
Intercepting Traffic on the Network Layer

Dynamic analysis with an interception proxy is straightforward if the app uses standard libraries and all communication is done via HTTP. But there are several cases where this does not work:

• If mobile application development platforms like Xamarin are used that ignore the system proxy settings;

• If mobile applications verify if the system proxy is used and refuse to send requests through a proxy;

• If you want to intercept push notifications, like for example GCM/FCM on Android;

• If XMPP or other non-HTTP protocols are used.

In these cases you need to monitor and analyze the network traffic first in order to decide what to do next. Luckily, there are several options for redirecting and intercepting network communication:

• Route the traffic through the host computer. You can set up the host computer as the network gateway, e.g. by using the built-in Internet Sharing facilities of your operating system. You can then use Wireshark to sniff any traffic from the mobile device.

• Sometimes you need to execute a MITM attack to force the mobile device to talk to you. For this scenario you should consider bettercap, or use your own access point to redirect network traffic from the mobile device to your host computer (see below).

• On a rooted device, you can use hooking or code injection to intercept network-related API calls (e.g. HTTP requests) and dump or even manipulate the arguments of these calls. This eliminates the need to inspect the actual network data. We’ll talk in more detail about these techniques in the “Reverse Engineering and Tampering” chapters.

• On macOS, you can create a “Remote Virtual Interface” for sniffing all traffic on an iOS device. We’ll describe this method in the chapter “Basic Security Testing on iOS”.

Simulating a Man-in-the-Middle Attack with bettercap

Network Setup

To get into a man-in-the-middle position, your host computer must be on the same wireless network as the mobile phone and the gateway it communicates with. You then need the IP address of the mobile phone. For a full dynamic analysis of a mobile app, all of its network traffic should be intercepted.

MITM Attack

Start your preferred network analyzer tool first, then start bettercap with the following command, replacing the IP address below (X.X.X.X) with the target you want to execute the MITM attack against. Set the module’s options before switching it on, because arp.spoof reads its parameters when it starts:

$ sudo bettercap -eval "set arp.spoof.targets X.X.X.X; set arp.spoof.internal true; set arp.spoof.fullduplex true; arp.spoof on"

bettercap v2.22 (built for darwin amd64 with go1.12.1) [type 'help' for a list of commands]

[19:21:39] [sys.log] [inf] arp.spoof enabling forwarding

[19:21:39] [sys.log] [inf] arp.spoof arp spoofer started, probing 1 targets.

bettercap will then send spoofed ARP replies to the target and to the (wireless) network gateway, so the target’s traffic flows through your host and you are able to sniff it. Support for full-duplex ARP spoofing (poisoning both the target and the gateway) was added to bettercap at the beginning of 2019.

On the mobile phone, start the browser and navigate to http://example.com; the corresponding packets should show up in Wireshark.

If that is the case, you can now see the complete network traffic sent and received by the mobile phone. This also includes DNS, DHCP and any other form of communication and can therefore be quite “noisy”. You should therefore know how to use display filters in Wireshark or how to filter in tcpdump, in order to focus only on the traffic that is relevant to you.

Man-in-the-middle attacks of this kind work against any device and operating system, as the attack is executed on OSI layer 2 through ARP spoofing. When you are in a MITM position you might not be able to see clear-text data, as the data in transit may be encrypted using TLS, but the capture still gives you valuable information about the hosts involved, the protocols used and the ports the app is communicating with.
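The filtering and endpoint enumeration described in the two paragraphs above, as an added shell example that is not part of the original guide: it captures only the test device’s traffic with the usual LAN chatter removed, and lists the host:port pairs the device opens TCP connections to, which works even when every payload is TLS. The interface name, the device address (10.0.0.23) and the output file name are assumptions.

```shell
# Added example, not part of the original guide. Interface, device address and
# file names are assumptions; the "noise" list (ARP, DNS, DHCP, mDNS, SSDP,
# NetBIOS) is the usual background traffic of a LAN and can be extended.

# BPF capture filter for tcpdump/TShark: one device, background chatter removed
noise_filter() {
  phone=$1
  echo "host $phone and not (arp or udp port 53 or udp port 67 or udp port 68 or udp port 5353 or udp port 1900 or udp port 137 or udp port 138)"
}

# Equivalent Wireshark/TShark display filter for a capture that already exists
# (on Wireshark versions before 3.0 the DHCP dissector is called "bootp")
display_filter() {
  phone=$1
  echo "ip.addr == $phone && !(arp || dns || dhcp || mdns || ssdp || nbns)"
}

# Write a filtered capture to disk; -s0 keeps whole packets, -U flushes per packet
capture() {
  iface=$1; phone=$2; out=${3:-phone.pcap}
  tcpdump -i "$iface" -nn -s0 -U -w "$out" "$(noise_filter "$phone")"
}

# List destination host.port pairs from the TCP SYNs in a capture, most frequent
# first. Only the handshake start is needed, so TLS does not get in the way.
endpoints() {
  tcpdump -nn -r "$1" 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' 2>/dev/null \
    | awk '{print $5}' | sed 's/:$//' | sort | uniq -c | sort -rn
}

# usage (assumed names): capture wlan1 10.0.0.23 phone.pcap ; endpoints phone.pcap
```

The capture filter is applied by the kernel before packets reach the capture file, so it also keeps the pcap small; the display filter is for captures you already have (for example one taken without a filter while the bettercap session was running).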

Simulating a Man-in-the-Middle Attack with an Access Point

Network Setup

A simple way to simulate a man-in-the-middle (MITM) attack is to configure a network where all packets between the devices in scope and the target network go through your host computer. In a mobile penetration test, this can be achieved by using an access point that both the mobile devices and your host computer are connected to. Your host computer then acts as both router and access point.

The following scenarios are possible:

• Use your host computer’s built-in WiFi card as an access point and use your wired connection to connect to the target network.

• Use an external USB WiFi card as an access point and use your host computer’s built-in WiFi

• Use a separate access point and redirect the traffic to your host computer.

The scenario with an external USB WiFi card requires that the card supports access point mode. Additionally, you need to install some tools and/or configure the network to enforce a man-in-the-middle position (see below). You can verify whether your WiFi card has AP capabilities with the iw command on Kali Linux (AP must be listed under “Supported interface modes”):

iw list | grep AP

The scenario with a separate access point requires access to the configuration of the AP, and you should first check whether the AP supports either:

• port forwarding, or

• a SPAN or mirror port.

In both cases the AP needs to be configured to point to your host computer’s IP. Your host computer must be connected to the AP (via wired connection or WiFi) and you need to have connection to the target network (can be the same connection as to the AP). Some additional configuration may be required on your host computer to route traffic to the target network.

If the separate access point belongs to the customer, all changes and configurations should be clarified prior to the engagement and a backup should be created, before making any changes.

Installation

The following procedure sets up a man-in-the-middle position using an access point and an additional network interface:

Create a WiFi network either through a separate access point or through an external USB WiFi card or through the built-in card of your host computer.

On macOS this can be done with the built-in utilities: use Internet Sharing (System Preferences > Sharing) to share the Internet connection of your Mac with other network users.

For all major Linux and Unix operating systems you need tools such as:

• hostapd

• dnsmasq

• iptables

• wpa_supplicant

• airmon-ng

For Kali Linux you can install these tools with apt-get:

apt-get update

apt-get install hostapd dnsmasq aircrack-ng

iptables and wpa_supplicant are installed by default on Kali Linux.

In case of a separate access point, route the traffic to your host computer. In case of an external USB WiFi card or the built-in WiFi card, the traffic is already available on your host computer.

Route the incoming traffic from the WiFi to the additional network interface through which the traffic can reach the target network. The additional network interface can be a wired connection or another WiFi card, depending on your setup.

Configuration

We focus on the configuration files for Kali Linux. The following values need to be defined:

• wlan1 - name of the AP network interface (with AP capabilities),

• wlan0 - name of the target network interface (this can be a wired interface or another WiFi card),

• 10.0.0.0/24 - IP range and mask of the AP network.

The following configuration files need to be changed and adjusted accordingly:

• hostapd.conf

# Name of the WiFi interface we use
interface=wlan1
# Use the nl80211 driver
driver=nl80211
hw_mode=g
channel=6
wmm_enabled=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Name of the AP network
ssid=STM-AP
# Password of the AP network (8-63 characters)
wpa_passphrase=password

• wpa_supplicant.conf

network={

ssid="NAME_OF_THE_TARGET_NETWORK"

psk="PASSWORD_OF_THE_TARGET_NETWORK"

}

• dnsmasq.conf

interface=wlan1
dhcp-range=10.0.0.10,10.0.0.250,12h
# option 3: default gateway handed to clients
dhcp-option=3,10.0.0.1
# option 6: DNS server handed to clients
dhcp-option=6,10.0.0.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1

MITM Attack

To get into a man-in-the-middle position you need to apply the above configuration. This can be done with the following commands on Kali Linux (as root; hostapd and dnsmasq block the terminal unless started in the background, so either use the options shown or separate terminals):

# kill processes (e.g. NetworkManager, wpa_supplicant) that would interfere with the WiFi interfaces

$ airmon-ng check kill

# configure the IP address of the AP network interface (explicit /24 netmask, matching the dnsmasq range)

$ ifconfig wlan1 10.0.0.1 netmask 255.255.255.0 up

# start the access point in the background

$ hostapd -B hostapd.conf

# connect the target network interface

$ wpa_supplicant -B -i wlan0 -c wpa_supplicant.conf

# run the DHCP/DNS server (-d keeps it in the foreground with log output; use a separate terminal or drop -d)

$ dnsmasq -C dnsmasq.conf -d

# enable routing

$ echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables will NAT connections from the AP network interface to the target network interface
# (note that --flush only clears the filter table; clear the nat table too if old rules are present)

$ iptables --flush

$ iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE

$ iptables --append FORWARD --in-interface wlan1 -j ACCEPT

Now you can connect your mobile devices to the access point.
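The bring-up sequence above, wrapped into one script as an added example (not part of the original guide) with a dry-run mode and a teardown. Interface names, subnet and configuration file names are assumptions and match the values used in this section; the rule set is deliberately narrower than the one in the text: only the AP subnet is forwarded and masqueraded, return traffic is allowed by connection state, and anything else that tries to use the host as a router is dropped.

```shell
#!/bin/sh
# Added example, not part of the original guide. DRY_RUN=1 (the default) only
# prints the commands; set DRY_RUN=0 and run as root to execute them.
AP_IF="${AP_IF:-wlan1}"          # interface that runs hostapd
UP_IF="${UP_IF:-wlan0}"          # interface towards the target network
AP_IP="${AP_IP:-10.0.0.1}"
AP_NET="${AP_NET:-10.0.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# The iptables rules, one per line, so they can be reviewed before being applied.
nat_rules() {
  ap_if=$1; up_if=$2; ap_net=$3
  cat <<EOF
iptables -t nat -A POSTROUTING -s $ap_net -o $up_if -j MASQUERADE
iptables -A FORWARD -i $ap_if -o $up_if -s $ap_net -j ACCEPT
iptables -A FORWARD -i $up_if -o $ap_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

up() {
  run airmon-ng check kill
  run ip addr add "$AP_IP/${AP_NET#*/}" dev "$AP_IF"
  run ip link set "$AP_IF" up
  run hostapd -B hostapd.conf                       # -B: daemonize
  run wpa_supplicant -B -i "$UP_IF" -c wpa_supplicant.conf
  run dnsmasq -C dnsmasq.conf                       # daemonizes without -d
  run sysctl -w net.ipv4.ip_forward=1
  nat_rules "$AP_IF" "$UP_IF" "$AP_NET" | while read -r rule; do
    # word splitting of $rule is intended here
    run $rule
  done
}

down() {
  run iptables -t nat -F                            # "iptables --flush" alone leaves the nat table
  run iptables -F FORWARD
  run sysctl -w net.ipv4.ip_forward=0
  run pkill dnsmasq
  run pkill hostapd
  run ip addr flush dev "$AP_IF"
}

case "${1:-}" in
  up)   up ;;
  down) down ;;
  *)    echo "usage: $0 up|down   (DRY_RUN=0 to actually execute)" ;;
esac
```

Run it once with the default DRY_RUN=1 and read the printed commands before running it for real; the teardown matters because a host that keeps forwarding and masquerading after the test is itself a rogue router on the customer’s network.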

Network Analyzer Tool

Install a tool that allows you to monitor and analyze the network traffic that will be redirected to your host computer. The two most common network monitoring (or capturing) tools are:

• Wireshark (command-line counterpart: TShark)

• tcpdump

Wireshark offers a GUI and is more straightforward if you are not used to the command line. If you are looking for a command-line tool you should use either TShark or tcpdump. All of these tools are available for all major Linux and Unix operating systems through their respective package managers.

Setting a Proxy Through Runtime Instrumentation

On a rooted or jailbroken device, you can also use runtime hooking to set a new proxy or redirect network traffic. This can be achieved with hooking tools like Inspeckage or code injection frameworks like Frida and Cycript. You’ll find more information about runtime instrumentation in the “Reverse Engineering and Tampering” chapters of this guide.

Example - Dealing with Xamarin

As an example, we will now redirect all requests from a Xamarin app to an interception proxy.

Xamarin is a mobile application development platform that is capable of producing native Android and iOS apps using Visual Studio and C# as the programming language.

When testing a Xamarin app, setting the system proxy in the Wi-Fi settings will not make any HTTP requests show up in your interception proxy, as apps created with Xamarin do not use the proxy settings of your phone. There are three ways to resolve this:

• 1st way: Add a default proxy to the app by adding the following code (System.Net namespace) to the OnCreate or Main method and rebuild the app:

WebRequest.DefaultWebProxy = new WebProxy("192.168.11.1", 8080);

• 2nd way: Use bettercap to get into a man-in-the-middle position (MITM); see the section above on how to set up a MITM attack. Once you are MITM you only need to redirect port 443 to your interception proxy running on localhost. On macOS this can be done with a pf rdr rule (bettercap already enables IP forwarding; note that pfctl -f - replaces the currently loaded ruleset with the one read from stdin):

$ echo "
rdr pass inet proto tcp from any to any port 443 -> 127.0.0.1 port 8080
" | sudo pfctl -ef -

• On Linux systems you can use iptables:

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8080

Forwarded packets whose destination has been rewritten to 127.0.0.1 are discarded by the Linux kernel unless net.ipv4.conf.all.route_localnet is set to 1, so set that sysctl as well.

• As a last step, enable the option “Support invisible proxy” in the listener settings of Burp Suite.

• 3rd way: Instead of bettercap, you can tweak /etc/hosts on the (rooted or jailbroken) mobile phone. Add an entry for the target domain that points to the IP address of your interception proxy. This creates a similar situation to being MITM with bettercap, and you again need to redirect port 443 to the port used by your interception proxy, as shown above. Additionally, you need to redirect traffic from your interception proxy to the original location and port.

When redirecting traffic you should create narrow rules to the domains and IPs in scope, to minimize noise and out-of-scope traffic.

The interception proxy needs to listen on the port specified in the port forwarding rule above, which is 8080.
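The narrow redirection rules recommended above, as an added shell example that is not part of the original guide: instead of the catch-all “port 443 to 127.0.0.1” rule, it resolves the in-scope host names and emits one rule per target for the test device only, for both Linux (iptables) and macOS (pf). The device address (10.0.0.23), proxy port, scope names and the 192.0.2.x documentation addresses used in the usage comment are assumptions; dig must be installed for the resolution step, and on macOS IP forwarding must be on (bettercap enables it).

```shell
# Added example, not part of the original guide. Device address, proxy port
# and scope are assumptions; adjust them to the engagement.
PHONE_IP="${PHONE_IP:-10.0.0.23}"
PROXY_PORT="${PROXY_PORT:-8080}"
SCOPE="${SCOPE:-api.example.com www.example.com}"   # hypothetical in-scope names

# Resolve the scope to IPv4 addresses (needs dig; re-run if the targets rotate
# between addresses). The /etc/hosts trick from the text is the alternative.
scope_ips() {
  for h in $SCOPE; do dig +short A "$h"; done | grep -E '^[0-9.]+$' | sort -u
}

# Linux: REDIRECT rewrites the destination to the address of the interface the
# packet arrived on, so the proxy must listen there (or on all interfaces).
# DNAT to 127.0.0.1, as in the text, also works, but forwarded packets to
# loopback are only accepted when net.ipv4.conf.all.route_localnet=1 is set.
linux_rules() {
  phone=$1; port=$2; shift 2
  for ip in "$@"; do
    for dport in 80 443; do
      echo "iptables -t nat -A PREROUTING -s $phone -d $ip -p tcp --dport $dport -j REDIRECT --to-ports $port"
    done
  done
}

# macOS: pf rdr rules. Loading them with "pfctl -ef -" replaces the current
# ruleset, so keep any other rules you rely on in the same input.
pf_rules() {
  phone=$1; port=$2; shift 2
  for ip in "$@"; do
    echo "rdr pass inet proto tcp from $phone to $ip port { 80, 443 } -> 127.0.0.1 port $port"
  done
}

# Print the rules for the current platform, or apply them with APPLY=1.
apply_rules() {
  set -- $(scope_ips)
  case "$(uname -s)" in
    Darwin)
      if [ "${APPLY:-0}" = 1 ]; then pf_rules "$PHONE_IP" "$PROXY_PORT" "$@" | sudo pfctl -ef -
      else pf_rules "$PHONE_IP" "$PROXY_PORT" "$@"; fi ;;
    *)
      if [ "${APPLY:-0}" = 1 ]; then linux_rules "$PHONE_IP" "$PROXY_PORT" "$@" | sudo sh
      else linux_rules "$PHONE_IP" "$PROXY_PORT" "$@"; fi ;;
  esac
}

# usage: linux_rules 10.0.0.23 8080 192.0.2.10   or   SCOPE="api.example.com" apply_rules
```

Because the rules match on the device’s source address and the resolved target addresses, DNS, push notifications and every other host on the network keep flowing untouched, which keeps the proxy’s history readable and keeps out-of-scope systems out of the test.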

When a Xamarin app is configured to use a proxy (e.g. via WebRequest.DefaultWebProxy), you need to specify where the traffic should go after it has been redirected to your interception proxy, i.e. send it on to its original destination. The following procedure sets up such a redirection in Burp:

1. Go to the Proxy tab and click on Options.

2. Select and edit your listener from the list of proxy listeners.

3. Go to the Request handling tab and set:

• Redirect to host: the original destination host.

• Redirect to port: the original destination port.

• Enable “Force use of SSL” (when HTTPS is used) and “Support invisible proxy”.

CA Certificates

If not already done, install the CA certificate of your interception proxy on your mobile device, which allows you to intercept HTTPS requests:

• Install the CA certificate of your interception proxy on your Android phone. Note that starting with Android 7.0 (API level 24), apps targeting that API level or higher no longer trust user-installed CA certificates by default unless the app opts in through its Network Security Configuration. Bypassing this security measure is addressed in the “Basic Security Testing” chapters.

• Install the CA certificate of your interception proxy into your iOS phone

Intercepting Traffic

Start using the app and trigger its functions. You should see HTTP messages showing up in your interception proxy.

When using bettercap (or any other transparent redirection instead of a configured proxy), you need to enable “Support invisible proxying” for the Burp listener under Proxy > Options > edit the listener > Request handling.