
For an Android application that is performing POST requests (JSON) over SSL and receiving a JSON object as a response, how difficult is it to get the JSON response?

Is the easiest way to decompile the application to get the request and send it and see what the response is?

What is the easiest way, and what are some techniques that can be used to make it more difficult?

  • "get the response" - do you mean "read the JSON data through unauthorised means"? – schroeder Jul 09 '18 at 12:33
  • SSL is not supposed to protect against an untrusted end-point, only against an untrusted network. – CodesInChaos Jul 09 '18 at 16:54
  • What do you mean by "to get the request and send it and see what the response is"? Anyone can mess with your endpoint without decompiling your app. All they would need to know is the endpoint URL. They would just have to look at network traffic while using your app to get it. They could find POST request info pretty easily as well. No decompile needed. – Tim Jul 09 '18 at 23:50

It all depends on the application itself and what kind of security measures are implemented. Assuming requests are sent over HTTP(s), then the easiest way is to use a proxy such as Burp. You will need to install a CA certificate on your mobile device. You'll be able to see requests & responses in the proxy software (Burp).

APP <----> proxy <----> server

If the application is using SSL/TLS pinning, then the above solution will not work out of the box. Some function(s) will perform additional checks on the certificate; you will need to tamper with such function(s) in order to bypass it. Generally there are two ways:

  1. Patch the application in order to remove the SSL/TLS pinning. This usually requires unpacking, editing, repacking and resigning the app. Quite tiresome if you ask me.
  2. Hook the SSL/TLS pinning logic and disable such logic. Frida is a pretty cool tool for this (multi-platform), Substrate on iOS and Xposed on Android.

A second solution is to not use a proxy at all! Usually an HTTP client library is being used to perform such requests. You can hook HTTP request functions and print the content directly.

APP <----> server
^-> hooked functions which print the requests

The second solution can be useful when the app is not using standard HTTP requests. Some apps use binary protocols such as gRPC; it would be easier to hook the myclient_post(jsonData) function and print the parameters + response than to reverse engineer the binary protocol, set up a proxy, etc...

Some links which might be useful:

  • A minor addendum -- Android itself comes with an HTTP library, so that's likely what'll be used, which makes it somewhat easier. Or, at least, once you've patched it to your liking for one app, it's likely to be applicable more widely. – Nic Jul 09 '18 at 23:55
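As an added example (not code from the question or the answer above), the defensive side of what the answer describes: an Android OkHttp client with certificate pinning configured, which is the setting that makes the plain Burp-proxy approach fail and forces an attacker onto the patching or hooking routes the answer lists. The host name, URL path and pin values are placeholders, not real ones.

```java
import java.io.IOException;
import okhttp3.CertificatePinner;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

public class PinnedJsonClient {
    // Placeholder host and SPKI pins: real values come from the server's own
    // certificate chain. Two pins so one key can be rotated without breaking clients.
    private static final String API_HOST = "api.example.com";
    private static final String PIN_PRIMARY = "sha256/REPLACE_WITH_BASE64_SPKI_HASH_PRIMARY=";
    private static final String PIN_BACKUP  = "sha256/REPLACE_WITH_BASE64_SPKI_HASH_BACKUP=";

    // Weak: a default client trusts every CA the device trusts, so a proxy such as
    // Burp whose CA has been installed on the device sees the JSON in clear.
    static OkHttpClient unpinnedClient() {
        return new OkHttpClient();
    }

    // Pinned: the TLS handshake fails unless a certificate in the server chain
    // matches one of the pinned SPKI hashes, so an installed proxy CA alone is not
    // enough. As the answer notes, this check runs inside the app process and can
    // still be patched or hooked; it raises the cost, it is not an absolute barrier.
    static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_PRIMARY)
                .add(API_HOST, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    // POST a JSON body and return the JSON response as a string.
    static String postJson(OkHttpClient client, String json) throws IOException {
        RequestBody body = RequestBody.create(json, MediaType.get("application/json; charset=utf-8"));
        Request request = new Request.Builder()
                .url("https://" + API_HOST + "/v1/login")   // placeholder path
                .post(body)
                .build();
        try (Response response = client.newCall(request).execute()) {
            // With pinnedClient(), a pin mismatch surfaces here as
            // javax.net.ssl.SSLPeerUnverifiedException before any body is sent.
            return response.body() != null ? response.body().string() : "";
        }
    }
}
```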