In a recent penetration test of a large bank, I was able to transfer money to any account and change any customer's ATM debit card PIN with no authentication through the bank's API servers the mobile application communicates with. While I was able to successfully reverse engineer the Android app using MobSF, I wasn't so successful in finding the numerous POST and GET requests the mobile app uses when communicating with the bank.

An HTTP POST is a type of HTTP request that instructs the receiving web server to accept and store the contents found in the body of the HTTP request, oftentimes a file upload or user input to the fields of a web form.

Thus began my adventures into finding a more creative way of finding the correct API calls manually by intercepting the traffic between the bank's app running on my iPhone and the bank's API server. Once I had all of the numerous strings passed between my mobile phone and the bank's API server snagged in mitmproxy, I was able to then load the POST requests, complete with the expected HTTP header fields, into Postman, an API client capable of sending requests to an API server and allowing the user to inspect the response for further analysis or debugging.

Wireshark is shown here in this article to provide evidence of the captured network traffic after successfully setting up my iMac to capture my iPhone's traffic. Mitmproxy was used as the SSL person-in-the-middle (PITM) tool to decrypt the SSL traffic. While Wireshark cannot be used to inspect SSL/TLS encrypted traffic leaving your phone, it is important to use in a penetration test to confirm the mobile app is not sending any sensitive data unencrypted over HTTP.
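The check mentioned above, confirming that the app sends nothing sensitive over plain HTTP, as an added example that is not from the original post: it scans raw request text of the kind Wireshark's Follow TCP Stream shows. The sample captures, the `example.invalid` host and the list of sensitive field-name tokens are all constructed assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Field-name tokens that should never travel unencrypted (assumed list; tune per app).
SENSITIVE_KEYS = {"pin", "password", "passwd", "account", "card", "ssn", "token", "otp"}

def parse_request(raw: str) -> dict:
    """Split a raw HTTP request (as shown by Follow TCP Stream) into target, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ")[1]          # request-target, may carry a query string
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"target": target, "headers": headers, "body": body}

def extract_fields(req: dict) -> set:
    """Collect field names from the query string and a form-encoded or JSON body."""
    fields = set(parse_qs(urlsplit(req["target"]).query, keep_blank_values=True))
    if "json" in req["headers"].get("content-type", ""):
        try:
            data = json.loads(req["body"])
        except ValueError:
            data = {}
        fields |= set(data) if isinstance(data, dict) else set()
    elif req["body"]:
        fields |= set(parse_qs(req["body"], keep_blank_values=True))
    return fields

def sensitive_over_plaintext(raw: str, tls: bool) -> list:
    """Return the sensitive field names if the request did not travel over TLS."""
    if tls:
        return []
    fields = extract_fields(parse_request(raw))
    # Match on name tokens so card_number and new_pin are caught but amount is not.
    return sorted(f for f in fields if SENSITIVE_KEYS & set(re.split(r"[_\-]", f.lower())))

# Constructed sample captures, not real bank traffic; tls=False models a port-80 stream.
CAPTURES = [
    ("POST /api/card/pin HTTP/1.1\r\nHost: example.invalid\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\ncard_number=4111&new_pin=1234", False),
    ("POST /api/transfer HTTP/1.1\r\nHost: example.invalid\r\n"
     'Content-Type: application/json\r\n\r\n{"account": "123", "amount": 10}', True),
    ("GET /api/status?token=abc HTTP/1.1\r\nHost: example.invalid\r\n\r\n", False),
]

def audit(captures=CAPTURES) -> dict:
    """Map each leaking request path to the sensitive fields it sent in plaintext."""
    return {urlsplit(parse_request(raw)["target"]).path: leaked
            for raw, tls in captures if (leaked := sensitive_over_plaintext(raw, tls))}
```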