Sniffing HTTP and HTTPS traffic to understand app protocols

I needed to understand the protocol between an iPhone application and the server. There was no written documentation and the company that owned the application wanted me to build something based on the protocol.

The first thing I tried was using squid as a proxy to intercept the protocol between the iPhone application and the server (click the info icon on the WiFi connection and set the HTTP proxy to the IP and port where the proxy runs on the machine that does the sniffing).

This almost worked. Almost, because squid was not able to proxy the HTTPS traffic to Facebook, and the application has to complete that Facebook exchange before it connects to the application server.

So, at this point I installed mitmproxy, a man-in-the-middle proxy that can sniff both HTTP and HTTPS traffic.
To sniff HTTPS traffic, mitmproxy terminates the TLS connection itself: towards the client (the iPhone application in this case) it presents a fake Facebook certificate, and towards Facebook it opens its own connection, as if it were the original client.

For the client to accept the fake Facebook certificate, it has to be both known to mitmproxy and installed as a trusted certificate on the device.

For the certificate to be known to mitmproxy, it has to be created and passed as a parameter. This is achieved as follows (thanks to Nathan):

> openssl genrsa -out fake_facebook_ca.key 2048
> openssl req -new -x509 -key fake_facebook_ca.key -out fake_facebook_ca.crt

   ... No need to fill out optional fields ...
   Common Name (eg, YOUR name) []:*.facebook.com  (domain you want to MITM here)
   ...

> cat fake_facebook_ca.key fake_facebook_ca.crt > fake_facebook_ca.pem
> mitmproxy --cert=fake_facebook_ca.pem

However, the above is not enough, since the client also has to trust this fake certificate. To do that, send the fake_facebook_ca.crt file as an email attachment and open the attachment on the iPhone running the application you want to sniff. You’ll be prompted whether you authorise installing and trusting this certificate. After confirming, open the application and you’ll be able to sniff the entire HTTP/HTTPS session on the mitmproxy console.
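Once the session is visible on the console, the remaining job is turning it into a description of the undocumented protocol. The following is an added example, not part of the original post: a mitmproxy script addon (run as `mitmdump -s inventory.py`, a file name I chose) that folds every captured exchange into an inventory of endpoints, status codes and JSON field names. The flow attribute names are mitmproxy's own; the sample flows at the bottom are constructed so the script also runs offline.

```python
import json
import re
from collections import defaultdict
from types import SimpleNamespace

# Segments that look like object ids fold into "{id}", so /users/12345 and /users/67890 are one endpoint.
_ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{16,}|[0-9a-f-]{36})$", re.I)
# endpoint -> observed status codes and top-level JSON keys in each direction
inventory = defaultdict(lambda: {"statuses": set(), "request_keys": set(), "response_keys": set()})

def endpoint_key(method, host, path):  # "METHOD host/normalised/path", query string dropped
    path = path.split("?", 1)[0]
    parts = ["{id}" if _ID_SEGMENT.match(p) else p for p in path.split("/")]
    return f"{method} {host}{'/'.join(parts)}"

def json_keys(content):  # top-level keys of a JSON object body, [] for anything else
    try:
        obj = json.loads(content or b"")
    except ValueError:
        return []
    return sorted(obj) if isinstance(obj, dict) else []

def response(flow):  # mitmproxy hook: called once per completed HTTP/HTTPS exchange
    req, resp = flow.request, flow.response
    entry = inventory[endpoint_key(req.method, req.host, req.path)]
    entry["statuses"].add(resp.status_code)
    entry["request_keys"].update(json_keys(req.content))
    entry["response_keys"].update(json_keys(resp.content))

def summary(flows=None):  # sorted plain-dict inventory; pass flows to rebuild it offline
    if flows is not None:
        inventory.clear()
        for flow in flows:
            response(flow)
    return {k: {f: sorted(v) for f, v in e.items()} for k, e in sorted(inventory.items())}

def done():  # mitmproxy hook, runs at shutdown: the printed inventory is the protocol doc
    print(json.dumps(summary(), indent=2))

def _flow(method, host, path, req_body, status, resp_body):  # constructed stand-in for HTTPFlow
    return SimpleNamespace(request=SimpleNamespace(method=method, host=host, path=path, content=req_body),
                           response=SimpleNamespace(status_code=status, content=resp_body))
SAMPLE_FLOWS = [  # constructed sample traffic, not captured from any real app
    _flow("POST", "api.example.com", "/v1/login", b'{"fb_token":"x","device":"iphone"}', 200, b'{"session":"s1"}'),
    _flow("GET", "api.example.com", "/v1/users/12345?fields=name", b"", 200, b'{"name":"a","friends":[]}'),
    _flow("GET", "api.example.com", "/v1/users/67890", b"", 404, b'{"error":"not found"}'),
]
if __name__ == "__main__":  # run directly (not under mitmdump) to see the demo output
    print(json.dumps(summary(SAMPLE_FLOWS), indent=2))
```

Because the inventory is sorted, saving it after each test run and diffing the files shows exactly which new endpoints or fields an app feature exercises.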
