3

I would like to set up a testing environment for smartphone and tablet apps that can intercept 3g/4g communications and provide a traffic dump. I'd like to see all the 3g/4g traffic coming from, or going to, the device.

Wireless connections are straight forward because I can set up a proxy somewhere in the comms chain but I'm not sure whether this is possible for mobile connections over 3g/4g.

It's important that the smartphone doesn't realise that it is being proxied as this may affect the behaviour of any application I am testing so I need some way of intercepting (proxying?) the cellular traffic without using any on-board proxy settings.

Is this possible?

David Scholefield

4 Answers

2

Most devices can have a proxy set on them which would be invisible to the application. Personally I use ProxyDroid (or similar) on Android and iptables on iPhone. Your devices may need to be rooted (and any apps patched to avoid root detection). You will also come up against certificate pinning like you would over a WiFi connection and will have to patch the application to bypass this (unless you have the private key for the target's SSL cert, which is unlikely unless you are the sysadmin for the target server).

Over a 3G / 4G connection, you would need to run your proxy server on a machine with a public facing IP address - VPS servers are useful for this.

Alternatively you may be able to get the phone to VPN into a network that you control and pass it fake DNS information using DNSMasquerade or similar - you can set up a server with your proxy operating on ports 80 and 443 and give the IP to that server as the response to any DNS request made by the phone. (some more complicated layer 3 routing may need to be done if the App uses IP addresses directly)

You can't transmit / receive data on the radio bands allocated to 3G / 4G under most jurisdictions due to wireless telegraphy laws. If you want to spoof a 3G / 4G network without violating any laws, you could set up a Faraday cage (use a certified commercial solution), set up your own base station using an SDR and OpenBTS or similar, and sniff / proxy the traffic from the role of the mobile network operator (any GSM / UMTS / 4G encryption on the channel will be done using your parameters, but you will still have to MitM any higher-layer (HTTPS etc.) traffic). This works in most cases, though check with local laws / an experienced lawyer in your jurisdiction first. The hardware to do this can be expensive.

Using a hacked commercially available femtocell may be a simpler way to do this, though this probably still violates many laws and most likely your user agreement with the network operator. Proceed with caution. MNOs actively monitor attempts to circumvent protections on their devices and employ third party consultants to try and break their security. Some may use VPN connections back to the MNO, though I have not examined enough to fully confirm or deny this. A past example of this approach is here, though note that you will still need to break the HTTPS encryption / tell your device to send the traffic to a proxy. Hosting your proxy server on a public IP address or using your own VPN is probably a much simpler (and legally safer) approach. https://www.nccgroup.trust/globalassets/newsroom/us/blog/documents/2013/femtocell.pdf

Stu W
  • OK, so if I VPN the traffic the 3g provider will send *all* traffic to my VPN endpoint? i.e. there will be a precise copy of traffic and no change/removal/addition of the data payload of the packets? Because the first 'hop' is to the 3g network endpoint, how do I know whether the data is being changed between there and my VPN endpoint? Or do I just assume that the carrier company will not fiddle with the data payload? – David Scholefield Nov 16 '16 at 09:49
  • If the app is using HTTPS to connect to its API / server then you can verify that the HTTPS data is signed using the SSL certificate of your MiTM proxy and you do not get SSL errors on the phone after installing the Root CA. On a rooted / jailbroken device you could use tcpdump to inspect the packets and check that they are the same as the packets you receive at the other end. I cannot guarantee that you will get everything that the phone sends (imagine the phone and network could exchange control data outside the VPN), though you should be able to get everything sent from any apps / browsers. – Stu W Nov 16 '16 at 10:00
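The VPN-into-your-own-network setup described in the answer above, written out as an added example (this is not code from the answer or from any tool it names). Everything here is an assumption chosen for illustration: the phone's VPN tunnel terminates on a Linux gateway whose tunnel interface is tun0 with address 10.8.0.1, the gateway's upstream interface is eth0, the VPN pushes 10.8.0.1 as the phone's DNS server, and a transparent-capable TLS-intercepting proxy such as mitmproxy in transparent mode listens on TCP 8080 on the gateway. Because the gateway is the phone's default route, the iptables REDIRECT catches HTTP(S) whether the app used a hostname or a raw IP, which covers the "layer 3" case the answer mentions; dnsmasq only forwards and logs queries so you can see every name the app resolves.

```shell
#!/bin/sh
# Added example, not from the original answer. All interface names, addresses
# and ports are assumptions for illustration; override them via the environment.
set -eu

VPN_IF="${VPN_IF:-tun0}"          # assumed VPN tunnel interface on the gateway
OUT_IF="${OUT_IF:-eth0}"          # assumed upstream (internet-facing) interface
GW_IP="${GW_IP:-10.8.0.1}"        # assumed gateway address inside the tunnel
PROXY_PORT="${PROXY_PORT:-8080}"  # assumed transparent proxy port (e.g. mitmproxy)
UPSTREAM_DNS="${UPSTREAM_DNS:-9.9.9.9}"
DUMP_FILE="${DUMP_FILE:-/var/tmp/phone-$(date +%Y%m%d-%H%M%S).pcap}"

# dnsmasq config: the phone's queries arrive on the tunnel, are logged, and are
# forwarded to a real resolver so the app still gets real answers. The proxy
# then learns the real destination from SO_ORIGINAL_DST after the REDIRECT.
dnsmasq_config() {
    cat <<EOF
interface=${VPN_IF}
bind-interfaces
listen-address=${GW_IP}
no-resolv
server=${UPSTREAM_DNS}
log-queries
log-facility=/var/log/dnsmasq-phone.log
EOF
}

# iptables rules, one per line. REDIRECT in nat/PREROUTING catches port 80/443
# from the tunnel before routing, so it also catches connections made directly
# to IP addresses. Everything else is NATed out so the phone keeps working.
iptables_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${VPN_IF} -p tcp --dport 80 -j REDIRECT --to-ports ${PROXY_PORT}
iptables -t nat -A PREROUTING -i ${VPN_IF} -p tcp --dport 443 -j REDIRECT --to-ports ${PROXY_PORT}
iptables -t nat -A POSTROUTING -o ${OUT_IF} -j MASQUERADE
iptables -A FORWARD -i ${VPN_IF} -o ${OUT_IF} -j ACCEPT
iptables -A FORWARD -i ${OUT_IF} -o ${VPN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Full-packet dump of the tunnel interface: everything the phone sends through
# the VPN, captured before NAT and before the proxy touches it.
tcpdump_cmd() {
    printf 'tcpdump -i %s -s 0 -w %s\n' "$VPN_IF" "$DUMP_FILE"
}

# Apply for real (root required). Kept separate so the generated config and
# rules can be reviewed first with "show".
apply_gateway() {
    sysctl -w net.ipv4.ip_forward=1
    dnsmasq_config > /etc/dnsmasq.d/phone-intercept.conf
    iptables_rules | while read -r rule; do sh -c "$rule"; done
    systemctl restart dnsmasq
    echo "Now run: $(tcpdump_cmd)"
}

case "${1:-show}" in
    show)  dnsmasq_config; echo; iptables_rules; echo; tcpdump_cmd ;;
    apply) apply_gateway ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to print the dnsmasq file, the rules and the tcpdump command, and with `apply` on the gateway once they look right. The proxy's root CA still has to be installed on the device and pinning still has to be patched out, exactly as the answer says; the gateway only gets the bytes to the proxy without any on-phone proxy setting. If you prefer the answer's variant of answering every DNS query with the proxy's address, replace the `server=` line with `address=/#/${GW_IP}`, but then the proxy has to pick its upstream from the Host header or SNI rather than from the original destination address, because that address will always be the gateway.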
1

You can get in touch with a mobile carrier and see if they provide private APNs. Those will send you all the traffic from the SIMs to you through a VPN tunnel, and are designed for companies to be able to put their employees' mobile devices on the corporate network without using an on-device VPN client (I can't believe someone is crazy enough to trust a mobile carrier with full access to the company network, but I guess since they have such plans there must be customers for it).

Look into the smaller providers and MVNOs, in most cases you could get a better price.

André Borie
  • By the way, if you're in the UK and are still looking for a solution feel free to get in touch (email on my user profile), I can provide you with such SIMs immediately at a reasonable price, you'll just need some kind of VPN server I can send the traffic to. – André Borie May 05 '17 at 07:08
0

In order for you to redirect traffic to a proxy you will need a network end point you control. In this situation it sounds like you only have control over the device and so the proxy will have to be somewhere in the device. You have two options for this:

  1. Local proxy - You can set up a proxy on the phone, a great app for this is Packet Capture.
  2. Proxy - Set up a proxy on any server and set the settings of the phone to work through the proxy you set up.
Bubble Hacker
  • Because it is possible to buy a '3g repeater' from some of the 3g network providers (plug it into your wifi but it appears to the phone as a 3g mast) I was wondering whether something like this was possible and whether anyone had tried using it for this kind of purpose. I don't want to use a proxy setting or app on the phone because I don't want the device/app to know it is being proxied. Malware is becoming very sophisticated and will sometimes behave differently if it thinks some kind of white-hat testing is taking place. Hence the requirement for no on-phone/tablet setting being involved. – David Scholefield Nov 16 '16 at 09:34
  • What you can do is put up a micro cell and force your phone to connect through your cell and then monitor all traffic. You can find an open source micro cell here - http://openbts.org/. – Bubble Hacker Nov 16 '16 at 09:39
0

Nowadays, implementing an LTE base station is possible (as said by other people on this thread) but it's quite expensive, since the hardware to handle the frequencies and bandwidth used in 3G/4G is (see HackRF One and other kinds of devices).

If you want to do black box testing on smartphone apps, you may take a look at emulators (such as the one provided in the Android SDK, for example).

binarym