
Unlocking the Apps

Tim Perry

May 31, 2026

Transcript

  2. What are we interested in?
     1. Where does the app's data come from?
     2. Where is your data going?

  3. HTTP requests
     Method (verb)
     URL (address): http://shop.example.com/books/list?sort=price&lang=en
       (scheme, host, path, query string)
     Headers (metadata)
     Body (actual content)

  4. HTTP responses
     Status code (overall status, e.g. 200 or 404)
     Headers (metadata)
     Body (actual content)

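
The two slides above list the parts of a request and a response; the following parser, an added example that is not from the slides, splits raw HTTP/1.1 messages into exactly those parts, which is what an intercepting proxy sees once TLS has been stripped. The request and response bytes are constructed sample traffic for the slide's shop.example.com URL, not a real capture, and the credential-header list is an assumption about what is worth a second look when exploring traffic for leaks.

```python
# Added example, not from the slides: a minimal parser for raw HTTP/1.1
# messages that splits out the parts slides 3 and 4 name (method, URL with
# scheme/host/path/query, headers, body; status code on the response).
# The two messages below are constructed sample traffic, not a real capture.
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit

RAW_REQUEST = (
    b"GET /books/list?sort=price&lang=en HTTP/1.1\r\n"
    b"Host: shop.example.com\r\n"
    b"User-Agent: ShopApp/3.1 (Android 14)\r\n"
    b"Accept: application/json\r\n"
    b"Authorization: Bearer constructed.example.token\r\n"
    b"\r\n"
)
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 34\r\n"
    b"Set-Cookie: session=abc123; HttpOnly\r\n"
    b"\r\n"
    b'{"books": [{"id": 1, "price": 9}]}'
)


def _split_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Return (start line, lower-cased header dict, body) of one message."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    if "content-length" in headers:
        # Trust the declared length so a following pipelined message is not
        # swallowed into this body. (Chunked encoding is not handled here.)
        body = body[: int(headers["content-length"])]
    return lines[0], headers, body


def parse_request(raw: bytes, tls: bool = False) -> dict:
    """Break a request into the slide's four parts plus the URL components.
    `tls` says whether the proxy received it inside an HTTPS connection,
    which decides the scheme of the rebuilt URL."""
    start_line, headers, body = _split_message(raw)
    method, target, version = start_line.split(" ", 2)
    if target.startswith("/"):  # origin-form target: host lives in the Host header
        url = f"{'https' if tls else 'http'}://{headers.get('host', '')}{target}"
    else:                       # absolute-form, as sent to a plain HTTP proxy
        url = target
    parts = urlsplit(url)
    query = {k: v[0] if len(v) == 1 else v for k, v in parse_qs(parts.query).items()}
    return {"method": method, "version": version, "url": url, "scheme": parts.scheme,
            "host": parts.netloc, "path": parts.path, "query": query,
            "headers": headers, "body": body}


def parse_response(raw: bytes) -> dict:
    """Break a response into status code, reason, headers and body."""
    start_line, headers, body = _split_message(raw)
    fields = start_line.split(" ", 2)
    return {"version": fields[0], "status": int(fields[1]),
            "reason": fields[2] if len(fields) > 2 else "",
            "headers": headers, "body": body}


# Assumed list of headers that usually carry credentials (not from the slides).
CREDENTIAL_HEADERS = ("authorization", "cookie", "x-api-key")


def credential_headers(message: dict) -> list:
    """Headers worth a second look when exploring traffic for leaks."""
    return [h for h in CREDENTIAL_HEADERS if h in message["headers"]]


if __name__ == "__main__":
    req, resp = parse_request(RAW_REQUEST), parse_response(RAW_RESPONSE)
    print(req["method"], req["url"], req["query"], credential_headers(req))
    print(resp["status"], resp["headers"]["content-type"], resp["body"])
```

Run it as-is to see the constructed exchange broken down; feed it the bytes your proxy tool exports to break down real traffic. Header names are lower-cased because HTTP treats them case-insensitively, and the body is cut to Content-Length so that a second pipelined message on the same connection is not mistaken for body.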
  5. TLS
     TLS depends on a system of trust. Trust is powered by 'certificates'.
     If we want to read or modify HTTPS, the client needs to trust our certificates, i.e. the proxy's CA certificate must be in the client's trust store.

  6. Back to apps
     Transferring data (JSON), not content (HTML)
     More predictable & consistent traffic
     More active communication
     More data formats: JSON, XML, Base64, Protobuf
     Harder to set up

  7. Things to watch out for
     Rate limiting (429)
     Cookie/authentication lifespan
     Legality (especially if the data is not publicly accessible)

  8. iOS setup: redirect the data
     Wifi => [Your Wifi] => Configure Proxy => Manual
     Add your computer's IP and proxy port

  9. iOS setup: trust the certificate
     1. Download the certificate to your phone
     2. Settings => General => VPN & Device Management => [Name] => Install
     3. Settings => General => About => Certificate Trust Settings => Enable 'Full Trust'
     httptoolkit.com/docs/guides/ios/

  10. iOS setup: limitations
     Manual setup
     Requires a real phone
     Advanced tricks are very difficult and often require jailbreaking

  11. Android setup: redirect the data
     Device proxy settings: Internet settings => [Your Wifi] => Edit icon => Advanced Options => Proxy: Manual
     Or use a custom VPN app

  12. Android setup: trust the certificate
     1. Manually installed user certificates (trusted by browsers, but ignored by default by apps targeting Android 7 or later)
     2. Automatically installed system certificates, with root
     3. Advanced tricks: Frida or app patches

  13. Android setup: emulator or rooted device?
     Emulators are free & easy, a good starting point
     Some apps will detect emulators and block or behave differently
     No Google Play store = manual app install
     Physical rooted devices are faster & more representative
     Rooted device setup is more complicated (but one-off)

  14. Emulator setup
     1. Install 'Android Studio'
     2. Create an emulator
     3. Use any system image except the 'Google Play' ones, which block root access
     4. Tools like HTTP Toolkit can now automatically do all setup

  15. Rooted device
     Buy a test phone (e.g. Fairphone 5)
     Use 'Magisk' (many guides on YouTube): github.com/topjohnwu/Magisk
     Tools like HTTP Toolkit can now automatically do all setup

  16. What is ADB?
     Android Debug Bridge, installed with Android Studio (in platform-tools)
     Used to remotely control the device/emulator
     Allows other software to set up your device
     You can use it yourself to automate devices, install apps, etc.

  17. Setup recap
     Set up a proxy tool to intercept traffic (HTTP Toolkit or others)
     Set up a device: redirect traffic & trust your certificate
     Open your app
     Explore traffic for leaks
     Explore APIs for scraping

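
The Android half of the recap (the proxy setting from slide 11, the two certificate options from slide 12, and ADB from slide 16) can be driven from the computer rather than tapped through the Wi-Fi settings. The script below is an added example, not from the slides and not HTTP Toolkit's own code: `adb` is the real platform-tools binary and every command is a standard adb or `settings` invocation, while the host, port, device serial, certificate path and subject hash are placeholders you supply.

```python
# Added example (not from the slides, not HTTP Toolkit's code): the Android
# setup over ADB. Functions return argv lists so a plan can be inspected or
# dry-run before anything touches the device.
import subprocess
from typing import List, Optional

ADB = "adb"  # assumed on PATH (Android Studio ships it in platform-tools)


def _base(serial: Optional[str]) -> List[str]:
    # -s picks one device when several (emulator + phone) are attached.
    return [ADB, "-s", serial] if serial else [ADB]


def proxy_commands(host: str, port: int, serial: Optional[str] = None) -> List[List[str]]:
    """Point the device's global HTTP proxy at host:port (slide 11, 'redirect
    the data') and read the setting back so a typo shows up immediately."""
    return [
        _base(serial) + ["shell", "settings", "put", "global", "http_proxy", f"{host}:{port}"],
        _base(serial) + ["shell", "settings", "get", "global", "http_proxy"],
    ]


def clear_proxy_commands(serial: Optional[str] = None) -> List[List[str]]:
    """Undo proxy_commands; ':0' is the conventional 'no proxy' value."""
    return [_base(serial) + ["shell", "settings", "put", "global", "http_proxy", ":0"]]


def user_cert_commands(cert_pem: str, serial: Optional[str] = None) -> List[List[str]]:
    """Slide 12 option 1: copy the proxy CA to the device. It still has to be
    installed by hand (Settings > Security > Encryption & credentials > Install
    a certificate > CA certificate), and apps targeting Android 7+ ignore user
    CAs by default, so expect this to help browsers but not most apps."""
    return [_base(serial) + ["push", cert_pem, "/sdcard/Download/proxy-ca.pem"]]


def system_cert_commands(cert_pem: str, subject_hash: str,
                         serial: Optional[str] = None) -> List[List[str]]:
    """Slide 12 option 2: install the CA as a system certificate. Needs root and
    a writable /system (an emulator started with -writable-system, or an older
    rooted image; Android 10+ generally needs an overlay mount instead).
    System CAs are files named <subject_hash>.0, where the hash comes from
    `openssl x509 -subject_hash_old -noout -in ca.pem`; pass that value in."""
    dest = f"/system/etc/security/cacerts/{subject_hash}.0"
    return [
        _base(serial) + ["root"],
        _base(serial) + ["remount"],
        _base(serial) + ["push", cert_pem, dest],
        _base(serial) + ["shell", "chmod", "644", dest],
    ]


def run(plan: List[List[str]], dry_run: bool = False) -> List[str]:
    """Execute a plan (or, with dry_run, only print it); returns the command lines."""
    lines = []
    for argv in plan:
        line = " ".join(argv)
        lines.append(line)
        print(line)
        if not dry_run:
            subprocess.run(argv, check=True)
    return lines


if __name__ == "__main__":
    # Assumed demo values: emulator-5554 is the first emulator's serial,
    # 10.0.2.2 is the emulator's alias for the host machine, 8000 is the
    # proxy port the proxy tool is assumed to listen on.
    run(proxy_commands("10.0.2.2", 8000, serial="emulator-5554"), dry_run=True)
```

Run with `dry_run=True` first and compare the printed plan against what the proxy tool's own setup does; the read-back in `proxy_commands` is the quick check that the setting actually landed. Remember to `run(clear_proxy_commands())` afterwards, or the device keeps trying to reach a proxy that is no longer there.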
  18. Certificate unpinning
     Not all apps will trust your certificate when they're told to
     Some apps 'pin' the expected certificate
     You'll see certificate errors (failed TLS handshakes) in your proxy tool
     If this happens, you need to change how the app works

  19. App patching
     Mostly Android-only (possible but much harder on iOS)
     Apps are delivered as 'APK' files, or XAPK (just a zip of APKs)
     Manual installation is possible on emulators or real devices
     We can look inside the APK, and we can modify the APK

  20. App patching: apk-mitm
     Takes an APK and automatically modifies it to disable lots of protections & restrictions for you.
     https://github.com/niklashigi/apk-mitm

  21. App patching: JADX
     Download the APK (e.g. from APKMirror.com or APKPure.com)
     Launch JADX, select the APK and wait
     Search the contents for interesting text and follow ids & references from there
     httptoolkit.com/blog/android-reverse-engineering

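
Before opening an APK in JADX, a first look "inside the APK" (slide 19) with nothing but the standard library already tells you whether the certificate errors from slide 18 are likely to be pinning, and hands you candidate API endpoints to search for. The script below is an added example, not from the slides and not part of JADX or apk-mitm: it lists the zip entries (descending into nested APKs for XAPK bundles), searches every entry for strings that usually mean pinning or a network security config, and pulls out URLs. The marker strings are real okhttp/javax class names and Android config element names; the APK it builds is a constructed stand-in so the script runs offline, and is not a valid Android app.

```python
# Added example (not from the slides, not JADX/apk-mitm code): static triage
# of an APK with the standard library only. Point triage_apk() at a real file;
# build_sample_apk() produces a constructed stand-in for offline runs.
import io
import re
import zipfile
from typing import Dict, Iterator, List, Set, Tuple

# Strings whose presence usually explains certificate errors in the proxy.
# Dex strings are MUTF-8 (same as UTF-8 for ASCII); binary XML string pools
# may be UTF-8 or UTF-16LE, so every marker is searched in both encodings.
PINNING_MARKERS = {
    "okhttp CertificatePinner": "okhttp3/CertificatePinner",
    "custom X509TrustManager": "javax/net/ssl/X509TrustManager",
    "network_security_config": "network_security_config",
    "pin-set": "pin-set",
    "sha256 pin literal": "sha256/",
}

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def _walk(apk_bytes: bytes, prefix: str = "") -> Iterator[Tuple[str, bytes]]:
    """Yield (entry name, content) for every file, descending into nested
    APKs so XAPK / split bundles are covered too ('outer!inner' names)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = prefix + info.filename
            if info.filename.lower().endswith(".apk"):
                yield from _walk(data, name + "!")
            else:
                yield name, data


def list_entries(apk_bytes: bytes) -> List[str]:
    return [name for name, _ in _walk(apk_bytes)]


def scan_for_markers(apk_bytes: bytes) -> Dict[str, List[str]]:
    """Map each marker to the entries that contain it in either encoding."""
    hits: Dict[str, List[str]] = {label: [] for label in PINNING_MARKERS}
    for name, data in _walk(apk_bytes):
        for label, text in PINNING_MARKERS.items():
            if text.encode("utf-8") in data or text.encode("utf-16-le") in data:
                hits[label].append(name)
    return hits


def extract_urls(apk_bytes: bytes) -> Set[str]:
    """Collect http(s) URLs from every entry: candidate API endpoints."""
    urls: Set[str] = set()
    for _, data in _walk(apk_bytes):
        urls.update(m.decode("ascii", "replace") for m in URL_RE.findall(data))
    return urls


def triage_apk(apk_bytes: bytes) -> dict:
    return {"entries": list_entries(apk_bytes),
            "pinning": scan_for_markers(apk_bytes),
            "urls": sorted(extract_urls(apk_bytes))}


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: the usual entry names with just
    enough content to exercise the scanner. Not an installable app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml",  # binary XML keeps strings in UTF-16LE here
                    b"\x03\x00\x08\x00" + "network_security_config".encode("utf-16-le"))
        zf.writestr("classes.dex",
                    b"dex\n035\x00" + b"Lokhttp3/CertificatePinner;\x00"
                    b"sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\x00")
        zf.writestr("res/xml/network_security_config.xml",
                    "domain-config".encode("utf-16-le") + "pin-set".encode("utf-16-le"))
        zf.writestr("assets/config.json",
                    b'{"api": "https://api.shop.example.com/v2/", "debug": false}')
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
    return buf.getvalue()


def wrap_as_xapk(apk_bytes: bytes, inner_name: str = "base.apk") -> bytes:
    """Constructed XAPK-style bundle: a zip containing an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, apk_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    print(json.dumps(triage_apk(data), indent=2))
```

A hit on `okhttp3/CertificatePinner` or a `pin-set` in the network security config is the cue to reach for apk-mitm or a Frida unpinning script rather than to keep fiddling with certificates; the extracted URLs are the strings to search for in JADX to find where requests are built.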
  22. App patching: Frida
     Allows external changes to the app's code while it's running
     Requires a rooted/jailbroken device, or patching the APK (to embed the Frida gadget)
     Lots of scripts available: github.com/httptoolkit/frida-interception-and-unpinning/
     Can enable interception in difficult cases
     Can expose data & internal logic directly