![]() I believe the security of WhatsApp should be very high, since they had few nasty security incidents and they are kinda high-profile organization with a large user base and they take security in a serious way. ![]() Well, your best bet is to hire a capable penetration testers for the application security assessment. Not intending to implement a login mechanism) Malicious user cannot steal the identity of a legitimate user. That works in a similar way and we are trying to make sure that a My organization is considering implementing a messaging application Mechanism sent from the device identifying the user in front of the User (seeing as there is no actual login - Is there a cookie/another Prevent a malicious user to fetch the chat history of a legitimate I am specifically interested in understanding how the Whatsapp If that doesn't work, you can always revert to method swizzling. IOS has several mechanisms, the one I use is through Snoop-it framework. Otherwise, there's most likely implementation bug in certificate checking ) Unless there's a own implementation of ceritificate check, this is going to work. Both require root, thought.įor Android there's a Cydia Substrate extenstion called SSL Trust Killer which works by intercepting certain calls and modifiyng them to return true during validation. Yes, certificate pinning can be bypassed on both major platforms. 1 I see that Prox圜ap supports chains, but I cant get it to work. ![]() If the application uses certificate pinning, is there still a way to You can redirect all the trafic to gateway of your choosing, but as long as the protocol is encrypted I believe that will be not much of the use to you. For other protocols - well, that depends. You don't need rooted device for HTTPS sniffing, all you have to do is set up proxy and a trusted certificate. But it would take a lot of time.Īre you sure it's really other protocol than HTTPS on non-standard port?ĭoes the device on which the application is installed need to be I haven't really seen any other protocols using SSL/TLS suites in apps, but I would either try to reverse engineer the app to get to the protocol or try to get the encryption keys and decrypt the traffic. Not necessarily work, but - How do I get the traffic to even reach theįor classic HTTPS you should use Burp/Zap/mitmproxy as there're no better alternatives I know of. Intercepting them with BURP/ZAP/Fiddler or any other HTTP proxy will Over SSL? The communication protocol is not necessarily HTTP/S so What is the best way to analyze requests sent by a mobile application (we are not intending to implement a login mechanism) My organization is considering implementing a messaging application that works in a similar way and we are trying to make sure that a malicious user cannot steal the identity of a legitimate user. what mechanism do they have in place to prevent a malicious user to fetch the chat history of a legitimate user (seeing as there is no actual login - Is there a cookie/another mechanism sent from the device identifying the user in front of the server?) I am specifically interested in understanding how the Whatsapp security model works - i.e. If the application uses certificate pinning, is there still a way to do this? I've read some material here relating to similar subjects but I couldn't find description of a complete flow I could follow to actually perform this task.ĭoes the device on which the application is installed need to be rooted for me to perform this task? How do I get the traffic to even reach the proxy? The communication protocol is not necessarily HTTP/S so intercepting them with BURP/ZAP/Fiddler or any other HTTP proxy will not necessarily work, but. Is there some way of bypassing that pin requirement to install this cert, of some way to actually set a pin so it will install? Or is there another method of installing a cert in BlueStacks?Įdit: Quick update, got this working using an app called Root Certificate Manager, I was able to install the pem right from Windows (requires root).What is the best way to analyze requests sent by a mobile application over SSL? and when I try to create a pin/password/pattern for locking the device, it doesn't seem to get saved so the cert never gets installed. I tried going to and clicking the Android option for the cert but it requires a pin or passcode for the credential storage. Mitmproxy has an internal site you can go to that will attempt to install the cert on the device. ![]() The Security settings don't exist in BlueDtacks so I can't install it there. I'm using mitmproxy with Prox圜ap and in order to view https traffic you need to install a cert from mitmproxy on the "android device". I'm having a little issue figuring out how to get a cert installed in Bluestacks.
0 Comments
Leave a Reply. |