Recently, I was trying to test and intercept traffic from an app developed on Rhomobile, I setup a proxy with burp, and of course I have installed burp certificate on my device hence I can intercept other apps on my device but I am unable to see the traffic of the app in question on burp suite instead the app works fine and connects to the remote server without even appearing an error alert of the burp suite. in reversing the app I concluded that it is using https protocol to connect to the server. even typically apps targeting android api level 24 and above, a network_security_config.xml should be specified and in my reversing I created that file and set it its location on manifest file but nothing avail. As other researchers would recommend, tried to sniff network traffic of the app with wireshark by creating windows hotspot and connnecting my device to the hotspot, and activated the capture traffic of the wireshark, I was expecting to sniff or even decide whether app is using other protocols, but did not appear any traffic from the app!.
then these questions pop into my mind I would be very pleased if you can clear it.
1. in general, what am I missing? or where else should I look at?
2. specifically Is an app developed on rhomobile is proxy unaware app?
3. if the issue is associated with certificate pinning, typically the alert tab of the burp suite would have shown it, why the app is working fine and connecting to the server while other apps leave an error in the alert tab of burp suite? if I conclude that it is a proxy unaware app, how can I finally intercept its traffic?
any help would be appreciated.
Thanks,
Related
Here is the deal... I have created a web service (asmx) which is running a long time consuming procedure in a class and returns the result. The web service is served in my local windows 10 IIS connected to the router with port forwarding. The android device connected to the same router (as the iis) accesses the web service in IIS with the outside IP (my router's IP on the internet - for checking purposes). I noticed that the first device accessing the service is served ok but the second delays big time to be served. Checking the net I found that there is a restriction in serving devices from the same IP. I disconnected one of the devices from the WLAN and everything worked as a charm. Both devices were served in the same time. How can I overcome this problem?
Thanks in advance
Searching the Internet I discovered (there are huge chances that I may be wrong) that this might have to do with the default behavior of DotNet framework which locks the session to the first in first served device:
ASP.NET application to serve multiple requests from a single process
and
Android http connection - multiple devices cannot connect the same server
I suppose that my IIS assumes that the attempt to hit the web service from the second device is another attempt by the same device. I also suppose that it assumes the device to be the same device since it is the same application with the same internal environment hitting the web service and it can't tell that they are two different devices. I tried to reproduce this error and check if I am right by hitting the IP reporting page in IIS from two different tabs of the Mozzila Developer edition browser but it works ok (so I am not sure if it is a session issue). I also found a report that the issue is present only in android devices but it was not clear enough if the server was IIS... The solution mentioned was "incorrect flag on the tcp kernel settings - Reuse connection". Does it tell anything to anyone of you?
If the session lock is indeed the problem is there a solution to make IIS distinguish that there are two devices indeed? Is there a setting in IIS that would change this default behavior of DotNet?
I am sure there is a solution (if indeed the issue is session lock) because I uploaded my code to an on-line server and it works perfect when hitting it from two Android devices. So either it is not a session lock issue or there is a setting that it changes this behavior of DotNet in IIS... Is anyone aware of such a setting?
I can proxy almost every application but there are some that won't even make a connection when either the system proxy is set via Wlan -> Modify network config or using the Global Proxy setting from ProxyDroid.
I guess these applications are somehow monitoring that a proxy is used even with ProxyDriod on a rooted phone. The applications work as normal when the proxy is turned off. When turned on the applications are not making a single request, they just return an error code. The error code is identical as if Wifi and Celluar data is turned off.
Sample of applications affected:
BankId
Handelsbanken Privat
Facebook - does not throw an error but no requests are shown. If functions like search are used an error is thrown
Mobile used for proxying:
Samsung Galaxy Note 4 SM-N910F
Android 6.0.1
Rooted using CF-Auto-Root
Burp is used as a proxy listener and has been set up using these guides and normal HTTPS sites works without a warning.
https://support.portswigger.net/customer/portal/articles/1841101-configuring-an-android-device-to-work-with-burp
https://support.portswigger.net/customer/portal/articles/1841102-Mobile%20Set-up_Android%20Device%20-%20Installing%20CA%20Certificate.html
What is the most probable way that these applications check if a proxy is used? Has anyone else experienced this and managed to bypass proxy evasion from an Android App?
It seems the applications does not check for a proxy but rather they check the certificate using SSL pinning, which is really great except for my purpose.
More about certificate pinning.
Here is what I did to get it working:
Install CWM custom recovery. I used this guide for this:
http://www.droidopinions.com/install-cwm-custom-recovery-galaxy-note-4-models/
I then followed this guide to install the Xposed framework:
https://devs-lab.com/download-install-xposed-for-samsung-devices.html
Then I installed JustTrustMe from Github:
https://github.com/Fuzion24/JustTrustMe
After enabeling the module and restarting the phone I could proxy every application without trouble.
Here is a great guide for proxying Android applications:
https://secvibe.com/android-appsec-27855dca8531#.ta66ox3di
Note:
I also tried installing Cydia Substrate from Android Play Store and then install the apk for Android TrustKiller. However this did not work for me. From Cydia Substrate I got the error
"Something about your device made it impossible for substrate to
perform its internal safety check; can you please contact saurik via
e-mail?"
