EvernoteExport

IOS ApplicationSecurity Part 11 AnalyzingNetwork TrafficOver HTTP-HTTPS.html [25.05.2014 18:04:10]

IOS Application Security Part 11 Analyzing Network Traffic Over HTTP/HTTPS
Source: http://highaltitudehacks.com/2013/08/20/ios-application-security-part-11-analyzing-network-traffic-over-http-slash-https/
Aug 20th, 2013
Posted by Prateek Gianchandani

In the previous article, we looked at the iOS file system and forensics. In this article, we will look at how we can analyze the network traffic flowing across an iOS device. Analyzing the network traffic of an application can be helpful in many ways: it can help us deduce how the application manages its users' sessions, which endpoints the application calls, how the application works internally, etc. We will also look at how we can analyze network traffic over SSL.
There are both active and passive ways of sniffing traffic on a network. If you are interested in remotely analyzing the traffic of a particular device on a network, Wireshark is the tool to go for. Just open up Wireshark, start sniffing on the network and add a filter (e.g. ip.addr == 192.168.1.2) so that it shows only the traffic sent to or received from your iOS device. You may lose some packets if you don't have a good wireless card.
If you want to analyze the traffic of a device over SSL, there are plenty of ways to do that as well, using a combination of Arpspoof and SSLStrip. However, since we are interested in analyzing the network traffic of a particular application, we will follow a different approach. So, just to clarify, this article is focused on analyzing network traffic, not hijacking network traffic. Also, we can analyze the traffic either over Wi-Fi or over cellular. Since we are interested in analyzing the traffic of a particular application, it doesn't really matter which medium we choose.
Using TCPDump
One of the most basic techniques to capture traffic on your device is to use tcpdump. First of all, make sure that tcpdump is installed on your device.
Now, start capturing the data on a particular interface and write the output to a file.
To capture this data over cellular, just change the interface to point to the one related to the IP address provided by your cellular connection.
To analyze this file, you will have to transfer it to your system and open it in Wireshark. However, as you might have already noted, this is a tedious process, and there is a much better way to do the whole thing using pipes. More information can be found here. In any case, the output of tcpdump gives us too much low-level information, which is not what we want, since we are interested in analyzing data at the application level. There is a much better alternative using Burpsuite and Snoop-it.
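As an added example (not code from the original article), the following Python script reads a capture file as written by tcpdump -w and pulls out only the plain-HTTP requests a given device sent, which is the application-level view the raw tcpdump output buries. The capture is constructed inline; the device address 192.168.1.2 and the server address 203.0.113.10 are made-up values, and the script assumes the classic pcap format with the Ethernet link type.

```python
import struct

# Constructed sample (not from the article): a classic pcap as "tcpdump -w" writes
# it, holding Ethernet/IPv4/TCP frames. The device IP 192.168.1.2 and the server
# address 203.0.113.10 are made-up values.
def _frame(src, dst, dport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"                         # MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 50000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1377000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _frame("192.168.1.2", "203.0.113.10", 80, b"GET /api/feed?user=1 HTTP/1.1\r\nHost: api.example.com\r\n\r\n"),
    _frame("192.168.1.9", "203.0.113.10", 80, b"GET /other HTTP/1.1\r\nHost: api.example.com\r\n\r\n"),
    _frame("192.168.1.2", "203.0.113.10", 443, b"\x16\x03\x01\x00\x05"),  # TLS record, not HTTP
])

def http_requests(pcap_bytes, device_ip):
    """Return (dst_ip, dst_port, request_line, host) for each plain-HTTP request the
    device sent: the application-level view that raw tcpdump output buries."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    found, off = [], 24
    while off + 16 <= len(pcap_bytes):
        incl = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame, off = pcap_bytes[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00":                      # not IPv4
            continue
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # trim Ethernet padding
        if ip[9] != 6 or ".".join(map(str, ip[12:16])) != device_ip:  # TCP from the device only
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        line, _, headers = payload.partition(b"\r\n")
        parts = line.split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):  # not an HTTP request line
            continue
        host = next((h[5:].strip().decode() for h in headers.split(b"\r\n")
                     if h[:5].lower() == b"host:"), "")
        found.append((".".join(map(str, ip[16:20])), struct.unpack("!H", tcp[2:4])[0],
                      line.decode(), host))
    return found
```

Running it on a real capture is a matter of passing the file's bytes and the device's Wi-Fi address; requests inside TLS, like the third frame here, stay opaque, which is exactly why the article moves on to a proxy.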
Using Snoop-it
So let's discuss how to analyze the network traffic through Snoop-it. By the way, if you haven't seen it yet, check out part 9 of this tutorial series on Snoop-it. In order to see the API or network calls being made, just open any app in Snoop-it and go to the Network section on the left. For example, the image below shows the network calls being made by the Snapchat application.
If we tap on a particular request, we can see its contents, such as the query string, the body, etc.
Using Burpsuite over HTTP
Again, there is a much better way of showing these requests and responses, and Burpsuite stands out among all these tools. Download Burpsuite from its official website. The free edition should be sufficient for the task we are going to perform in this article. Also, if you haven't used Burpsuite before, check out this article that I have written about Burpsuite. The main task here is to use Burpsuite as a proxy and route all our traffic through it.
Open up Burpsuite, go to Proxy -> Options.
Click on the proxy that is set, click on Edit and select the option All Interfaces under Bind to Address.
Here we can edit the port the proxy is listening on, and even add a new proxy listener. Burp also has the option of presenting certificates to SSL-protected websites. By default, Burp creates a self-signed CA certificate upon installation. The currently checked option (shown below), i.e. generate CA-signed per-host certificates, will generate a certificate for the particular host we are connecting to, signed by the CA certificate that was created when Burp was installed.
You will be prompted with a warning. Click on Yes. The reason we selected the option to bind on all interfaces is that we want our iPhone to use our computer as a proxy, so binding only to the local interface wouldn't have been enough.
Now, go to Proxy -> Intercept and make sure Intercept is set to off. This is because you may not want to be bothered with forwarding every packet that comes through the proxy.
Now, you will have to tell your device to route traffic through this proxy. On your iOS device, go to the Settings app, tap on Wi-Fi, select the network you are connected to, scroll down in its settings and you will find an option to set its proxy. Set the proxy to the IP address of the computer that is currently running Burpsuite and the port to the one the proxy is listening on.
Now that the proxy is set up and we have configured our device to use it, go to any application that doesn't use SSL (we will discuss SSL later in this article) and use it for a while so that some network calls are made. You will see the requests going through in Burpsuite. Here is the traffic going through for the NASA TV app.
The good thing about Burpsuite is that we can see the packet in Raw and Hex format and also see the Params and the headers for every request and response.
Also, we can see the corresponding response for a particular request.
This will help us understand in great detail how an application communicates with the backend, which endpoints get called, and what the response format is.
Using Burpsuite over HTTPS
However, the technique mentioned above will not work for applications that use SSL to communicate with the backend. Some applications are coded in such a way that only SSL connections are allowed. For example, if you try to run the Snapchat app through this proxy, it will fail. However, some applications will issue a warning and ask you to confirm or cancel the connection. For example, the screenshot below shows a warning from Safari when run through the proxy.
If you click on Continue, you will be able to see the application traffic. Please note that this warning is accepted only for the current host. If you browse to another HTTPS-enabled website, you will be shown another warning, because Burpsuite generates a fake SSL certificate for every host.
Whenever we connect to an HTTPS website via Burpsuite, Burp generates an SSL certificate for that host, signed by its own Certificate Authority (CA) certificate. To make sure these warnings don't come up all the time, we have to install Burp's CA certificate as a trusted root on the device. Hence, the steps are to first get the root certificate and then install it on the device. Once it is on the device as a trusted root certificate, every certificate it signs will be treated as valid. Please note that the private key for this certificate is stored on your computer; hence, when the traffic passes through the proxy on this computer, Burp can decrypt the data using its private key.
The root CA certificate is created once you install Burp on your system.
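As an added example (my code, not the article's or Burp's), here is the defender's side of the mechanism just described: the per-host certificate the proxy generates carries the host's name but the proxy's own public key, so an app that pins the SHA-256 of the expected SubjectPublicKeyInfo rejects it even when the proxy's CA is trusted on the device. Both certificates are constructed inline with a minimal DER encoder; the names and key bytes are made up, the signature is a dummy, and the DER walker assumes a well-formed certificate.

```python
import base64, hashlib

def tlv(tag, body):
    """DER-encode one tag/length/value; used only to build the constructed sample."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def children(body):
    """Split the content of a DER SEQUENCE into (tag, value, raw_tlv) elements."""
    out, i = [], 0
    while i < len(body):
        start, tag, ln, i = i, body[i], body[i + 1], i + 2
        if ln & 0x80:                                         # long-form length
            k = ln & 0x7F
            ln, i = int.from_bytes(body[i:i + k], "big"), i + k
        out.append((tag, body[i:i + ln], body[start:i + ln]))
        i += ln
    return out

def spki_pin(cert_der):
    """Base64(SHA-256(SubjectPublicKeyInfo)) of a DER certificate: the value an app
    hard-codes and compares against whatever certificate the connection presents."""
    cert_body = children(cert_der)[0][1]                      # unwrap outer Certificate
    tbs = children(cert_body)[0][1]                           # tbsCertificate body
    fields = [f for f in children(tbs) if f[0] != 0xA0]       # drop [0] EXPLICIT version
    spki_raw = fields[5][2]    # serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo
    return base64.b64encode(hashlib.sha256(spki_raw).digest()).decode()

def fake_cert(subject_cn, issuer_cn, pubkey_bytes):
    """Constructed certificate skeleton with a dummy signature, enough structure for the
    walker above. rsa_oid is the real rsaEncryption OID; the key bytes are fake."""
    name = lambda cn: seq(tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn.encode()))))
    rsa_oid = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), tlv(0x05, b""))
    spki = seq(rsa_oid, tlv(0x03, b"\x00" + pubkey_bytes))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), rsa_oid, name(issuer_cn),
              seq(tlv(0x17, b"130820000000Z"), tlv(0x17, b"140820000000Z")), name(subject_cn), spki)
    return seq(tbs, rsa_oid, tlv(0x03, b"\x00" * 17))

GENUINE = fake_cert("api.example.com", "Example Root CA", b"\x01" * 64)   # the real server's key
PROXIED = fake_cert("api.example.com", "Proxy CA", b"\x02" * 64)          # same name, proxy's key
PINNED = spki_pin(GENUINE)

def pin_matches(cert_der, expected_pin=PINNED):
    """True only for a certificate carrying the pinned public key, whoever signed it."""
    return spki_pin(cert_der) == expected_pin
```

The same spki_pin computation works on a real DER certificate, which is how the expected pin for a production server is obtained in the first place.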
To install the root certificate on your system, first configure your browser to use the Burpsuite proxy.
Then browse to a website that uses SSL. You will be shown a warning.
Now our job is to export the root certificate that is used to sign all these certificates. For the domain gmail.com, it is not possible to export the root CA certificate, because we cannot add an exception for the gmail domain. Every domain can enforce a policy of this kind. However, facebook allows us to add an exception. Go to facebook.com using Firefox. You will get a warning. Click on I Understand the Risks and then on Add an Exception.
Then, click on View.
Go to the Details tab and select the topmost certificate in the hierarchy. This is the root CA certificate. Then click on Export and save the file with the extension .crt.
These steps can also be found in Burp's documentation. Here is a screenshot from this link.
Now, send this file to your device. Using appropriate social engineering skills, an attacker can get this certificate installed on a device as well without the user knowing its actual consequences. Here is the warning you get when you open this certificate. Tap on Install.
Tap on Install again. As you can see, the warning is pretty clear here.
Tap on Done once you are finished.
Now, since this root certificate is treated as valid, every certificate signed by it will be treated as valid and applications will allow data to be transferred. So the Snapchat application, which previously wasn't allowing us to transfer data with the fake SSL certificate, will now allow the data to be transferred successfully, and this traffic will be intercepted by Burpsuite. As you can see from the figure below, in the login call we can see the username and password being sent, as well as other API calls made by the application.
Conclusion
In this article, we looked at the different ways in which we can inspect the network traffic flowing across an iOS device. Knowing which endpoints get called, what the requests and responses look like, what the headers and params are, etc. will help us a lot in figuring out how the application works internally.
References
Installing Burp's CA Certificate - iPhone: http://portswigger.net/burp/help/proxy_options_installingCAcert.html#iphone