
I am testing Mobile Device Management.

Here, the Admin needs to publish WiFi configurations (SSID, Password, Security Type etc.) to the mobile over the air. So what should the approach be for sending the WiFi password to the device? (i.e. it should be encrypted on the server and decrypted on the device)

When I intercepted the request in Burp, I was able to see the WiFi password in plain text, but the developers are saying it is okay because HTTPS was used.

What are the other ways if the developer doesn't encrypt the WiFi password?

  • What are you trying to protect yourself from? Why do you think HTTPS is not secure enough? – Jun 20 '19 at 11:37
  • @MechMK1, I am trying to protect from a MITM attack. Also, if the traffic is ever sniffed (via breaking HTTPS), at least the clear-text password doesn't leak. – Chacha Jun 20 '19 at 12:03
  • How do you plan on "breaking HTTPS"? – Jun 20 '19 at 12:11
  • That's a different scenario; any idea about my scenario? – Chacha Jun 20 '19 at 13:06
  • I don't understand what the threat is you are trying to protect yourself from. – Jun 20 '19 at 13:39
  • I am trying to prevent a MITM from sniffing the wifi password, which can be done with Burp Suite. I am trying to protect the wifi password the same way as the post-login request, in which the hashed password is shown to the MITM. – Chacha Jun 20 '19 at 15:17
  • How did you use Burp? Did you run it on the mobile device that was receiving the configuration? Or on another machine? – schroeder Jun 20 '19 at 17:07
  • Are you asking what you can do as an admin if the password is sent in plaintext? There is nothing you can do. – schroeder Jun 20 '19 at 17:09
  • So... you basically want to save the configuration profile of a network on a server, share it securely to the user's phone? Then they... "install the profile" so they can then connect to that network? What's wrong with just sharing the password and connecting to the network, or an enterprise connection with domain user/password, EAP-TLS, RADIUS server, etc.? – Azteca Jun 20 '19 at 21:12
  • Yes, I want to share the configuration on the phone and that configuration will be installed on the device. But the question is, when we intercept the server request through Burp, we see the wifi password in plain text, so do we need to encrypt the password? – Chacha Jun 21 '19 at 01:19
  • Possible duplicate of [If the Charles SSL Proxy shows me sensitive data, is that data insecure/exposed?](https://security.stackexchange.com/questions/210356/if-the-charles-ssl-proxy-shows-me-sensitive-data-is-that-data-insecure-exposed) – Jun 21 '19 at 07:59
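The "encrypt on the server, decrypt on the device" scheme the question asks about, as an added example (not code from the question, the comments or any MDM product): the serialized WiFi profile is encrypted to an X25519 public key the device generated at enrollment, so the HTTPS body an intercepting proxy displays contains only ciphertext. The context label, the Envelope layout and a single SHA-256 in place of HKDF are assumptions made to keep the example short.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is what travels inside the HTTPS body: the server's one-time X25519 public key (also bound
// as GCM associated data, so swapping it in transit breaks decryption), a nonce and the ciphertext.
type Envelope struct{ EphemeralPub, Nonce, Ciphertext []byte }
// aead derives AES-256-GCM from the X25519 shared secret (one labelled SHA-256 for brevity; HKDF in production).
func aead(secret []byte) cipher.AEAD {
	key := sha256.Sum256(append([]byte("mdm-wifi-profile-v1:"), secret...)) // hypothetical context label
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)    // cannot fail for an AES block
	return gcm
}
// Seal runs on the server: a fresh ephemeral key pair per push, encrypted to the key the device enrolled with.
func Seal(devicePub *ecdh.PublicKey, profile []byte) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	secret, err := eph.ECDH(devicePub)
	if err != nil {
		return Envelope{}, err
	}
	gcm := aead(secret)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	return Envelope{ephPub, nonce, gcm.Seal(nil, nonce, profile, ephPub)}, nil
}
// Open runs on the device with the private key it generated at enrollment; any tampering yields an error.
func Open(devicePriv *ecdh.PrivateKey, env Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	secret, err := devicePriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return aead(secret).Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}
```

This protects against a proxy that terminates the HTTPS connection, not against inspection on the enrolled device itself: on a device the user controls, the private key is reachable too, so the protection is bounded by the device's key storage, which is what schroeder's question about where Burp ran gets at.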

0 Answers