Also Android TrustKiller has not been updated for three years.
Target:
Sending a file to connected peers. The connected peers should recieve the File without a preinstalled app.
Situation - Question:
I'm writing an app that opens WiFi-direct or a WiFi-Hotspot for other devices. The other devices connect to the device (Main-Device) where the App is installed on. Now the Main-Device should broadcast a file and every device connected to the Main-Device should get a notification, that it could receive a file. But, the other devices should not need an App to receive the file!
Is this possible? Cause all I found till now describes how you can send something from one to an other device if both installed the same app. Using sockets and one device becomes server and the other client.
Reason:
I try to create a game, which just is installed on a Main-Device. Other devices can join the game by connecting over WiFi, then they'll receive a HTML5-file from the Main-Device which they can open in their browser. As soon as they have the HTML5-file they'll be able to interact with the game on the Main-Device.
But I don't want to force everybody who likes to join the game to download the app. Another Point is, if this is possible, I don't need to rewrite the app for other systems. Cause every Smartphone/Tablet has a Browser.
But, the other devices should not need an App to receive the file! Is this possible?
No, it isn't.
I try to create a game, which just is installed on a Main-Device. Other devices can join the game by connecting over WiFi
That, is possible. What you need to do is build a captive portal.
Basically, all DNS names resolve to your server's IP address, and all traffic that would be routed elsewhere is not routed to the internet. How you do this depends on your network setup. There is a lot of software available. I've used Untangle before with decent results: https://www.untangle.com/store/captive-portal.html
I'm trying to record browser activities of my Android mobile in Jmeter as explained here. I'm done with all the above settings, but Jmeter is unable to record the traffic.
Is it like, mobile and laptop should be connected to same internet source (wi-fi) or is it like laptop should be made as a hotspot and the we need to connect mobile to the hotspot?
Also, please let me know if anyone has done any other settings than the one mentioned above?
Yes, Mobile device and laptop need to be on the same network in order to have the mobile device use the laptop as an HTTP proxy. You should also turn off cell data (plane mode on an iPhone) to make sure you're not trying to connect via the cell data.
Most of the native android applications fail to connect once the proxy is set , Same goes for few sites as well, The solution is to either manually add API's to the jmetre and test or most probably the connections setting in the application configs needs to be changed in order for jmetre to record the script , This basically seems to be SSL issue and is to secure the apps from accessing data on proxy.For more detail blaze metre documentation shall help
https://guide.blazemeter.com/hc/en-us/articles/360000285357-Recording-Using-Android-Devices-Recording-Using-Android-Devices
We've developed a HTML 5 based solution to replace an old flash based solution for the delivery of video based content. The intention of the upgrade was to escape the grip of flash and allow the service to work on mobile devices.
Everything works great internally and externally on PC's/Mac and iOS. Android however totally fails when connected to the corporate WiFi and we cannot figure out why. The proxy settings are correct and the internet is working.
When trying to view the video and watching with remote debugging the requests just says pending but never actually completes.
Network
The network is totally locked down and there is no direct connection to the internet, all requests go via a http proxy server
Due to this TCP/UDP 5228-5230 is completely blocked so the network indicators are grey however browsing the internet does work.
We have a number of http proxies available (I'm not sure of the software in use) however it doesn't work on any
The proxy rules are pretty relaxed, facebook/youtube/vimeo are all unblocked.
Video's are hosted on Akamai
Video formats available webm and mp4
Failure conditions
Accessing the video directly on Akamai in Chrome on Android. On corporate wifi fail, on 3g/open wifi works
Accessing the video directly on internal IIS 7.5 server in Chrome on Android. On corporate wifi (which still uses the http proxy) works
Accessing the video directly on Akamai in Chrome on Android. On open wifi but with ports 5228-5230 UDP/TCP blocked works
YouTube app in android. On corporate wifi fail, on 3g/open wifi works. This works fine on iOS
Bearing in mind, these services are not blocked in any way by the corporate WiFi, does anyone have any possible ideas as to what would be causing the problem? Any idea's to help debugging the problem?
I have a colleague currently trying shark for android and I'll update the answer if he finds anything useful.
Edit 1
Wireshark of a failed request
Wireshark of a working request
For some reason the SYN ACK is not occurring
Edit 2
We're pretty sure it's this.
https://code.google.com/p/android/issues/detail?id=54132
Cheers
Does your app make use of any the Google Play Services Library. If so that might be the reason.
You mentioned that the network indicators are grey but you can browse the internet. That means that although you have an internet connection, the device is unable to communicate with Google Servers. If your app has to make use of the google play services library, it is most likely contacting google servers to access APIs which may be why your app is failing.
I would have thought though that there would be something in the log cat to indicate a failure accessing the google services. Although I have sometimes seen this happen that although it is unable to connect a timeout response is never returned so it locks so maybe this is what is happing.
If possible it may be worth enabling TCP and UDP port 5228 as this is required to access google servers.
After some research we're pretty sure this is the problem. Hopefully it'll be solved soon.
https://code.google.com/p/android/issues/detail?id=54132