But I\u2019m using HTTPS, so I can\u2019t MITM my traffic.<\/h6>\n
Yes, by using HTTPS, a random third-party can\u2019t decrypt your payloads.<\/p>\n But while HTTPS protects you from a third-party listening in to your traffic, the endpoints are still vulnerable.<\/p>\n I don\u2019t want to get sidetracked with a detailed explanation of how HTTPS protects you<\/a>, so here\u2019s the short version: First, you verify the server\u2019s identity using the Public Key Infrastructure. The server presents a certificate saying \u201cI am example.com\u201d. That certificate has been signed<\/strong> by a trusted third-party, called a Root Certificate Authority (CA). That signature says \u201cI am Trusted CA, Inc. and that really is example.com\u201d. Your OS has a couple hundred root CA certificates installed, so it can be sure that it\u2019s really Trusted CA, Inc. that signed the certificate. (In reality, the server\u2019s certificate has actually been signed by an intermediary CA, which was in turn signed by the root CA. We call this the chain of trust<\/strong>).<\/p>\n After you\u2019ve established the server\u2019s identity, you exchange public keys, and can encrypt messages to each other that can only be decrypted by the known party – no third party can listen in to your encrypted messages and see what you\u2019re saying.<\/p>\n Since we can\u2019t decrypt your HTTPS payloads, we\u2019re going to attack by making a fake root CA and installing it as one of the device\u2019s trusted roots.<\/p>\n Nope. We\u2019re going to install a tool that handles it all for you.<\/p>\n Step 1. Install mitmproxy<\/a> on your dev machine.<\/p>\n Step 2. Run mitmproxy on your dev machine. Down in the bottom-right corner, it\u2019ll tell you what port it\u2019s running on. Also, make note of your dev machine\u2019s IP address.<\/p>\n Step 3. Connect your Android (or iOS or whatever else) device to the same network as your dev machine, and in your network settings, set your proxy to your dev machine\u2019s IP address and the port that mitmproxy is running on. The exact details of how to do this vary by OS version, so’ll have to google that for yourself.<\/p>\n Step 4. On your target device, open a browser and go to (mitm.it) This magic domain will help you install mitmproxy\u2019s certificate as a trusted root CA on your device.<\/p>\n Step 5. Run your app, and watch mitmproxy dump all of your traffic.<\/p>\n You pin your certificates<\/a>. Also, you learn a little more about HTTPS. Knowledge is power.<\/p>\n","protected":false},"excerpt":{"rendered":" Wait, what? Why would I want to do that? Lots of good reasons: If you want to see the actual traffic you\u2019re sending over the network, for debugging purposes. See what third-party libraries might be sending, and how they\u2019re sending it. Demonstrating how trivial it is to do so, as a pre-condition for mitigating it. … Continue reading “How, and Why, to run a Man-In-The-Middle Attack on Your Own App”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"twitterCardType":"summary_large_image","cardImageID":0,"cardImage":"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2016\/11\/id45.gif","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/354"}],"collection":[{"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=354"}],"version-history":[{"count":6,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/354\/revisions"}],"predecessor-version":[{"id":374,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/354\/revisions\/374"}],"wp:attachment":[{"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=354"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=354"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=354"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"id45\"](\"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2016\/11\/id45.gif\")
<\/a>(side note: any day I can use an Independence Day GIF is a good day)<\/small><\/p>\n<\/a><\/p>\n<\/a><\/p>\nIsn\u2019t that hard?<\/h6>\n
<\/a><\/p>\nSo what do I do now?<\/h6>\n
I\u2019ll follow up with another blog post soon to help you do that<\/del> (edit: follow-up post on certificate pinning<\/a> is up). (Good news: it\u2019s pretty easy)<\/p>\n