
Hello everyone, and thank you for being here, so to speak. My name is Andy, and it's a great honor to be speaking at BSides this year. I would like to thank the organizers for their amazing work, and I hope everyone is staying safe and sound during these hard times we are facing now. A little bit about myself: my name is Andy Anastasi, and I am a Threat Labs engineer at Encode. As we like to say at Encode, we like to pen test all things, but what I especially love is web and iOS penetration testing. The things I'm about to present today are of course not solely my work; we have a great team at Encode, and the colleagues that worked with me on this are Manos and Alex.

So what I'm about to present today is, as we said, a tale from our crypt. We are about to present something similar to what we saw, so it's not the same application, but we have mimicked the behavior in a demo iOS application. We have changed a lot of things, of course, for confidentiality reasons, but the meaning of the story and the process we are about to follow is the same and should work if you face something similar.

So you start on a mobile application penetration test. You have set up your device, you have configured your proxy settings, you have trusted the certificates, and now you're ready to see the traffic in your proxy. Sometimes you're lucky. This is something that might seem scary or funny to you, but it's something that we have actually seen in the past during one of our projects. This is not the case here, however; otherwise this would be a short presentation. Sometimes you're simply okay: you see what you expect to see and you move on with the testing. And sometimes maybe it's not your day. So when you see this, you get scared, and the questions start, starting with the what: what are these parameters we saw? Fortunately we have friends that assist us. We'll be showing how you can see what the application is doing and how you can interfere with it by using the Hopper disassembler and Frida. Of course you can use any other disassembler you like, but I prefer this one, and this is how the example is going to go from now on.

So, time for a short demo. We have our device ready, and we just need to install the application and fire it up. Once we start the application, we normally see the traffic that's generated by the app. In this case we see that the first request is this interesting string, and after logging in and clicking on one order, we see the traffic that we saw earlier. This is quite interesting, since it appears that we cannot modify a request without getting an error in return in the body: signature. So, starting the questions: the what. What are these parameters? Here we have a session, a signature, an encrypted id and a datetime. Most of the time parameters might be self-explanatory, other times not, but from here we can understand that the session is of course the session id; the signature is what appears to be missing from us, and without it we cannot send a valid request; the encrypted id must be the order id in encrypted form; and the datetime is just the timestamp of when the request was generated.

Now, in order to find what the signature is, we're going to use Hopper. So we start up Hopper, and of course we're going to load the binary of the application into it. This is the part which is the most time-consuming; this is where most of the effort focuses, in order to find exactly where to look. So let's start by finding what the signature is, and we see here an interesting function named generate_signature. What this does is it takes two parameters as input and generates a SHA-256 hash, and our parameter indeed does look like a SHA-256 hash. But of what exactly? Unfortunately, using Hopper it might not be that easy to identify what exactly this is, so we will use Frida in order to identify exactly the input of this function. We can use frida-trace by giving it the application name, and then with -i we instruct it to find any function that contains the generate_signature string. I want to see if Frida finds the function, and indeed it does, and as we see, when we click on an order the function is called. So we want to see exactly what goes in before it gets hashed, so we can actually edit the handler file, and since we want to see the input parameters, we will try and log the first parameter entered into the function. Using this, we will log args[1] by converting it to an ObjC object and then into a string. If I use frida-trace again and click on an order, we will see that this is what actually goes into the function before it is turned into a hash.

And these parameters might look familiar. If you go to the latest request, you see that this here is our session, this value here is the encrypted id, this value here, as you guessed, is the datetime, and then we can see that we have another interesting value here. If we look for it, you see that we have seen this value before, and it's the value that is returned after the login, named salt. So now we have an idea of what this is: the hash is the concatenated value of the session, the encrypted id, the datetime plus the salt. And we need to verify it. We can simply copy this, hash it with SHA-256, and this will generate a SHA-256 hash, and guess what, it's the same.

So we now know what the signature is, but we are still missing another piece of the puzzle: the encrypted id. So to find the encrypted id value, we'll use Hopper again and see if we can find another function, and we can see here that a function called encrypt order id is used. So again, in the same way, we try and find out what exactly this function does. As you can see here, this is Swift RSA, so it's pretty safe to assume that it does encrypt the string, and if you remember, previously we did have something here that looks pretty much like a public key. So let's try to find encrypt id again; we can use Frida, and this time we will look for another function, encrypt order, and let's see if this triggers. Of course, it's time to click on an order. This function is called again. We want to see exactly the input of this function in order to better identify what it does and how it works, so we can edit this file, and if we look at the function in Hopper we'll see that it takes three arguments, so we will log the second and the third one. Let's go back, let's click on order five: we see that we have an integer here and the public key. If we click on order three, you can see that there is a three, and the public key is the same. So it's pretty safe to assume that this function takes as an input the order id and encrypts it with this public key, which was provided by the server, so the server must have the private key in order to decrypt this.

So, back to the presentation. After the demo, we now know the what: we know that the signature parameter is a SHA-256 hash of the session, the encrypted id, the time and the salt value, and the encrypted id is an integer encrypted with the public RSA key. So we continue the questions, and now in order, with the how: how can we recreate these values the way the application does? In order to fully test the back end, we need to create them as well. We can use custom scripts, for example Python or whichever language we like, but the thing is that this might get a little bit tiring: we can generate the strings, copy them from the terminal, paste them in Burp, and go like this. It will work, but there are definitely faster ways. Another way: we can use frida-trace, and in a similar way that we traced these values, we can also replace them, since Frida allows us to use JavaScript. So we can easily write some JavaScript code and replace, for example, the integer value of 1 with something else that we prefer. But again, this is not the most time-efficient solution, and we can use some more help. This time we can use the Burp plugin named Python Scripter; you can find the source code in the link below. A short description of what Python Scripter does: it allows us to execute custom Python scripts on HTTP packets, both in requests and responses. So when we send an HTTP request via Burp, this goes into Python Scripter, our script makes any modification in the HTTP packet that we like, and then, after it's done, it can send it to the server. Of course this goes both ways, so we can take an HTTP response from a server, use a Python script in order to modify any value we like, and then this shows up in Burp modified. We will see exactly how Python Scripter will help us in the following demo.

So we first go, of course, to install Python Scripter; you can find it in the Burp App Store, and once installed we will see another tab. The script tab is where our custom Python code will go. A simple way to see how Python Scripter works is to use a simple Python script. This is a bare-minimum Python script, and all it does is take the body of the request and print it. So by sending this request again and going into our extensions and our output, we see that Python Scripter has logged our entire body. Now, of course, what we want to do is a little bit more complex. What we want to do this time is have the session, the encrypted id and the datetime concatenated with the salt, generate a new signature and replace the current one with that new signature. And here's an example script that will do that: once we load the body, we check if the signature string is inside, we check the JSON parameter, we set it to empty, we use the salt, which we will have to get each time we log in, and the message signed would be the session, the encrypted id, the datetime plus the salt. So all we need to do is use the salt that our session has, and we can find this by going, of course, to the login. By pasting this script and sending, we remove the signature, and we see that indeed we have a response back. And to make sure, what we tried before, for example changing one simple value, which returned the signature error, now does indeed come back. So this allows us now to tamper with all the parameters and have a valid signature generated each time.

And now we have to see what we can do with the encrypted id. So the process will again, of course, be similar. We know what we have to encrypt, we know how to encrypt it, we just need to place it in a more readable way here, which can help us in our testing. So in order to encrypt the id, we will use a similar script. What our script will do is actually call an external script, and this is because the Jython in Burp doesn't allow us to call specific functions. Our encrypter script looks like this: since our Jython does not have the crypto library, we'll have to use an external script like this, using the public key, encrypting its first argument and printing that. Our Python script will run this external script from its file path and provide it with the id to encrypt, and then we will get the encrypted id and replace it in the request. We can see if this works by using the script: we already have a blank signature, and we'll try to replace the encrypted id with the actual integer we had, order id 3. So let's try three here, and as you can see we have the order back. If we try five, we'll get order five. So what happens here is, with our script we have a blank signature and an integer here, and what happens is we call, via Python Scripter, an external script, get the encrypted id, replace it here, even though we cannot see it, and then go and generate a new signature for its new encrypted id. And since Burp is doing all the hard work here, we can try one more thing and see if our life will be easier, and use this request instead of five. Why not use sqlmap here and see if it does identify any SQL injection? And as you can see now in the sqlmap result, it indeed found an SQL injection. Of course you can play with other parameters of sqlmap, but since Burp is doing all the hard work, we can easily use other tools and make our life even easier.

So this is the presentation. Thank you so much for your attention and for viewing this. I'm sure that it might have seemed a little bit fast, but thankfully this is a video, so you can probably go back and forth and look at the points you want to revisit. Of course, if you have any questions, please address them and I'll be happy to answer them. Once again, thank you for your time, and everyone take care.
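The signature scheme reversed in the talk, rebuilt as a small signer and verifier in plain Python (an added example, not the talk's own Python Scripter script or its external encrypt script). It assumes the JSON keys session, encryptedId, datetime and signature, the concatenation order session + encrypted id + datetime + salt observed in the demo, and a constructed sample body and salt.

```python
import hashlib
import hmac
import json

# Assumed JSON keys: the talk names the parameters (session, signature,
# encrypted id, datetime) but not the exact keys, so these are placeholders.
SIGNED_FIELDS = ("session", "encryptedId", "datetime")

# Constructed sample request body and salt, not values from the talk.
SAMPLE_SALT = "constructed-salt-returned-at-login"
SAMPLE_BODY = json.dumps({
    "session": "constructed-session-id",
    "encryptedId": "Y29uc3RydWN0ZWQtY2lwaGVydGV4dA==",
    "datetime": "2021-06-01T10:00:00Z",
    "signature": "",
}).encode("utf-8")


def compute_signature(session, encrypted_id, datetime_value, salt):
    """SHA-256 over session + encrypted id + datetime + salt, joined with no
    separator, as observed going into generate_signature. Because there is
    no separator, different field splits of the same string hash equally."""
    message = session + encrypted_id + datetime_value + salt
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


def resign_body(body, salt, **overrides):
    """Apply field overrides (e.g. a new encryptedId) and replace the
    signature with a freshly computed one, which is what the talk's Python
    Scripter script does per request. Bodies without a signature pass through."""
    data = json.loads(body)
    if "signature" not in data:
        return body
    data.update(overrides)
    values = [str(data[field]) for field in SIGNED_FIELDS]
    data["signature"] = compute_signature(*values, salt)
    return json.dumps(data).encode("utf-8")


def verify_body(body, salt):
    """Server-side check: recompute the signature and compare in constant time.
    Any client that holds the salt (it is returned at login) passes this."""
    data = json.loads(body)
    try:
        values = [str(data[field]) for field in SIGNED_FIELDS]
    except KeyError:
        return False
    expected = compute_signature(*values, salt)
    return hmac.compare_digest(expected, str(data.get("signature", "")))
```

Since the salt is handed to the client at login, verify_body cannot tell the real app from a proxy script that re-signs tampered requests, which is why the server must still validate the order id and the rest of the body on its own.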