Network Analysis With ProxyDroid, BurpSuite, and Hipster Dog

My last post gave an overview of some options to set up your environment for Android network analysis. Of the winners that I pointed out, my personal favorite way to do an assessment (depending on the app) is to use ProxyDroid to forward network traffic to BurpSuite’s proxy.

In the examples below, I’m showing how to get set up with the tools so that you can analyze Instagram’s network traffic.

ProxyDroid

ProxyDroid is a free app on the market, or you can check out the open source version and compile it yourself over here. It’s a bunch of proxy tools wrapped up into an Android app that gives you a really simple way to tunnel traffic to an endpoint. You’ll need root access to get it to work, so that’s the main requirement to get started. Why this is cool:

  • Easily tunnel all network traffic, including data normally sent over the radio
  • Target an individual app instead of an entire device
  • Get set up and running in minutes

We’re setting up my Galaxy Nexus to connect over WiFi and tunnel to another computer on the network. That computer is 192.168.1.146. The assumption is that you have a wireless network that allows clients to connect to each other.

The first thing is to set your host to the computer running Burp Suite. For me it’s 192.168.1.146.

Set your port. Burp’s default is 8080.

Under the “Feature Settings” of the app you have two options for what you want to MiTM: a “Global Proxy” or an “Individual Proxy,” meaning the whole phone or a single app. The beauty behind this is that it’s just using iptables to make rules based on the UID given to the app. Anyways, choose the app you want to analyze:

You can give it a profile since you may be coming back to it later but that’s really all you have to do besides hitting the “Proxy Switch” button. When you do, you’ll see a connecting alert appear and a request for root access.

 

BurpSuite

Now get BurpSuite set up. If you’ve never done this, I’m sure there are a ton of other posts that will explain it, so I’m going to assume you have at least used BurpSuite as a proxy before. The only difference here is that because Android does not officially support global proxies such as ProxyDroid, SSL connections are going to be a problem. Our resident SSL guru, Sid, can explain this. The reason is that the HTTP CONNECT command, normally associated with HTTP proxies, is changed from including the hostname (instagram.com) to just the IP address. This is also the reason that when you see the traffic show up in BurpSuite, it only shows the IP as the target. We’ll come back to this.

The first thing to do is install Burp’s CA onto the device. With ICS, this couldn’t be easier. If you have to do this on Gingerbread or earlier, you’ll have to do it the old way.

The easiest way that I know to pull the BurpSuite CA is to use a browser and just export it. If that doesn’t make sense, read this.

Add that CA to your device or emulator. In short, transfer the Portswigger file you just exported to the device you’re using for testing and import it through the Security Settings. Check out this post for details.

Now open up Burp and make sure Burp’s proxy is listening on the LAN IP and not just the loopback (192.168.1.146 for this example).

This is the step that a lot of people get lost on. You can’t use the default “Generate CA-signed-per-host certificate” in Burp Proxy. As discussed above, you have to explicitly put in the hostname that it’s connecting to. If you don’t know the host that it’s connecting to over SSL, you’re going to have to either sniff the connection passively using a packet capture tool (Hint: check out DNS requests), or reverse the app and look for the host names inside the code. If you have an app that is making connections to different SSL hosts, you’re going to have to set up separate listeners. Here I’m going to MiTM the connections to instagram.com.
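The IP-only CONNECT problem from the last two paragraphs, as an added Python helper that is not part of the original post and not code from ProxyDroid or Burp: it builds an IP-to-hostname table from dig-style DNS answer lines (the passive-sniffing hint above) and uses it to work out which hostname each listener must present, and how many separate listeners you need. The answer lines and the RFC 5737 / RFC 3849 addresses in them are constructed sample data.

```python
"""Map the IP in a transparent-proxy CONNECT back to a hostname.

A normal proxy client sends `CONNECT instagram.com:443`; traffic
forwarded by ProxyDroid arrives as `CONNECT 192.0.2.10:443`, so the
proxy cannot choose a certificate from the request line alone.  This
helper fills the gap with IP -> name pairs learned from DNS answers.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Request line of an HTTP CONNECT: bracketed IPv6, or a plain host/IP.
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>\[[^\]]+\]|[^\s:\[]+)(?::(?P<port>\d+))?\s+HTTP/1\.[01]$"
)

# Constructed sample answers in `dig` format: name ttl class type rdata.
DNS_ANSWERS = [
    "instagram.com.\t300\tIN\tA\t192.0.2.10",
    "instagram.com.\t300\tIN\tAAAA\t2001:db8::10",
    "cdn.example.test.\t60\tIN\tA\t198.51.100.7",
    "instagram.com.\t300\tIN\tMX\t10 mail.example.test.",  # ignored
]


def is_ip_literal(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def parse_connect(request_line: str) -> Optional[Tuple[str, int]]:
    """Return (target, port) for a CONNECT line, None for anything else."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    return m.group("host").strip("[]"), int(m.group("port") or 443)


def learn_from_dns_answers(answer_lines: Iterable[str]) -> Dict[str, str]:
    """Build {normalized ip: hostname} from A/AAAA answer records."""
    table: Dict[str, str] = {}
    for line in answer_lines:
        fields = line.split()
        if len(fields) >= 5 and fields[3] in ("A", "AAAA") and is_ip_literal(fields[4]):
            table[ipaddress.ip_address(fields[4]).compressed] = fields[0].rstrip(".")
    return table


def hostname_for_connect(request_line: str, ip_to_host: Dict[str, str]) -> Optional[str]:
    """Hostname the TLS listener must present; None means 'go find it'."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return None
    target, _port = parsed
    if not is_ip_literal(target):
        return target  # hostname was in the CONNECT already
    return ip_to_host.get(ipaddress.ip_address(target).compressed)


def listeners_needed(ip_to_host: Dict[str, str]) -> List[str]:
    """One Burp listener per distinct SSL host seen in the DNS answers."""
    return sorted(set(ip_to_host.values()))
```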

If you’re successful, when you log into Instagram you’ll see the traffic show up.

Hurray! You’ve MiTM’d an Android app and now you can watch the traffic during an SSL session. Once you’ve gone through the setup once, it’ll take less than 5 minutes to set up again without any extra hardware besides sharing a wireless network.

Now you can intercept all Hipster Dog related traffic for analysis. Thanks rachelclee33 and bertmb for the pic.

Published date:  01 July 2012

Written by:  mmanning
