
Analysis and Modification of Mobile Applications Traffic

Slides from my talk on Nordic Testing Days 2017 conference (http://nordictestingdays.eu/)


Oleg Nikiforov

June 08, 2017

Transcript

  1. Agenda
     1. Features of mobile apps traffic
     2. HTTP response / request structure
     3. Sniffers - what is this thing?
     4. Why do you need sniffers
     5. Why Burp Suite, how it differs from other tools
     6. Practice
     Analysis and Modification of Mobile Applications Traffic @ddr3ams #NTD2017
  2. Features of mobile apps traffic
     - You need special tools to display traffic info
     - Apps send tons of different requests (server, statistics, ads, etc.) - you will have to filter them
     - Payload formats: JSON, XML, HTML, protobuf, gzip
     - Apps send requests in the background
     - WiFi/3G/LTE connection
  3. Sniffers - what is this thing?
     Sniffer - a network traffic analyzer that decodes the packet's raw data and shows it in a readable manner.
     Commonly used sniffers: Fiddler, Charles Proxy, Burp Suite, TcpCatcher, etc.
  4. What for: data monitoring without intervention
     Request validation:
     - URL
     - Headers
     - Parameters (key/value)
     Response validation:
     - Headers
     - Body (format, structure, parameters)
  5. What for: manipulating data
     - Time-out simulation
     - Content change in the request:
       • URL
       • Parameter values
       • Header values
     - Content change in the response:
       • Parameter values
       • Header values
       • Links to media files (photo, audio, video)
  6. Positive scenarios
     • Change user status in runtime: free/paid, approved/not approved:
       {"username": "user", "id": 30085, "status": "new", "premium": "n"}
     • Change item id:
       {"products": [{"title": "Sandwich", "description": "...", "sku": 00004128}]}
     • Loadmore with custom amount of elements:
       ◦ quickly check app under load (load a lot of items);
       ◦ check how end of the list is displayed
  7. Negative scenarios
     • Change parameter values to bypass local validation
     • Raise server errors to check how they are handled in the app:
       ◦ empty required fields;
       ◦ invalid data;
       ◦ invalid authorisation token;
       ◦ redirect to invalid URL
     • Raise errors in the app by changing the server response:
       ◦ empty required parameters in response;
       ◦ invalid values (string instead of int, etc.);
       ◦ invalid response structure
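As an added example (not from the talk), here is a small Python harness that applies the response mutations from slides 6 and 7 to the user JSON shown on slide 6 and records whether a strictly written client-side parser accepts or rejects each result. The `parse_user` function stands in for the app code under test and is an assumption of this example, not Untappd's or Burp Suite's code.

```python
import json
from copy import deepcopy

# Constructed sample: the user object shown on the "Positive scenarios" slide.
SAMPLE = {"username": "user", "id": 30085, "status": "new", "premium": "n"}

def mutate(body: dict, scenario: str, field: str = "id") -> dict:
    """Copy of a JSON response body altered as an intercepting proxy would for one scenario."""
    out = deepcopy(body)
    if scenario == "premium":        # positive: flip paid status at runtime
        out["premium"] = "y"
    elif scenario == "empty":        # negative: empty required parameter
        out[field] = ""
    elif scenario == "wrong_type":   # negative: string instead of int
        out[field] = str(out[field])
    elif scenario == "missing":      # negative: required parameter absent
        out.pop(field, None)
    elif scenario == "structure":    # negative: invalid response structure
        return {"data": [out]}
    else:
        raise ValueError(f"unknown scenario {scenario!r}")
    return out

def parse_user(raw: str) -> dict:
    """Strict app-side parser (assumed): rejects malformed payloads with ValueError instead of crashing later."""
    obj = json.loads(raw)
    if not isinstance(obj, dict):
        raise ValueError("top-level value must be an object")
    uid = obj.get("id")
    if not isinstance(uid, int) or isinstance(uid, bool):
        raise ValueError("id must be an integer")
    if obj.get("premium") not in ("y", "n"):
        raise ValueError("premium must be 'y' or 'n'")
    return {"id": uid, "username": obj.get("username"), "premium": obj["premium"] == "y"}

def run_scenarios(body: dict = SAMPLE) -> dict:
    """Apply every scenario and record whether the strict parser accepted the result."""
    results = {}
    for scenario in ("premium", "empty", "wrong_type", "missing", "structure"):
        raw = json.dumps(mutate(body, scenario))  # text the device would receive
        try:
            parse_user(raw)
            results[scenario] = "accepted"
        except ValueError:
            results[scenario] = "rejected"
    return results

if __name__ == "__main__":
    print(run_scenarios())
```

Every negative scenario should end up "rejected" by a well-behaved client; an exception other than ValueError, or an "accepted" verdict on a broken payload, is the kind of app failure the slides describe.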
  8. Why Burp Suite? Pros and cons:
     + Free
     + Scope
     + Handy UI
     + Multifunctional
     + Cross-platform (Java application)
     + Lots of user extensions
     - Doesn't allow changing connection settings
     - Free version doesn't allow saving/loading a session (though it allows exporting data)
  9. Party time! Untappd - social network for fans of beer:
     - Add your own beer
     - Connect with friends
     - Check in and review
     Why is it useful:
     - Authorisation
     - Tables
     - Images
     - Easy-to-understand API
  10. Benefits of using sniffers
      • Ability to emulate connection time-outs
      • Ability to emulate server errors
      • Ability to manipulate data both in requests and responses
  11. Drawbacks of using sniffers
      • If you turn off the sniffer while your device is connected through the proxy, all requests will fail
      • Request-response operation takes more time
      • You need to be twice as attentive not to cause app failures ;)
  12. Short guide how to connect your device
      iOS:
      - WiFi: Settings > Network > HTTP PROXY: Manual, Server (your IP) + Port
      - Mobile: custom mobileconfig file (https://iphone.flexserve.net): custom APN name + Server and Port
      Android:
      - WiFi:
        - Settings > Modify network > Advanced options > Proxy: Manual, Proxy hostname (your IP) + Proxy port
        - ProxyDroid
      - Mobile: Settings > Cellular Networks > Access Point Names > edit access point and set Proxy and Port
  13. What I didn't tell you about
      - How to set up Burp Suite and install its certificate
      - How to bypass defence against MiTM