Note: This post provides technical guidance only. Testing described in this post is done at the reader's own risk and should only be conducted on devices and networks that you have permission to test on.

In order to audit the privacy and security practices of the apps we use on a daily basis, we need to be able to inspect the network traffic they are sending. An app asking for permission to your location may only use it to send it to your friends, or it may be tracking your every move. Without knowing exactly what traffic is being sent, you'd never know.

Traditionally, this has been the job of dynamic analysis: running the app and capturing traffic as the user interacts with it. A typical setup might involve a test device where the app runs, connected to a wireless access point running mitmproxy, Burp Suite or something similarly tasked with recording traffic. An additional control laptop might be added to the mix, connected to the test device via USB, to run adb commands on the device or to override Java methods using the dynamic instrumentation toolkit Frida. HTTPS traffic can be intercepted in this way by overriding the app's calls to Java's TrustManager and providing our own, which accepts the proxy certificates that we provide. In combination, this device schema provides a powerful setup to analyze traffic in a stationary, controlled setting.

But what if we don't have the luxury of a testing lab? What if the app behavior changes based on your location, or interaction with the outside world? For instance, if you use an app to rent a car or unlock a door to a shared workplace, the real-time behavior of the app will be different from what you can replicate in a lab. For these kinds of complex interactions, a roaming Machine-in-the-Middle (MitM) schema is needed. In fact, all three components of the previous schema (test device, interceptor, and control device) will need to be consolidated into a single device running the software required for all three. If the app being audited is a form of disciplinary technology – that is, a surveillance app that one person installs on the device of another person – then the auditor will also need to surreptitiously capture traffic being sent by the app, which may pose additional testing complications.

This post will detail the steps involved to configure an Android device to audit the traffic of any app installed on it, requiring no other device to be physically present. The device will have to be rooted in order to install the software required for this setup. All of the software required in this post is free of cost and open-source, not requiring an extra penny of investment above and beyond that of the device itself. The end result will allow the user to open an app in a specialized way that allows the traffic to be logged, without attaching extraneous devices or requiring the device to be connected to any specific network or access point.

- A basic understanding of the Linux command line.
- A basic understanding of IPv4 networking.
- A PC or VM with Linux (we use Debian 11 x86_64 below) for cross-compilation steps during setup.

We breeze through some of the steps below for the sake of brevity, but almost all are well-documented elsewhere. Where there isn't sufficient documentation available, we've gone into further detail and provided screenshots.

In the setup phase, the intention is to allow the user to launch an app in a way that its traffic can be intercepted. The user should not have to issue any commands themselves to do this. We will assume there is a third-party auditor involved in the setup, who we want to be able to remotely access the device and issue commands. This allows the auditor, who has a degree of technical proficiency, to be separate from the user, who may have special access to app functionality (such as logging in with their credentials). The user should only be involved in the process to open and interact with the desired app. In this example, the app id is - substitute this for the app you want to audit.
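The dynamic-analysis passage above explains why the captured traffic matters: only by reading the requests can you tell whether a location permission is used for a feature or for tracking. Whichever interceptor records the session (Burp Suite and mitmproxy can both export captured flows as HAR), the auditor still has to go through the capture. The following is an added example, not code from the original post, that summarizes which hosts an app talked to and flags requests whose query string or JSON body carry location-looking fields. The HAR document it reads is constructed inline for illustration, and the `.invalid` hostnames in it are placeholders rather than real services.

```python
"""Added example (not from the original post): summarize an app's captured
traffic from a HAR export and flag requests that carry location data.
The HAR below is constructed for illustration; hosts are placeholders.
"""
import json
import re
from collections import Counter
from urllib.parse import urlparse, parse_qsl

# Constructed sample capture: one request with coordinates in the query
# string, one with coordinates nested in a JSON body, one with neither.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "GET",
                     "url": "https://api.example-app.invalid/v1/friends?lat=48.8584&lon=2.2945&uid=123",
                     "headers": [{"name": "Host", "value": "api.example-app.invalid"}],
                     "postData": None}},
        {"request": {"method": "POST",
                     "url": "https://telemetry.example-sdk.invalid/collect",
                     "headers": [{"name": "Content-Type", "value": "application/json"}],
                     "postData": {"mimeType": "application/json",
                                  "text": json.dumps({"device": "x",
                                                      "geo": {"latitude": 48.8, "longitude": 2.29}})}}},
        {"request": {"method": "GET",
                     "url": "https://api.example-app.invalid/v1/profile",
                     "headers": [],
                     "postData": None}},
    ]}
})

# Parameter names commonly used for coordinates; matched case-insensitively.
LOCATION_KEY = re.compile(r"^(lat|latitude|lon|lng|long|longitude|geo|gps|location)$", re.I)


def _walk_keys(obj, prefix=""):
    """Yield a dotted key path for every key in a nested JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else k
            yield path
            yield from _walk_keys(v, path)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk_keys(item, prefix)


def location_keys_in_request(entry):
    """Return the query/body keys in one HAR entry that look like location fields."""
    req = entry["request"]
    found = []
    for k, _ in parse_qsl(urlparse(req["url"]).query):
        if LOCATION_KEY.match(k):
            found.append(f"query:{k}")
    post = req.get("postData") or {}
    if "json" in (post.get("mimeType") or "") and post.get("text"):
        try:
            body = json.loads(post["text"])
        except ValueError:
            return found  # malformed body: report only the query hits
        for path in _walk_keys(body):
            if LOCATION_KEY.match(path.rsplit(".", 1)[-1]):
                found.append(f"body:{path}")
    return found


def summarize_hosts(har_text):
    """Count requests per destination host, so unexpected endpoints stand out."""
    har = json.loads(har_text)
    return Counter(urlparse(e["request"]["url"]).hostname for e in har["log"]["entries"])


def find_location_leaks(har_text):
    """Return (method, host, path, keys) for every request carrying location fields."""
    har = json.loads(har_text)
    leaks = []
    for e in har["log"]["entries"]:
        keys = location_keys_in_request(e)
        if keys:
            u = urlparse(e["request"]["url"])
            leaks.append((e["request"]["method"], u.hostname, u.path, keys))
    return leaks


if __name__ == "__main__":
    for host, n in summarize_hosts(SAMPLE_HAR).most_common():
        print(f"{n:3d}  {host}")
    for method, host, path, keys in find_location_leaks(SAMPLE_HAR):
        print(f"location data: {method} {host}{path} -> {', '.join(keys)}")
```

Run it against a real export by replacing `SAMPLE_HAR` with the contents of the HAR file. The host summary is often the more revealing half: a telemetry or advertising SDK host that the app never mentions is exactly the kind of destination the lab setup and the roaming setup exist to surface.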