This post is the first of the series on how to make your Android App more secure. This post will show you how to inject MITM proxy into an Android app to sniff all the outgoing and incoming API calls from a compiled and signed mobile apps.
So far, mobile apps have been deeply integrated with our day to day life. From ordering lunch, binge-watching tv shows, and calling a ride back home can be done within our mobile phone. Generally, on an Android developer’s work, we focused mainly on making the UI/UX delightful and user-friendly. Sadly sometimes we often forgot one vital thing: how to make our apps secure.
What is MITM?
First, what is MITM? MITM stands for Man-in-the-middle, where somewhat already explains a little bit how to perform this attack. Imagine if your App is connected to the API via the wifi, and maybe someone can peek or perhaps alter all incoming and outgoing network packages.
The first line of defense against MITM is by using HTTPs instead of cleartext HTTP. HTTPs will encrypt all the incoming and outgoing communication, making it harder for the sniffer to translate the message.
To read the package, the attacker will need to open the package and rewrap it with a different certificate. Once the package reaches our mobile apps, we will get notified if that the warranty has tampered, and most of the time, our browser or HTTP Client will block it. But it is possible to bypass that mechanism by tampering the target apps a little bit.
MITM Proxy Tools
First, let’s install our MITM proxy, there are plenty of selections:
In this post, we will be using HTTP Toolkit. We can follow the official guidelines to install and setup HTTP Toolkit.
And for the target victim apps that we will tamper to sniff all the network requests, we will be using the open-source project from https://github.com/esoxjem/MovieGuide which are brilliantly built by the developer to showcase Android MVP architecture, Dagger, and RxJava. After cloning the repo, I will create the Apk with the release version and then sign the apk.
Then let’s start our emulator and attach the HTTP Toolkit to the emulator. You can go to the menu Intercept and simply choose to intercept an Android device that is connected through adb, then HTTP Toolkit will handle the rest.
If you are using Mitmproxy or Charles proxy, you will need to point your wifi/emulator proxy to local proxy with the predefined port; AFAIK for MITM proxy is 8080 and Charles is 8888. But please check the official documentation to make sure of it. Afterward, open your browser and go to https://chls.pro/ssl for Charles Proxy or https://mitm.it for MITM Proxy. Then it will download a certificate that you need to install.
Once the MITM proxy is set, we can go to the emulator’s browser and simply go to google. If it works, we can see the network request and response in our proxy tools. Some proxy will have HTTPS / SSL sniffing turned off by default, so you will need to turn it on and ensure that you already can see HTTPS traffic response from the browser in your Proxy tools.
Tampering APK to sniff the network package
Then we can try to install the movie app in our emulator and test the App, and we will see that it will block the connection.
To enable HTTPs sniffing in the target App, we will need to alter the apk. First, install Apktool by following the official documentation here https://ibotpeaches.github.io/Apktool/install/.
After Apktool is installed, then we can decompile the signed apk of our movie App by typing this command: apktool d <path-to-apk-file>
If the decompilation is a success we can see the folder as below
Then we can navigate to the folder res and try to find xml folder. If it doesn’t exist, then we need to create one. Then inside the xml folder, add a network configuration file like below.
<?xml version="1.0" encoding="utf-8"?> <network-security-config> <base-config> <trust-anchors> <!-- Trust user added CAs while debuggable only --> <certificates src="user" /> </trust-anchors> </base-config> </network-security-config>
If the apk already has a network config file, we need to ensure we have these codes inside the configuration.
<base-config> <trust-anchors> <!-- Trust user added CAs while debuggable only --> <certificates src="user" /> </trust-anchors> </base-config>
Afterward, we need to wire the network configuration to the application by adding these codes inside the application tag settings in AndroidManifest.xml
Then head back to the command-line and rebuild the tampered folder to a new apk.
Then generate a new Keystore to sign the apk by using this command below and follow through the instruction
keytool -genkey -v -keystore bird-ac.keystore -alias birdac -keyalg RSA -keysize 2048 -validity 99
After Keystore is created, then we sign the APK with the command below and enter the alias and password that you use when generating the keystore
apksigner sign --ks bird-ac.keystore <path-to-tampered-apk-file>
If your command prompt didn’t have apksigner yet, you could add the path to apksigner in your env path. It usually located inside this folder build-tools/<build tools version> in your Android SDK home.
Then we can install the tampered APK in the emulator (you might need to remove the previously installed App first)
Now, if we open the App, we can see the network request in our proxy tools. Now, we already successfully tampered an app to inject MITM proxy without having the source code.
Why is this a security hole for App developer?
Why is it dangerous? For example, in this Movie App, we need to set the API key to hit the backend. If people can sniff the network, they can steal the key easily. Besides, analyzing the network request and response is the first step in reverse engineering the whole App, and by doing so, the attacker might find some security hole in our backend. Or maybe they might steal your application’s data and content and use your key to access your third party services. The possibilities are limitless, so it is best to try to secure our Android Apps as much as possible.
Stay tuned to the second part where I will highlight the step that you can do to prevent app tampering, and I will list down the things that you can implement to enhance your application’s security.