Preparing an Android device for HTTPS analysis

Before we begin, a primer on SSL certificates!

SSL Certificate Basics

Certificates are used when communicating data over HTTPS. When an SSL/TLS connection is initiated, the server sends over its public key (the certificate), which the client can use to encrypt data such that only the server can decrypt it (with its private key). Certificates can be self-signed, or be signed by a certificate authority.

A Certificate Authority (CA) is a sort of register / arbiter that dictates whether a given certificate should be trusted. By trusting a CA, we automatically trust any certificate signed by that CA. This allows new websites on the internet to automagically cater for secure connections.

Network Security Configurations on Android

A Certificate Authority Store is a glorified way of saying a collection of CA certificates on your device. On Android there exist several stores - a system store (officially/globally trusted) and a user store (which we can add our own CA certificates into!).

With the introduction of Android 7, a network security configuration policy was added that applications can configure to change how they interact with these stores - e.g. should the application trust CA certs in the user store?

Additionally, some applications such as Firefox for Android manage their own CA store, and thus disregard the system/user stores. These applications require patching in order to utilise user CA certs. FYI - Firefox Nightly allows you to add your own CA certs.


With each iteration of Android (amongst other pieces of software too), bugs are fixed and more security features are added - however this makes it harder to reverse engineer apps when we want to figure out how they work / what they do over the internet!

HSTS… Certificate Pinning… Network Security Configurations… and with the not-so-recent release of Android 11, a further lockdown on how Android applications interact with the device’s CA store.

Android 11 stunts the ability of debugging and proxy tools to operate, as their CA certificates must now be installed manually - not even the official Android Debug Bridge (ADB) tool can do it, which is a nuisance from a forensics / reverse engineering point of view.

Read more here: Android 11 tightens restrictions on CA certificates

That said, this isn’t much of an issue since we’ll be going way more hands-on than a simple end-user.

HSTS? Certificate Pinning?

HSTS - HTTP Strict Transport Security

A way to tell browsers to “only ever access this site via HTTPS”, so as to prevent HTTP downgrade attacks (where a client is maliciously tricked into making plain HTTP requests, which are easier to sniff).

Certificate Pinning

The association of a site with a specific SSL certificate, such that forged or malicious certificates will not be accepted by the client.


What does this mean for us (a prospective developer wanting to figure out what requests an application is sending to the internet)?

Tools like mitmproxy - an interactive HTTPS proxy and Burp Suite - Application Security Testing Software rely on applications trusting an otherwise untrusted (self-signed) CA certificate in order to analyse HTTPS traffic on the device. With the introduction of network security configurations in Android 7, applications will only trust a CA certificate in the user store if explicitly configured to do so…

There are however, always ways around things!

We also have to jump through some other security hurdles…ish.
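As an added example that is not part of the original post, the following Python script inspects an app's network_security_config.xml (the file that carries the Android 7+ policy described above, normally pulled from a decoded APK) and reports whether the release build trusts the user store, whether debug builds do, and which domains are certificate-pinned. The embedded config is constructed for the example, not taken from any real app.

```python
import xml.etree.ElementTree as ET

# Constructed sample network_security_config.xml (not taken from any real app):
# release builds trust only the system store, debug builds also trust the user
# store, and one API host is certificate-pinned.
SAMPLE_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""


def trust_sources(section):
    """Collect the src values of every <certificates> element under a section."""
    if section is None:
        return set()
    return {c.get("src", "") for c in section.iter("certificates")}


def analyse_config(xml_text):
    """Report which CA stores the base config trusts and which domains carry pins."""
    root = ET.fromstring(xml_text)
    base = trust_sources(root.find("base-config"))
    debug = trust_sources(root.find("debug-overrides"))
    pinned = {}
    for dc in root.iter("domain-config"):  # iter() also walks nested domain-configs
        pins = [p.text.strip() for p in dc.findall("pin-set/pin") if p.text]
        for d in dc.findall("domain"):
            if pins:
                pinned[d.text.strip()] = len(pins)
    return {
        # No <base-config> means the platform default (system store only for apps targeting API 24+).
        "release_trusts_user_store": "user" in base,
        "debug_trusts_user_store": "user" in debug,
        "pinned_domains": pinned,
    }
```

Running it over a config pulled from a decoded APK tells you up front whether a proxy CA in the user store will be honoured and which hosts a pin would block.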


This is where I introduce this project I found a while back whilst researching some stuff for my thesis.

apk-mitm

 GitHub: shroudedcode/apk-mitm

This program automatically patches the APK file of an Android application to make it trust the user CA store (so we can use a proxy), and removes certificate pinning policies (which would otherwise interfere with HTTPS proxy operations).

Compared to the root method of moving the CA certificate into the system store, the apk-mitm program works with unrooted devices like my personal phone, which needs to stay unrooted in order to utilise some secure functionality / play Pokemon Go. Xposed (mod framework) doesn’t always work with every app, so I prefer my phone to be vanilla.

See more: SafetyNet Attestation API | Android Developers


Once a proxy has been set up, whether that be mitmproxy, Burp Suite, Charles, etc., we can change the proxy settings of our network connection on the Android device to point to the proxy - and we should be up and running, receiving requests!

Why aren’t you using a dummy phone / AVD?

Just don’t get hacked™️

If I was doing some security assessment I would, for low risk stuff I’m happy to use my own phone!
