MITM https on Android apps fail in some sessions - Android Q&A, Help & Troubleshooting

Hi,
Been doing some research and somehow some applications do not let me see traffic, even if I change the hardcoded base URL or endpoint. In mitmproxy it always gives me:
Client Handshake failed. The client may not trust the proxy's certificate for domain.zyx.
<and some hex dump here \x00\x00\x00\x00\ ..>
While other applications do not check this and traffic flows through my mitmproxy. Yes, I am running it in transparent mode. In regular mode it does the same but shows no error, just nothing.
So the variable here is the APK build settings or an import like:
import java.security.cert.Certificate;
?
When I just toss it a test application and my domain with Let's Encrypt it works, so this is not the issue. (Yes the certs of the proxy are installed on the end device).
edit: Digging deeper into the rabbit hole... okhttp3 seems to be the issue here, its MITM security prevents it.
Solution seems to be: https://github.com/ac-pm/SSLUnpinning_Xposed
Any ideas?
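As an added illustration (not code from the original post or from any app discussed there), this is how an okhttp3 client enforces certificate pinning, which is the mechanism that makes the handshake through an interception proxy fail. The host name and pin values are placeholders.

```java
// Added example: how an okhttp3 client enforces certificate pinning.
// The host and the pin values are placeholders, not taken from any real app.
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class PinnedClient {
    // SHA-256 of the server's SubjectPublicKeyInfo, base64-encoded.
    // Placeholder values; the real ones come from the server's certificate, e.g.
    //   openssl s_client -connect domain.zyx:443 | openssl x509 -pubkey -noout \
    //     | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
    private static final String HOST = "domain.zyx";
    private static final String LEAF_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // Two pins: the current key and a backup, so a key rotation
                // does not lock every installed client out.
                .add(HOST, LEAF_PIN)
                .add(HOST, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    public static void main(String[] args) throws IOException {
        Request req = new Request.Builder().url("https://" + HOST + "/").build();
        try (Response resp = build().newCall(req).execute()) {
            System.out.println("HTTP " + resp.code());
        } catch (SSLPeerUnverifiedException e) {
            // Thrown when the presented chain (for example one signed by a proxy CA
            // that the device happens to trust) contains none of the pinned keys.
            // OkHttp's message lists the pins it actually saw, which is useful
            // when rotating the pin set.
            System.err.println("Pin mismatch: " + e.getMessage());
        }
    }
}
```

Note that on Android 7 and later an app does not trust user-installed CAs at all unless its network security config opts in, so a handshake failure like the one quoted above can occur with no pinning code in the app. Pinning in addition to that restricts the app to specific keys even when a trusted CA has been compromised.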

Look into frida, it lets you hook any function. So you can bypass cert pinning by hooking certain functions.
An app built on top of frida may already help you, try out objection.
https://github.com/sensepost/objection

Related

[Q] i9100 - Disc encryption question

Hi there,
Has anyone tested the hardware disc encryption that Samsung touted pre-launch? Are there any white papers on how this works?
"Samsung has also taken steps to include Enterprise software for business users, that include On Device Encryption, Cisco’s AnyConnect VPN, MDM (Mobile Device Management), Cisco WebEx, Juniper,[28] and secure remote device management from Sybase.[36]"
Source https://secure.wikimedia.org/wikipedia/en/wiki/Samsung_Galaxy_S_II#Bundled_applications
Regards, F.
I asked on the CM forums, and CM does not have any disc encryption yet. Does anyone know about Samsung's offering?
BR.
Shameless bump, in case someone has bought the i9100 by now and found the encryption option. Anyone?
I found this gumpf about it. It's a third-party product provided by Sophos.
"Antivirus & Firewall Security for Android Devices with Disk Encryption
SophosWith rising security threats and growing demands for the need of end point protection and data security are growing and so does Sophos comes forward and launches a mobile control which is mainly designed and is developed for smart phones like Android. This product comes with Sophos Anti-virus, Sophos Client Firewall and Sophos Disk Encryption which protects from threats and provides the disk encryption.
Basically, the SOPHOS secures the smart phones by centrally configuring all the security settings and then also it enables the lock down of unwanted features. With strong set of password and security policy it can even control the installation of apps, blocking use of cameras, browsers like You Tube etc. Also, additionally you can easily secure the access to the corporate mail by setting up the registered devices to access the mail.
Sophos Mobile control secures the mobile devices by centrally configuring security settings and enabling lock down of unwanted features. The features like strong password policy and lock period, control and installation of applications and blocking usage of cameras and browsers will help in enabling the enforcement of consistent "
Source: hxxp://androidadvices.com/antivirus-firewall-security-for-android-devices-with-disk-encryption/
galaxy s II I9100 has disk encryption built-in but disabled
I went through the files in initramfs and I found:
1) lots of encryption related strings and error messages in the /init executable
2) /init.rc has an event handler "on property:encryption.bootmode=remount"
3) /res/encryption.conftab - a configuration file that maps directories like /data to /dev/mapper/data to /dev/block/<data block device>
The important point is that the /init executable contains the name of this file and error messages relevant to the processing of this file.
4) /res/images contains images that together form an encryption graphical UI
Conclusion: Block-device level encryption is available and configured through dm-crypt by the init executable and some configuration files. Some flag probably exists somewhere to enable this encryption.
Guess: after the flag is flipped the device should ask during boot for encryption password and encrypt /data /efs /cache /sdcard directories. On consecutive re-boots the same password will be asked to be able to mount through the configuration file(s).
Does anyone know how to enable the damn thing? Apparently Sybase have an app called Afaria AES for Samsung that enables this functionality. I guess that they are doing it using some unpublished Samsung security API. Maybe an extension of the DeviceAdmin class. Anyone know a way to check this?
I configured the standard email client to connect to my Exchange server, which enforces an encryption policy, and then I got prompted that my SGS2 would encrypt itself.
I've no idea if there is a way to do it manually or even how to un-encrypt it if I ever remove the exchange account.
dwod said:
I configured the standard email client to connect to my Exchange server, which enforces an encryption policy, and then I got prompted that my SGS2 would encrypt itself.
I've no idea if there is a way to do it manually or even how to un-encrypt it if I ever remove the exchange account.
Hi, when you say the SGS would encrypt itself, did you mean that the internal discs would be encrypted, or was this referring only to the connection over email? I think the latter, and if so then this is not the correct thread for this discussion. If the former, then this is remarkable.
I am also looking for a way to enable encryption. The ability to use hardware-assisted file encryption was the first thing that caught my eye when they presented the SGS II at MWC.
I have contacted Samsung about this (twice) and they were not really helpful at all. They only replied that you need third party tools to use the SGS II encryption features and that there is no tool included with the handset. They also ignored my inquiry for a documented API which would make it possible to write a little program to switch encryption on.
It seems that Sybase Afaria is one of the solutions with the desired ability, a Microsoft Active Sync server is another, both enterprise level products. The Sophos product mentioned above might be yet another.
If we could only get some information about the API all these products must use to administer the phone!
fryandlaurie
@forgetmyname:
I'm pretty sure that it is about file level encryption: Connecting to a corporate exchange server allows the server (if configured accordingly) to enforce a host of security policies on the phone. One of these policies may well be the encryption of all mail traffic but I doubt that you would be prompted to acknowledge that.
fryandlaurie
It would be great to be able to file-encrypt private photos. I don't think it's enough to have a program that requires a password to show the hidden files, as if one has physical access to the phone one can easily get the pictures.
Two options for i9100 Encryption
oleost said:
It would be great to be able to file-encrypt private photos. I don't think it's enough to have a program that requires a password to show the hidden files, as if one has physical access to the phone one can easily get the pictures.
On Stock Samsung ROMs pre-ICS you can use Galaxy Device Encryption free or pro by hellcat (see google play) for full device encryption, including optional encrypting of the external SD card. Note, it has to be stock rom for this to work on GB and this only works on certain Samsung models that they added the encryption ability to the OS but didn't give the user a way to activate.
ICS supports encryption natively and gives the user access to turn this on without a push from an exchange server or the like, assuming this hasn't been removed/disabled by the developer of the ROM you're using.
Ed
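The thread asks which API the Exchange and MDM products use to switch encryption on. As an added example (not from any post above, and not Samsung's or Sybase's code), this is the public device-admin route that exists from Android 3.0 (API level 11) onward, which matches the note that ICS exposes encryption natively; it does not apply to the stock Gingerbread ROM discussed earlier. The receiver and activity names are placeholders.

```java
// Added example: checking and requesting full-device storage encryption through
// the public device-admin API (DevicePolicyManager, API level 11 and later).
// Assumption: the manifest registers EncryptionAdminReceiver as a device admin
// whose res/xml/device_admin.xml lists <encrypted-storage /> under <uses-policies>.
import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;

public class EncryptionAdminReceiver extends DeviceAdminReceiver {
    // Empty subclass: it exists only so the user can grant this app admin rights.
}

class EncryptionActivity extends Activity {
    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        DevicePolicyManager dpm =
                (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(this, EncryptionAdminReceiver.class);

        if (!dpm.isAdminActive(admin)) {
            // Ask the user to activate the admin; nothing below works before that.
            Intent i = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
            i.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, admin);
            startActivity(i);
            return;
        }
        int status = dpm.getStorageEncryptionStatus();
        if (status == DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED) {
            // The ROM offers no encryption to the framework (the pre-ICS i9100
            // situation above); nothing an app can do through public APIs.
            return;
        }
        if (status == DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE) {
            // Record that this admin's policy requires encryption, then hand off
            // to the system UI that actually starts encrypting /data.
            dpm.setStorageEncryption(admin, true);
            startActivity(new Intent(DevicePolicyManager.ACTION_START_ENCRYPTION));
        }
    }
}
```

An Exchange ActiveSync policy drives the same framework path from the email client's device admin, which is why configuring the corporate account triggered the encryption prompt.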

[Q] Changing Input Method on Rooted Device

Hi!
In order to automatically switch to Wifi Keyboard as my current input method when plugging my phone (Atrix, Android 2.2.2) into my computer, I am looking to circumvent the security restrictions preventing that. Normally, applications are not given the permission to change input methods due to them being in control of the system, possibly with malicious intent.
Now, my phone is rooted, and root shall be your god, so this must be possible. To further complicate matters, I am trying to achieve this through Tasker (which does not know about root), as it already provides the several other tasks I want to achieve and can trigger them in any context imaginable. It is, however, able to run scripts - so if there is a way to do this by script, I'm set.
Google gave me a link to the developer.android.com reference to InputMethodManager (which I am not allowed to post here yet...), which says, among other things, the following:
The input method manager as expressed by this class is the central point of the system that manages interaction between all other parts. It is expressed as the client-side API here which exists in each application context and communicates with a global system service that manages the interaction across all processes.
An input method (IME) implements a particular interaction model allowing the user to generate text. The system binds to the current input method that is use, causing it to be created and run, and tells it when to hide and show its UI. Only one IME is running at a time.
Multiple client applications arbitrate with the input method manager for input focus and control over the state of the IME. Only one such client is ever active (working with the IME) at a time.
Only the system is allowed to directly access an IME's InputMethod interface, via the BIND_INPUT_METHOD permission. This is enforced in the system by not binding to an input method service that does not require this permission, so the system can guarantee no other untrusted clients are accessing the current input method outside of its control.
A client application can ask that the system let the user pick a new IME, but can not programmatically switch to one itself. This avoids malicious applications from switching the user to their own IME, which remains running when the user navigates away to another application. An IME, on the other hand, is allowed to programmatically switch the system to another IME, since it already has full control of user input.
The identification of the current IME is represented by this:
IBinder imeToken Supplies the identifying token given to an input method when it was started, which allows it to perform this operation on itself.
I take from this that I either have to
a) gimme that BIND_INPUT_METHOD permission,
b) remove that whole restriction at least temporarily,
c) impersonate being the currently active IME by taking the imeToken away or
d) tell the IME that it should switch to another one.
Unfortunately, my programming experience is limited to C (on microcontrollers...), Python and PHP, and I have no greater experience with fitting my scripts into larger-scale frameworks, only in small ones for personal or limited use. So, well, I have no idea how to achieve any of these goals.
Could someone tell me if what I want to do is even possible, and if so, how? I don't need the full code, if there is much to it, but rather some directions, although I certainly would not mind it.
Thanks a bunch for any advice in advance!
V
PS: I hope it is not rude for me to ask this in here, but well, it's kinda-sorta dev stuff, and neither Google nor the Forum search turned up anything even close to an answer.
Use "Secure Settings". It will allow you to switch keyboard input using Tasker. It also lets you turn gps on and off as well as some other things.
Sent from my MB860 using xda premium

[Q] Log URLs

Helping friend with a cheating husband. She wants something that can log URLs visited to see if he's making new webmail accounts. Any suggestions?
I figured a stealthy way to do this would be something like privoxy installed via the commandline and started in an init script. He's already rooted his phone, so that should make things a bit easier.
Basically the requirements are hidden (doesn't show in apps list or drawer), can log URLs, doesn't add significant battery drain. I see a bunch of paid apps (mobispy, etc) but can't verify if they're hidden from android OS. If he can just kill it with a something like ES Task Manager and uninstall it with Settings->Apps, it's probably not sufficient.
NDK
Hi.
You can introduce any cross-compiled binary into the Android system if the phone is already rooted. You can compile programs via the NDK and put them in /system; Android's software center will never know.
It's probably easiest to install a network sniffer like tcpdump or even better tshark from wireshark. Just start it in init.d and let it write the first 1k bytes of every packet (port 80/443) to a capture file hidden in some sub directory. This will most likely drain battery.
As for hiding in the process list, it's probably easier to rename your sniffer to something harmless like 'wpa-agent'.
* BUT *
You basically want to introduce malware on another one's phone. This might be a felony in your country. And it's certainly unethical. In these cases I always suggest talking to the partner instead of spying. If it comes to spying on your partner, the trust which is needed in a relationship is already severely damaged. And I'm really not sure that looking out for webmail accounts will repair this trust.

[Q] Low level Application Authentication (like JAAS)

Hi,
I'm looking for a way to add authentication to android application, a bit like JAAS on standard Java VM.
With JAAS, there is a login module which is not included in the application but called by the VM (not explicitly by the application) when it is required (start screen, or when the session ends, or when accessing screens, resources, ...).
One of the purposes of this is to keep application code agnostic of authentication, authorisation, ...
From what I've read on Android and Dalvik so far there is nothing in this range and I'm a bit surprised. Am I wrong? Is there anything I haven't seen?

Xposed with shared library.

I was struggling not to make that kind of post, but as far as I can see, I definitely need help in order to proceed.
I need help with hacking an app. The application in question utilizes AES encryption for some subset of web requests. As I understand, the key for encryption is generated by the app at native code level, which is then used for encrypting/decrypting internet traffic, using a shared library. In addition to that, there is a method to fetch the encryption key, if my understanding of the process is correct.
Personally, I don't follow the whole sequence of actions it does to encode/decode data (the app heavily utilizes Java, native ARM code and server-obfuscated JS code, so it's a bit complicated to follow). So, I thought that it might be faster and more effective to go straight for the key, so the plan was writing an Xposed module which would fetch it.
I haven't developed for the Android platform before, so please bear with my ignorance. As I understand, if the method in the shared library is called Java_<class>_<method> then it can be declared in that class and be called from there. If the library is checked using IDA Pro, you can see a bunch of methods following that naming approach in the Exports tab. The problem is that the key fetching method uses a different naming/declaration - <ClassA>::<ClassB>::<Method> (and its export name is something like _ZN3ClassA6ClassB9MethodEv). While I have a vague idea of calling typical native class methods (Java_.... ones), I don't have the slightest idea if <Class1>::<Class2>::<method> could be called from Java code somehow.
Any help would be appreciated.
