MITM Attacks in Mobile Apps

A man-in-the-middle (MITM) attack is a common technique for stealing data in transit between a mobile app and a web service. An easy way to see what sort of data your app is leaking is to route it through a MITM proxy such as the Python-based mitmproxy. Today I'm going to show a quick demo using a small app that sends and receives JSON payloads, with mitmproxy capturing all of that data. If you want to try this out yourself you can use your own app, or feel free to use mine:

Requirements:

- A mobile app to test with (the one used in the video is available here: https://github.com/ShravanJ/MITMAppDemo/)
- mitmproxy
- A web service endpoint to deliver a JSON payload (I used json-server for testing)

You will need to set up mitmproxy to work with your phone using the following steps. Once that is set up you can test how your app handles web service requests, whether JSON, SOAP, or loading images and videos. This should give you some insight into how easy it is to see what your app is doing when it communicates with a web service. One way to help prevent this is to implement certificate pinning, so that the app only trusts the certificate or public key it expects from the server and rejects the one a proxy substitutes. I have provided some implementation guides below:

For Xamarin apps:

https://github.com/chrisriesgo/xamarin-cert-pinning

https://thomasbandt.com/certificate-and-public-key-pinning-with-xamarin

For native iOS apps:

https://github.com/datatheorem/TrustKit

https://www.bugsee.com/blog/ssl-certificate-pinning-on-ios-using-trustkit/
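To make the pinning idea concrete, here is an added example of my own (not code from this post, nor from the TrustKit or Xamarin projects linked above) that implements the core of public-key pinning in the same SPKI SHA-256 pin format TrustKit and HPKP use: pull the SubjectPublicKeyInfo out of a DER certificate, hash it, and compare it against a pin set shipped inside the app. The certificates it checks are constructed, certificate-shaped DER blobs with placeholder key bytes, not real X.509 certificates.

```python
import base64
import hashlib

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_read(buf: bytes, pos: int):
    """Parse the TLV header at pos; return (tag, content_start, content_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        nb = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, pos, pos + n

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 cert (RFC 5280 field order)."""
    _, pos, _ = der_read(cert_der, 0)            # Certificate SEQUENCE
    _, pos, _ = der_read(cert_der, pos)          # tbsCertificate SEQUENCE
    skip = 5                                     # serial, signature, issuer, validity, subject
    if der_read(cert_der, pos)[0] == 0xA0:       # optional explicit [0] version comes first
        skip += 1
    for _ in range(skip):
        pos = der_read(cert_der, pos)[2]
    return cert_der[pos:der_read(cert_der, pos)[2]]

def spki_pin(spki_der: bytes) -> str:
    """HPKP/TrustKit-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pins_match(cert_der: bytes, pinned: set) -> bool:
    """True only if the presented certificate carries a public key we pinned."""
    return spki_pin(extract_spki(cert_der)) in pinned

def make_fake_cert(key_bytes: bytes, with_version: bool = True) -> bytes:
    """CONSTRUCTED sample: cert-shaped DER with dummy fields, not a real certificate."""
    seq = lambda c: der_tlv(0x30, c)
    fields = [der_tlv(0x02, b"\x01"), seq(b""), seq(b""), seq(b""), seq(b"")]
    if with_version:
        fields.insert(0, der_tlv(0xA0, der_tlv(0x02, b"\x02")))
    spki = seq(seq(b"") + der_tlv(0x03, b"\x00" + key_bytes))
    return seq(seq(b"".join(fields) + spki) + seq(b"") + der_tlv(0x03, b"\x00sig"))

SERVER_CERT = make_fake_cert(b"backend-public-key")        # constructed: the real backend
PROXY_CERT = make_fake_cert(b"mitmproxy-generated-key")    # constructed: a proxy's forged cert
PINNED = {spki_pin(extract_spki(SERVER_CERT))}             # ship this set inside the app
```

On a device this comparison belongs inside the TLS validation callback (TrustKit on iOS, the handler's certificate validation callback in Xamarin), and the set should always hold a backup pin for the next key so a rotation does not lock users out.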

I will probably do another video with the web service running over HTTPS to show how certificate pinning can help stop MITM attacks. As usual, thanks for reading.