usage analytics, but the potential for abuse is great because individual data is still sent.

aggregator-ios9y ago

For those looking for a fully native experience, give https://interceptapp.xyz a try. Currently in alpha. Feedback is welcome and appreciated.

Disclosure: I'm the developer.

spangry9y ago

ec1096859y ago

This article is from 2013. The ssl vulnerability mentioned is no longer present: https://www.charlesproxy.com/documentation/using-charles/ssl...

isuckatcoding9y ago

What are some other ways to prevent people from discovering your API endpoints?

One terrible idea I just had was creating only one publicly accessible API and then encrypting the actual endpoint in the payload which the server would decrypt and then redirect.

K0nserv9y ago

userbinator9y ago

One terrible idea I just had was creating only one publicly accessible API and then encrypting the actual endpoint in the payload which the server would decrypt and then redirect.

You just reinvented the TLS socket connection.

ju-st9y ago

danielrhodes9y ago

sjtgraham9y ago

Don't use a static key. At least use DHE or ECDH to negotiate the key.

chillydawg9y ago

I wonder how many techies could be silently MITM'd using the Charles root.

benmanns9y ago

I worried about the same thing. Modern versions of Charles use a per-user root CA that is generated in the client.

chillydawg9y ago

Aha, much more sensible.

throwaway2016a9y ago

I can confirm Android detects it and sternly warns you (but allows you to keep doing it if you want).

coin9y ago

Isn't it possible for apps for ignore the OS's proxy settings and make a direct TCP connection? In that case the proxy man-in-the-middle trick won't work.

sjtgraham9y ago

pki9y ago

At least on Android you can generate a fake VPN-esque connection locally that passes everything through a proxy, so the proxy isn't exposed to the application

MichaelGG9y ago

1 more reply

BoringCode9y ago

In that case I would look into ARP poisoning.

dirkdk9y ago

this doesn't work anymore on iOS apps that use ATS. ATS is enabled by default and will be required by Apple by the end of 2016

abalone9y ago

Sounds like Charles can work with ATS, just not pinned certs.[1]

[1] https://www.charlesproxy.com/documentation/faqs/ssl-proxying...

throwaway2016a9y ago

I'm pretty heavy into home automation and I use this technique all the time to learn how to control various walled garden home automation systems. Even worked with my Alarm company's system.

However, if the phone app uses certificate pinning and SSL it doesn't work. (yes, that means my alarm company doesn't use certificate pinning).

qq669y ago

bytesandbots9y ago

filleokus9y ago

Even on iOS it's possible to bypass certificate pinning by using a jailbroken device and tool. I wouldn't say that's a good meassure against reverse engineering.

msoad9y ago

That's what I call debug mode enabled in production. RESTful JSON APIs are truly in debug mode in production

Grimes239y ago

What would you recommend in place of RESTful JSON API's?

homero9y ago

Seems ignorant not to have a unique Charles certificate

brokenmachine9y ago

Apparently modern Charles versions have a unique CA generated by each client.

blin179y ago

Did someone just post this guys blog from 2013 up?

j / k navigate · click thread line to collapse