0

I tried to reverse engineer an Android APP using MITMProxy, and the Server responds with an unauthenticated-error.

If the whole authentication would be using headers (Basic, etc...), the Proxy should forward those headers. And it does forward the API-Key-Header.

Yet, the handshake seems to fail.

Would could cause that error?

The only thing i can imagine is a client-side SSL-certificate, which gets replaced by the Proxy, but i fail to find any code setting that certificate...

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
Daniel D.
  • 11
  • 1
  • 1
    Make a packet capture using Wireshark without the proxy being involved. Have a look at the TLS handshake if there is a certificate send by the client or not. Then you know if it might be because of a client certificate or not. – Steffen Ullrich Apr 23 '19 at 16:34
  • Are there any other possibilities of a header-less authentication besides that? – Daniel D. Apr 23 '19 at 16:37
  • The server might for example specifically detect interception by comparing the TLS fingerprint of the client with the expected one. This is not authentication itself, but done in addition to authentication in order to make reverse engineering harder. – Steffen Ullrich Apr 23 '19 at 17:23
  • Have you checked the session ciphers? The server might refuse to process any authentication requests if those aren't done with the ciphers the app under normal circumstances is capable of. – ximaera Apr 23 '19 at 22:40
  • Also, the client could possibly detect you are using a proxy and send some other data than what you expect. – rugk Apr 24 '19 at 20:46
  • i checked with wireshark, there are indeed no client certificates involved...how is the TLS fingerprint generated? Can i copy the apps behavious in python? – Daniel D. Apr 27 '19 at 20:09

1 Answers1

1

I figured it out! The app was using a service called Approov, which was a third party service generating a new token every five minutes to prevent third party apps from accessing a protected ressource.

Took a while to get around it, but at least i learned something new.

Daniel D.
  • 11
  • 1