HTTPS in Android: A false sense of security (Man in the Middle)
Intro
If you ever wondered what API is that shiny new app is using under the hood or wanted to understand how a certain flow in an app works; maybe to bypass/break it 😉, then stick around to find out.
When building Android apps one would generally think that our API transactions are contained only to our app and cannot be seen/modified by other apps given Android’s sandbox mechanism.
I’ll try to demonstrate how pretty much any app’s HTTP/HTTPS traffic can be intercepted/modified on the go and what Android does to counter this.
Note: this will only work on rooted devices or emulators.
Background
As the title says, Man-in-the-Middle, our middle entity would be a Proxy Server which will eavesdrop on the API requests made by the app.
The Proxy Server would relay the traffic coming from the app to the legit server along with any modifications you need to the request or response.
However, some apps are smart enough to know that they are talking to a Proxy Server and will reject the connection immediately using Certificate Pinning.
Certificate Pinning is one of the counters to MITM but can be easily by-passed on Android.
Setup
There are many Proxy Servers to choose from for Android, the most easy to use I would say from the lot is HTTP Toolkit. The setup is a breeze, if you are coming from Charles Proxy or Proxyman etc, you will definitely love the simplicity.
Depending on your OS follow the installation steps for the above.
For the demos our objectives would be to
- intercept requests
- modify requests
We’ll intercept an app which implements Certificate Pinning along with one which does not.
I’ll be running the apps on a Pixel 6 Pro, API 33 emulator (make sure you are running without Play Store module), if you have a rooted device then I’d suggest to use that.
Demo #1, Flipkart
Flipkart does not implement Certificate Pinning making interception of
API traffic very straight forward. (Flipkart APK Download)
Demo #2, Twitter
Twitter takes it a step further and implements Certificate Pinning to make interception difficult. However, as I mentioned earlier it is very easy to by-pass this counter mechanism. (Twitter APK Download)
APK Lab is an awesome tool to reverse engineer Android apps and removing Certificate Pinning is one of its many features.
Conclusion
Given the above, critical business use-cases should have server-side validations to whatever the client sends and vice-versa.
Also, this opens up multiple attack vectors for malicious actors to exploit.
Questions/Suggestions/Improvements are welcome 😄 .
I’m available on Twitter for further queries.
