I installed mitmproxy on centos7 to capture a network packet of an APP in Android7.0, and the result met my expectations.
But I want to install mitmproxy directly on Android7.0. In theory, I can directly capture data packets on the mobile side, and then send the data to the remote database through python.
In this way, I can save a centos device. In addition, my mitm proxy must support TLS 1.3, I tried many methods and tools, but none of them worked.
I want to know if there are suitable technical solutions. Thank you in advance.
Related
I used Charles Proxy before, which can modify the data received by a browser, so it is really convenient that we can test our bug fixes without modifying the production server, either for the webpage content or for the AJAX data.
Is it possible to do something similar for a mobile phone app, either for iPhone and Android phones? I can let the Mac (or probably a PC too) act as a Wifi station (access point) and let the mobile phone connect to it, and is there an app that can act like Charles Proxy (perhaps Fiddler?) that can examine and modify data?
#nopole If you are using Charles, I suppose you can use Breakpoint feature to intercept and edit HTTP requests/responses coming from/to your mobile devices. It works for both browsers and mobile devices. Or else you can try using Proxyman. It's a native macOS app and quite similar to Charles/ Fiddler. You can read an example of how to use the Breakpoint to manipulate data here. Hope it helps! :)
I can intercept packets on a device with root with tcpdump and netcat, but I encounter problems with decrypting TLS packets with wireshark.
Is there a way in my android device to share decryption keys when an https connection is established? Do you know any apps?
Is there anything that allows me to create SSLKEYLOGFILE in android like in windows? Or something that allows me to decrypt the app data of my device. I've already tried frida and proxy for SSL pinning but it doesn't work on some apps.
Thank you so much for the help and I'm sorry for my English
I am looking for an existing library to establish a connection between any smartphone(android/ios/win phone) and a web page.
Sort of what whatsapp is using (https://web.whatsapp.com/), with authentication.
Once the connection is established, i will have to send real time data ( audio and text) from the phone to the pc.
I suppose that whatsApp use a server to relay the data. i dont mind doing the authentication with the help of a server but once the connection is ok,I prefer to do all the communication on wifi instead of sending data from the phone to a server and sending it back to the web page on the pc.
Thanks!
When you want to solve a particular problem which is already solved, You don't want to reinvent the wheel(especially in web) but use the existing solution.
What you are looking for is WebRTC. Fits exactly for your use case. But i am not sure about the development efforts required for this.
There are Client libraries in almost all languages. A quick search gave this for Android
And i am not sure about the device support you are expecting, check Caniuse?
Also have a look at WiFi-p2p for android.
UPDATE:
check this webrtc website for cross platform development support and examples.
There is no real "best" way of doing this, but you have to have a server of some type running on your computer. From there you can use normal network requests from Android to communicate with your computer as long as they are on the same network (WiFi). https://developer.android.com/training/basics/network-ops/connecting.html
I have an application on an Android phone(emulator) which sends a https request. How I can see that request?
That is easily possible with a software such as Fiddler or Charles. They have an inbuild SSL server that will position itself in between the app and the server. It is kind of a "Man-in-the-Middle" attack, just that you are only attacking yourself.
After installing the software on your PC you will have to set the IP adress of this PC as proxy server in Android. And secondly you will have to install the Root Certificate that the software is using on your Android device.
As you are not braking any encryption and not reverse engineering any application here, I don't think this will classify as illegal. And as you need to have physical access to the device, you also cannot spy on anyone else than yourself.
If you are communicating with your own server, and you have access to its private key, you can use Wireshark to capture packets and have it decrypt the HTTPS traffic. If you are trying to reverse engineer someone else's app, this may or may not be legal and generally cannot be done.
I'm writing an Android app that communicates via HTTPS with a server application. On the server side, I have to be absolutely sure about the Android app's integrity. This means that the server app needs to be sure that it's communicating with the Android app that I developed and not with a re-written one (e.g. after decompiling the original app or after having rooted the device).
Is there a possibility to ensure that? Maybe there is a possibility with the signature of the apk file?
Any hint is appreciated.
Regards,
Peter
You are trying to address a known problem:
You can never trust an application on an open device (mobile phone, desktop computer). In order to trust it, it should be tamper proof. An example of such device is a SmartCard. Mobile devices are certainly not it.
You should never send data to device that user is not supposed to see. The implication of this is that all business logic must be done on the server.
All requests to the server should be authenticated with user's credentials (username/password) and made via a secure protocol (HTTPS/SSL).
No way. Whatever is in user's hands, is not yours anymore. Even if you somehow manage to transfer the APK to the server for validation, nothing prevents the hacked program send an original copy to the server.
In order to validate that your software is running, the client devices need to be able to provide remote attestation services, which is one of many piles of acronyms in the TPM world. I found that someone has been working on providing TPM services, including IBM's IMA, which is almost good enough for what you want.
Details here: http://www.vogue-project.de/cms/upload/vogueSoftware/Manual.pdf (Google Quickview).
Of course, this is emulating the TPM, and requires patching the Android kernel. But perhaps one of the various manufacturers would be willing to build a model with the TPM hardware included for you?