Friday, April 19, 2013

Snooping Encrypted Data On Android

Make sure you have a rooted device for this, as you will need to install some packages. For encrypted traffic, you will need to install a proxy called socat. To do this, use opkg, which will download and install packages to your Android device. The link to the project is given below.
http://dan.drown.org/android/
First, download the application
http://dan.drown.org/android/opkg.tar.gz
Then push the downloaded tar to the Android device
# adb push opkg.tar.gz /data/local
Unarchive the file in /data/local (the tar has to be extracted from that directory, so change into it first)
# adb shell "cd /data/local && tar zxvf opkg.tar.gz"
Now update the package lists and install the socat proxy (two separate commands)
$ opkg-cl update
$ opkg-cl install socat
Let's also say you want to proxy all traffic going to android.clients.google.com, which is where most Google-generated traffic goes. I won't go into it here, but you will need to generate your own keys and certs for the android.clients.google.com domain name (make sure to also install the CA cert that signed them on your Android device as a trusted authority). Set up this way, your device will trust the proxy running on the device as a legitimate Google server.

If there is another site you want to snoop, just generate new keys and change android.clients.google.com to the new site in the command below.
$ ./bin/socat -v OPENSSL-LISTEN:8443,reuseaddr,verify=0,cert=/data/local/server.crt,key=/data/local/server.key,cafile=/data/local/ca.crt,fork OPENSSL:android.clients.google.com:443,reuseaddr,verify=0
The first address is the listening side: it serves the cert and key you generated, cafile points at your CA, and verify=0 means no client certificate is demanded from the app. The proxy listens on the device on port 8443 and forks a new process for every accepted connection. The second address is the upstream side: each connection is forwarded to android.clients.google.com on port 443, again with verify=0, so socat does not check the real server's certificate either. In this way, the traffic is decrypted at the proxy. The -v option prints the decrypted data to the terminal where socat is running.
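The key and certificate generation the post skips over, as an added example that is not part of the original post: a throwaway CA plus a server key and cert for the host name the proxy impersonates, in the file names the socat command above expects (ca.crt, server.key, server.crt). The CA name "snoop test CA", the san.ext helper file and the 365-day lifetime are assumptions; the functions take the output directory and host as parameters so the same code produces certs for any other site you change the command to.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a private CA and
# a server certificate signed by it, using only the openssl CLI.
set -e

# make_ca DIR : self-signed CA key/cert. ca.crt is what the device must be
# told to trust; ca.key never leaves the machine you generate it on.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=snoop test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# make_server_cert DIR HOST : server.key + server.crt for HOST, signed by the
# CA in DIR. The subjectAltName (san.ext is an assumed helper file name) is
# what clients that ignore the CN match against.
make_server_cert() {
    dir="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# cert_subject FILE : print the certificate subject, so the result can be
# checked before the files are pushed to /data/local.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# verify_chain DIR : exit 0 only if server.crt chains back to ca.crt; this is
# the same check the device performs once ca.crt is installed as trusted.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Typical use: generate into ./certs, check, then adb push the three files.
generate_for_host() {
    make_ca "$1"
    make_server_cert "$1" "$2"
    verify_chain "$1"
}
```

Run `generate_for_host ./certs android.clients.google.com`, then push ca.crt, server.key and server.crt to /data/local and install ca.crt on the device as a user certificate. Once socat is up you can confirm from a shell on the device that the listener presents the expected cert with `openssl s_client -connect 127.0.0.1:8443 -CAfile /data/local/ca.crt`. Two points worth keeping in mind: anything able to read ca.key can mint a certificate for any name the device will accept, so keep the CA on a test device only; and because the upstream side of the socat command runs with verify=0, the proxy itself will happily talk to an impostor on the network, so the device is no longer protected against a second interception while this setup is active.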

Now that you have the proxy set up on the device, you need to configure iptables.

Before writing the iptables rules, check the interfaces on your device:
$ ls /sys/class/net
     dummy0
     lo
     rmnet0
     rmnet1
     rmnet2
     sit0
     wlan0

lo is the loopback interface. For Wi-Fi, you should listen on wlan0. The rmnet(x) interfaces are for USB and GPRS/CDMA. sit0 is Simple Internet Transition, which encapsulates IPv6 in IPv4. You will NAT traffic on the wlan0 interface (although you could NAT on whichever interface the traffic is actually going through).

Next, you need to know which specific process you want to snoop. Let's check:
$ ps
with the result (USER PID PPID VSIZE RSS WCHAN NAME)

app_32    5862  139   470652 38304 S com.google.android.gm
app_120   5960  139   473708 38472 S com.google.android.talk
app_130   5981  139   478716 41476 S com.google.android.videos
app_138   6008  139   488688 41356 S com.google.android.youtube

com.google.android.gm runs as user app_32. That is the id you want, as you will use it when writing the iptables rule.

OK, at this point you know you want to NAT traffic for app_32 on interface wlan0.

I'll show how to use iptables to direct traffic to the proxy. You need iptables to write NAT rules, so install it.
$ opkg-cl install iptables
The iptables command is going to look something like
$ iptables -t nat -A OUTPUT -o wlan0 -p tcp --dport 443 -d android.clients.google.com -m owner --uid-owner app_32 -j DNAT --to-destination 127.0.0.1:8443
Notice that this command only redirects the traffic for app_32. It maps any request from that app to the Google servers onto the on-device proxy that you set up.
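Finding the uid and assembling the rule, as an added example that is not part of the original post: the functions below parse a ps listing for an exact package name, turn the app_N name into the numeric uid that --uid-owner accepts on a device without /etc/passwd (Android assigns app_N the uid 10000+N), and print the rule for both adding (-A) and removing (-D) it. PS_SAMPLE is a constructed copy of the listing above; the host, interface and port default to the values used in the post and can be overridden. Nothing here touches the firewall: the output is the command you would then run as root.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for the
# "which uid, which rule" step; they only print, they never call iptables.
set -e

# Constructed sample of Android 'ps' output (USER PID PPID VSIZE RSS WCHAN NAME),
# copied from the listing in the post.
PS_SAMPLE='app_32    5862  139   470652 38304 S com.google.android.gm
app_120   5960  139   473708 38472 S com.google.android.talk
app_130   5981  139   478716 41476 S com.google.android.videos
app_138   6008  139   488688 41356 S com.google.android.youtube'

# uid_for_package PACKAGE [PS_OUTPUT] : print the USER column of the line whose
# last field is exactly PACKAGE. An exact match matters: a prefix match on
# com.google.android.gm would also hit any package with a longer name.
# Without PS_OUTPUT the live 'ps' output on the device is used.
uid_for_package() {
    pkg="$1"
    out="${2:-$(ps)}"
    printf '%s\n' "$out" | awk -v pkg="$pkg" '$NF == pkg { print $1; exit }'
}

# numeric_uid NAME : map app_N to 10000+N (Android's AID_APP base). A value
# that is already numeric, or any other name, is passed through unchanged.
numeric_uid() {
    case "$1" in
        app_*) n="${1#app_}"; echo $((10000 + n)) ;;
        *)     echo "$1" ;;
    esac
}

# nat_rule ACTION UID [HOST] [IFACE] [PORT] : print the iptables command.
# ACTION is -A to add the rule and -D to delete the identical rule afterwards.
# The owner match comes before -j so only that uid's connections are diverted;
# socat's own upstream connections run as a different uid and fall through.
nat_rule() {
    action="$1"; uid="$2"
    host="${3:-android.clients.google.com}"
    iface="${4:-wlan0}"; port="${5:-8443}"
    printf 'iptables -t nat %s OUTPUT -o %s -p tcp --dport 443 -d %s -m owner --uid-owner %s -j DNAT --to-destination 127.0.0.1:%s\n' \
        "$action" "$iface" "$host" "$uid" "$port"
}

# rule_for_package PACKAGE [PS_OUTPUT] : the whole lookup in one step; prints
# nothing and fails if the package is not running.
rule_for_package() {
    u=$(uid_for_package "$1" "$2")
    [ -n "$u" ] || return 1
    nat_rule -A "$(numeric_uid "$u")"
}
```

On the device, `rule_for_package com.google.android.gm` prints the add command and `nat_rule -D 10032` prints the matching cleanup. Two caveats the page does not spell out: `-d android.clients.google.com` is resolved when the rule is inserted, so only the addresses returned at that moment are matched (iptables inserts one rule per address), and an app that later connects to a different address for the same name will bypass the proxy unnoticed; and the uid match is what keeps socat's own outgoing connection to the real server from being redirected back into the proxy, so do not drop it when adapting the rule.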

After this, you can use various Google apps and watch the traffic print out in the logs (use logcat to see them).
