Slide 1

Unlocking the apps

Slide 2

Swipe Left For Identity Theft

Slide 3

[no text on this slide]

Slide 4

Unlocking the apps
Tim Perry - @pimterry

Slide 5

HTTP Toolkit
httptoolkit.com
tim@httptoolkit.com

Slide 6

Alternatives:
- Mitmproxy
- Proxyman
- Fiddler Proxy
- Charles Proxy

Slide 7

Our phones are powerful and deeply personal

Slide 8

What are we interested in?
1. Where does the app's data come from?
2. Where is your data going?

Slide 9

APIs
Application Programming Interface

Slide 10

HTTP

Slide 11

HTTP
Clients and Servers
Requests and Responses

Slide 12

HTTP Requests
- Method (verb)
- URL (address): http://shop.example.com/books/list?sort=price&lang=en (shown on the slide split into its parts: http://, shop.example.com, /books/list, ?sort=price&lang=en)
- Headers (metadata)
- Body (actual content)

Slide 13

Example request

GET https://images.dataharvest.com/2026/my-image
Accept: image/jpeg,image/png
User-Agent: my-app/version-1.2.3

Slide 14

HTTP Responses
- Status code (overall status, e.g. 200 or 404)
- Headers (metadata)
- Body (actual content)

Slide 15

Example response

200 OK
Content-Type: image/jpeg
Content-Length: 100000

[an image body]

Slide 16

HTTP Examples: Request

POST https://example.com/chat/123/send-message
Content-Type: application/json

Slide 17

HTTP Examples: Response

200 OK
Content-Type: application/json
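Slides 12 to 17 describe the shape of an HTTP message (start line, headers, body) and the parts of a URL, which is exactly what an interception proxy shows you per request. The following is an added example, not code from the talk or from HTTP Toolkit: a small parser that takes a raw HTTP/1.1 request or response apart, lower-cases header names (HTTP treats them case-insensitively), honours Content-Length, and decodes the body as JSON when the Content-Type says so. The sample messages are constructed here to match the chat example on the slides; they are not captured traffic, and `build_message` exists only to compute a correct Content-Length for them.

```python
"""Take apart raw HTTP/1.1 messages the way an interception proxy shows them:
start line, headers, body, plus a decoded JSON body when the Content-Type says so."""
from __future__ import annotations

import json
from typing import Any
from urllib.parse import parse_qs, urlsplit


def split_url(url: str) -> dict[str, Any]:
    """Break a URL into the parts named on the 'HTTP Requests' slide."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,          # http / https
        "host": parts.netloc,            # shop.example.com
        "path": parts.path,              # /books/list
        "query": parse_qs(parts.query),  # {'sort': ['price'], 'lang': ['en']}
    }


def parse_http_message(raw: bytes) -> dict[str, Any]:
    """Parse one request or response. Header names are lower-cased because
    HTTP treats them case-insensitively; the body is cut to Content-Length."""
    head, blank, body = raw.partition(b"\r\n\r\n")
    if not blank:
        raise ValueError("incomplete message: headers are not terminated by a blank line")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) < 2:
        raise ValueError(f"malformed start line: {lines[0]!r}")

    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()

    msg: dict[str, Any]
    if start[0].startswith("HTTP/"):           # responses start with the version
        msg = {"kind": "response", "version": start[0], "status": int(start[1]),
               "reason": start[2] if len(start) > 2 else ""}
    else:                                      # requests start with the method
        msg = {"kind": "request", "method": start[0], "target": start[1],
               "version": start[2] if len(start) > 2 else ""}

    if "content-length" in headers:
        declared = int(headers["content-length"])
        if len(body) < declared:
            raise ValueError(f"body truncated: {len(body)} of {declared} bytes")
        body = body[:declared]
    msg["headers"] = headers
    msg["body"] = body

    # Only the media type matters; parameters such as "; charset=utf-8" are ignored.
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type == "application/json" and body:
        msg["json"] = json.loads(body)
    return msg


def build_message(start_line: str, headers: dict[str, str], body: bytes = b"") -> bytes:
    """Assemble a message with a correct Content-Length (used for the samples below)."""
    hdrs = dict(headers)
    if body:
        hdrs["Content-Length"] = str(len(body))
    head = "\r\n".join([start_line, *(f"{k}: {v}" for k, v in hdrs.items())])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


# Constructed samples modelled on the chat example in the slides (not captured traffic).
# The absolute URL in the request line is how a proxy sees the request.
SAMPLE_REQUEST = build_message(
    "POST https://example.com/chat/123/send-message HTTP/1.1",
    {"Content-Type": "application/json", "User-Agent": "my-app/version-1.2.3"},
    b'{"message": "hello there"}',
)
SAMPLE_RESPONSE = build_message(
    "HTTP/1.1 200 OK",
    {"Content-Type": "application/json; charset=utf-8"},
    b'{"id": 456, "status": "sent"}',
)

if __name__ == "__main__":
    print(split_url("http://shop.example.com/books/list?sort=price&lang=en"))
    print(parse_http_message(SAMPLE_REQUEST))
    print(parse_http_message(SAMPLE_RESPONSE))
```

The Content-Length check matters when reading from a real socket: a body shorter than declared means the capture is incomplete, not that the message was small.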

Slide 18

JSON

Slide 19

HTTPS

Slide 20

The internet is other people's computers

Slide 21

HTTPS = HTTP + TLS
HTTP, with encryption

Slide 22

TLS
- TLS depends on a system of trust
- Trust is powered by 'certificates'
- If we want to read or modify HTTPS, the client needs to trust our certificates.

Slide 23

Let's have a go

Slide 24

Back to apps
- Transferring data (JSON), not content (HTML)
- More predictable & consistent traffic
- More active communication
- More data formats: JSON, XML, Base64, Protobuf
- Harder to set up

Slide 25

Let's look at an app

Slide 26

Advertising and data brokers

Slide 27

X-Mode Social

Slide 28

[no text on this slide]

Slide 29

[no text on this slide]

Slide 30

Let's look at some leaks

Slide 31

What about scraping?

Slide 32

Parler

Slide 33

GET https://api.parler.com/v1/post?id=12345

Slide 34

GET https://image-cdn.parler.com/0/0/0003KEo2Td.jpeg
All EXIF data included.
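The slide's point is that the image CDN served user photos with their EXIF metadata intact, and EXIF can carry camera details and GPS coordinates. From the service operator's side, the check is whether uploaded images are stripped before they are served. The following is an added example, not code from the talk: it walks a JPEG's marker segments directly (no imaging library) to report whether an APP1 'Exif' segment is present and to remove it. The sample bytes are constructed here, structurally valid segments rather than a decodable picture, so the functions can be exercised offline.

```python
"""Find and strip EXIF metadata (the APP1 'Exif' segment) in JPEG files by
walking the marker segments directly, with no imaging library required."""
from __future__ import annotations

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
# Markers that carry no length field: TEM, SOI, EOI and the restart markers RST0-RST7.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))
EXIF_HEADER = b"Exif\x00\x00"


def jpeg_segments(data: bytes) -> list[tuple[int, int, int]]:
    """Return (marker, start, end) byte ranges for each segment up to and
    including SOS. Metadata segments always precede the scan data."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments = [(SOI, 0, 2)]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes are permitted
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker, start = data[pos], pos - 1
        pos += 1
        if marker in STANDALONE:
            segments.append((marker, start, pos))
            if marker == EOI:
                break
            continue
        length = int.from_bytes(data[pos:pos + 2], "big")   # includes the 2 length bytes
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        end = pos + length
        segments.append((marker, start, end))
        pos = end
        if marker == SOS:
            break   # entropy-coded scan data follows; stop walking
    return segments


def exif_ranges(data: bytes) -> list[tuple[int, int]]:
    """Byte ranges of APP1 segments whose payload starts with the Exif header.
    (XMP also uses APP1 and IPTC uses APP13; those are left alone here.)"""
    return [(s, e) for m, s, e in jpeg_segments(data)
            if m == APP1 and data[s + 4:s + 4 + len(EXIF_HEADER)] == EXIF_HEADER]


def has_exif(data: bytes) -> bool:
    return bool(exif_ranges(data))


def strip_exif(data: bytes) -> bytes:
    """Return a copy with every Exif segment removed; the image data is untouched."""
    out = bytearray(data)
    for start, end in reversed(exif_ranges(data)):   # delete from the back so offsets stay valid
        del out[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: structurally valid segments, but not a decodable picture.
# The Exif payload is a minimal big-endian TIFF header followed by an empty IFD.
EXIF_PAYLOAD = EXIF_HEADER + b"MM\x00\x2A\x00\x00\x00\x08" + b"\x00\x00"
SAMPLE_JPEG = (
    b"\xFF\xD8"
    + _segment(0xE0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, EXIF_PAYLOAD)
    + _segment(SOS, b"\x01\x01\x00\x00\x3F\x00")
    + b"\x12\x34\x56"          # stand-in scan data
    + b"\xFF\xD9"
)

if __name__ == "__main__":
    print("exif present:", has_exif(SAMPLE_JPEG))
    cleaned = strip_exif(SAMPLE_JPEG)
    print("exif present after stripping:", has_exif(cleaned),
          "bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

Run `has_exif` over a sample of files as they are actually served (after the CDN, not at upload) to confirm the stripping step is in the right place; the walker only needs the bytes before the first SOS marker, so a range request for the first few kilobytes is enough.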

Slide 35

[no text on this slide]

Slide 36

Let's scrape some data

Slide 37

Things to watch out for
- Rate limiting (429)
- Cookie/authentication lifespan
- Legality (especially if not publicly accessible)

Slide 38

How do you set this up?

Slide 39

Mobile set up
1. Redirect the data
2. Trust interception certificate

Slide 40

iOS setup: Redirect the data
- Wifi => [Your Wifi] => Configure proxy => Manual
- Add your computer's IP and proxy port

Slide 41

iOS setup: Trust the certificate
1. Download the certificate to your phone
2. Settings => General => VPN & Device Management => [Name] => Install
3. Settings => General => About => Certificate Trust => Enable 'Full Trust'

httptoolkit.com/docs/guides/ios/

Slide 42

iOS setup: Limitations
- Manual setup
- Requires a real phone
- Advanced tricks are very difficult and often require jailbreaking

Slide 43

Android setup: Redirect the data
- Device proxy settings: Internet settings => [Your Wifi] => Edit icon => Advanced Options => Proxy: Manual
- Or use a custom VPN app

Slide 44

Android setup: Trust the certificate
1. Manually installed user certificates
2. Automatically installed system certificates, with root
3. Advanced tricks: Frida or app patches

Slide 45

Android setup: Emulator or rooted device?
- Emulators are free & easy, a good starting point
- Some apps will detect emulators and block or behave differently
- No Google Play store = manual app install
- Physical rooted devices are faster & more representative
- Rooted device setup is more complicated (but one-off)

Slide 46

Emulator setup
1. Install 'Android Studio'
2. Create an emulator
3. Use anything but 'Google Play' models to get root access
4. Tools like HTTP Toolkit can now automatically do all setup

Slide 47

Rooted device
- Buy a test phone (e.g. Fairphone 5)
- Use 'Magisk' (many guides on Youtube): github.com/topjohnwu/Magisk
- Tools like HTTP Toolkit can now automatically do all setup

Slide 48

What is ADB?
- Android Debug Bridge
- Installed with Android Studio
- Usable to remotely control the device/emulator
- Allows other software to set up your device
- You can use it yourself to automate devices, install apps, etc.

Slide 49

Setup Recap
- Set up a proxy tool to intercept traffic (HTTP Toolkit or others)
- Set up a device: redirect traffic & trust your certificate
- Open your app
- Explore traffic for leaks
- Explore APIs for scraping

Slide 50

Advanced tricks

Slide 51

Certificate unpinning
- Not all apps will trust your certificate when they're told to
- Some apps 'pin' the expected certificate
- You'll see certificate errors in your proxy tool
- If this happens, you need to change how the app works

Slide 52

App patching
- Mostly Android-only (possible but much harder on iOS)
- Apps are delivered as 'APK' files, or XAPK (just a zip of APKs)
- Manual installation possible on emulators or real devices
- We can look inside the APK
- We can modify the APK

Slide 53

App patching: APK MITM
Takes an APK, automatically modifies it to disable lots of protections & restrictions for you.
https://github.com/niklashigi/apk-mitm

Slide 54

App patching: JADX

Slide 55

App patching: JADX
- Download APK (e.g. from APKMirror.com or APKPure.com)
- Launch JADX
- Select the APK and wait
- Search the contents for interesting text and follow ids & references from there

httptoolkit.com/blog/android-reverse-engineering

Slide 56

App patching: Frida
- Allows external changes to the app's code while it's running
- Requires a rooted/jailbroken device, or patching the APK
- Lots of scripts available: github.com/httptoolkit/frida-interception-and-unpinning/
- Can enable interception in difficult cases
- Can expose data & internal logic directly

Slide 57

Unlocking the apps
Tim Perry - @pimterry
httptoolkit.com