
Assuming the Reddit app does not use certificate pinning, you can use your computer to provide internet to your phone and then use an app like Charles Proxy to inspect requests being made from an app. Pretty easy to reverse engineer the API.

If the app does use certificate pinning, then you can use an Android phone and a modified app that removes the logic that enforces certificate pinning. This is more involved but also not impossible.




You can do this without this library. On iOS you could install an app like Charles Proxy, and install their cert to intercept traffic. Or you could proxy all traffic through your computer. Most apps do use certificate pinning today, but many still don't. I recently used this technique to reverse engineer a video streaming app.

This works as long as the app does not enforce certificate pinning. But if it does, there's no way to override it and inspect what's actually going on, as I can on my desktop.

Note that while certificate pinning does make reverse-engineering harder, it's also a legitimate security feature; without it, anyone who controlled a CA (including most major governments) would be able to forge a certificate and use it to spy on users.

Certificate pinning is a hurdle to reverse engineering, but a surmountable one, at least on Android. Since the app is running on a phone where you may potentially have root, you can pick it apart with a debugger and see the traffic before it leaves the phone. This is technically challenging, but it is something that people do sometimes.


Just be ready for mitm proxying on some mobile apps to be a bust if they use certificate pinning. I’m not aware of anything that can get you past that besides patching the app itself.

That is why these systems generate their own certificate that you add to your phone, so you still can see the traffic.

For MITMProxy you can visit http://mimt.it when the setup is running.

A bit more difficult with “pinned-certificate” where you have to:

1) Decompile the app (easy if you search for the online APK-download and APK-decompile tools)

2) Move the certificate out of the APK and use it for the traffic between MITMProxy/Charles and the server

3) Replace the certificate in the APK with one generated for MITMProxy/Charles, or just delete it if that works for the app (most likely not)

4) Re-compile the APK and install on your device

5) Run MITMProxy/Charles as before, just with some parameters to load the “pinned-certificate”

(There are also a lot of guides for this. Maybe not for pinned-certificate.)


Charles works by sitting between a server and a phone. It decrypts traffic from the server, displays this to the user to 'inspect', and then re-encrypts the traffic to be sent to the phone.

It re-encrypts the traffic using its own SSL certificate (technically a CA, but no need to get bogged down in details).

In many modern apps, code has been added such that an app will only accept traffic which has been encrypted by the original server certificate (i.e. the Uber iOS app will only accept traffic which has been encrypted by a certificate from www.uber.com). When Charles attempts to sit between this traffic, the app will not allow network connections, and thus no traffic can be inspected by Charles.

This procedure of an app only permitting traffic encrypted by a predefined certificate is known as "certificate pinning" or "pinning" for short. It is becoming more and more common for native apps.


Would this let me see the full path of an https request that an app is making? I've got a testing need for that, and am currently hampered because our secops team won't let us enable a feature flag to disable cert pinning so that Charles proxy will work.

Would this be a viable alternative because it runs on the actual phone itself?


Won't an app worth its salt use certificate pinning to prevent this mitm? In other words - can I use Charles to sniff FB or WhatsApp traffic? I do not use both services, but am interested in analyzing their traffic.

I’ve reverse engineered ssl encrypted iPhone app traffic before using Charles proxy and a self-generated ssl cert to decrypt the requests. From there, you can see which endpoints are receiving what data in plain English.

I’ve only done this for apps not using certificate pinning. It gets more complicated from there.


Certificate pinning is relatively easy to disable on jailbroken iOS devices and rooted Android phones. I'm not highly technical and I did it myself to sniff Snapchat traffic 2 years ago. Any half competent security researcher should be able to do this trivially.

Check out CharlesProxy in the iOS App Store. You can intercept and inspect the SSL traffic without needing another device or external service.

Using certificate pinning would make using mitmproxy impossible. It would require someone to decompile the app and attempt to remove the pinning.

Looks like the android app at least does certificate pinning https://github.com/zimmra/frida-rootbypass-and-sslunpinning-...

> I reverse-engineered using mitmproxy. It was quite easy as the app does not use cert-pinning at all.

If the app used cert-pinning you'd probably do the RE work on android, where you can more easily install a modified APK with cert pinning disabled.


Most apps now use certificate pinning, i.e. they have the root certificate included in the app and signed as part of the app, so that method won't work.

On Android it's much easier to intercept and modify the behavior of apps and tell the system to disregard signatures and things of the sort.


No. Install Charles Proxy (iOS app) and see what you can get out of the MITM proxy it ships with. Many apps don’t ship with pinning.

Is this your work? I'm wondering, if the app did use cert pinning, how would you mitm it on your own device?

No, this won't bypass certificate pinning; to do that you need to tamper with the app or hook runtime calls using something like Xposed. There are modules [0] [1] that do this; support depends on the version of Android you're using.

[0] https://github.com/ac-pm/SSLUnpinning_Xposed

[1] https://github.com/Fuzion24/JustTrustMe


Android apps could also do certificate pinning with the same effect though? In this case there isn't any difference between Android and iOS in functionality.