HTTPS in Android: A false sense of security (Man in the Middle)

Intro

If you have ever wondered what API that shiny new app is using under the hood, or wanted to understand how a certain flow in an app works (maybe to bypass/break it 😉), then stick around to find out.

When building Android apps, one would generally assume that our API traffic stays within our app and cannot be seen or modified by other apps, given Android’s sandbox mechanism.

I’ll try to demonstrate how pretty much any app’s HTTP/HTTPS traffic can be intercepted/modified on the go and what Android does to counter this.

Note: this will only work on rooted devices or emulators.

Background

As the title says, this is a Man-in-the-Middle setup: the entity in the middle is a Proxy Server that eavesdrops on the API requests made by the app.

The Proxy Server relays the traffic coming from the app to the legitimate server, applying any modifications you want to the request or response along the way.

However, some apps are smart enough to detect that they are talking to a Proxy Server rather than the real server, and will reject the connection immediately. The mechanism behind this is Certificate Pinning.

Certificate Pinning is one of the countermeasures to MITM, but on Android it can be easily bypassed (on a rooted device or emulator, as noted above).
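For context on what the pinning countermeasure actually looks like inside an app, here is an added example (not code from the original post or from any of the apps discussed) of pinning with OkHttp's CertificatePinner. The host name and the two `sha256/...` pin values are placeholders you would replace with your API host and the hashes of your own certificate chain.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import java.util.concurrent.TimeUnit
import javax.net.ssl.SSLPeerUnverifiedException

// Hypothetical host and pins (placeholders): replace with your API host and the
// base64 SHA-256 hashes of the public keys in your own certificate chain.
private const val API_HOST = "api.example.com"
private const val LEAF_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="   // placeholder
private const val BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=" // placeholder

/**
 * Builds an OkHttpClient that only completes a TLS handshake with API_HOST
 * when one of the pinned public-key hashes appears in the server's chain.
 * A proxy's forged certificate, even one signed by a CA the user installed
 * on the device, carries a different key, so the handshake fails before any
 * request bytes are sent.
 */
fun pinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, LEAF_PIN)
        .add(API_HOST, BACKUP_PIN) // second pin so a key rotation does not brick the app
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .connectTimeout(10, TimeUnit.SECONDS)
        .build()
}

sealed class ApiResult {
    data class Ok(val body: String) : ApiResult()
    object PinMismatch : ApiResult()
}

/** Example call: fails closed if the pin check does not pass. */
fun fetchProfile(client: OkHttpClient = pinnedClient()): ApiResult {
    val request = Request.Builder().url("https://$API_HOST/v1/profile").build()
    return try {
        client.newCall(request).execute().use { resp ->
            ApiResult.Ok(resp.body?.string().orEmpty())
        }
    } catch (e: SSLPeerUnverifiedException) {
        // OkHttp throws this when the presented chain matches none of the pins.
        // Do not retry without pinning; optionally report the event to the backend.
        ApiResult.PinMismatch
    }
}
```

Because this check runs inside the app's own process, on a rooted device it can be patched out of the APK, which is exactly what the post goes on to show; pinning raises the bar rather than removing the need for the server-side validation discussed in the conclusion.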

Setup

There are many Proxy Servers to choose from for Android; the easiest to use of the lot, I would say, is HTTP Toolkit. The setup is a breeze: if you are coming from Charles Proxy, Proxyman, etc., you will love the simplicity.

Follow the HTTP Toolkit installation steps for your OS.

For the demos, our objectives are to:

  • intercept requests

  • modify requests

We’ll intercept an app that implements Certificate Pinning along with one that does not.

I’ll be running the apps on a Pixel 6 Pro, API 33 emulator (make sure you are running an image without the Play Store module); if you have a rooted device, I’d suggest using that instead.

Demo #1, Flipkart

Flipkart does not implement Certificate Pinning, which makes interception of its API traffic very straightforward. (Flipkart APK Download)

Demo #2, Twitter

Twitter takes it a step further and implements Certificate Pinning to make interception difficult. However, as I mentioned earlier, it is very easy to bypass this countermeasure. (Twitter APK Download)

APK Lab is an awesome tool for reverse engineering Android apps, and removing Certificate Pinning is one of its many features.

Conclusion

Given the above, critical business use-cases should have server-side validation of whatever the client sends, and vice versa; the client cannot be trusted simply because the request arrived over HTTPS.

This also opens up multiple attack vectors for malicious actors to exploit.

Questions/Suggestions/Improvements are welcome 😄 .
I’m available on Twitter for further queries.

Written by

Veeresh Charantimath