Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

Looking at Phone Apps

Recently I posted on Mastodon that the TikTok app was insecure and that I was surprised anyone in Infosec even loaded the app on their phones. A few short years ago I downloaded the APK for the TikTok app, decompiled it, and simply scanned through the app looking at the Manifest and the URLs embedded in it. After 5 minutes I deemed it a nightmare and did nothing else. I was not the only voice out there in Infosec-world talking about this. I don’t even remember too many details. I was just thinking okay, this uploads data to Chinese government monitored and regulated locations. I also have a bit of history with the PRC, so this only increased my wariness. In my defense, I had been looking at a lot of apps around the time I looked at TikTok, hence the lack of details specific to that particular app, as the only apps that stand out to me are the ones that don’t harvest personal data.

It’s not just the Infosec community: the US Government has gotten into the act of talking evil about TikTok, as have some state legislatures, as summarized in a recent Forbes article.

Check it yourself

In response to my Mastodon post, where people have asked for the details about TikTok, I’ve mentioned to people that I’ve done presentations on IoT devices and their apps as well as phones in general, and I even blogged about how to sniff traffic, so I promised to pull together some resources. Hence this blog post. In it are a few resources I recommend that I’ve personally had a hand in creating. If you don’t like them or feel they don’t go far enough, they will certainly provide enough fodder for Internet searches for more information. Yes, some of this stuff is a few years old, but it is still quite relevant. I still use the sniffing station regularly for all kinds of research.

While I could revisit TikTok, I do have a pretty full plate right now (plus really I need a new “burner” phone, as I won’t load this shit app on a phone I care about), so if you can’t wait, I’d encourage you to use the above resources and get to hacking.

Bypassing Certificate Pinning

I quickly reviewed those references above, and while most things seemed to be covered, I did not go into detail on how to get around certificate pinning, which you will need to do if you want to truly see what data is being gathered by TikTok or any other app. I’ve included those steps below. A warning in advance: every app is different, so you’ll have to do some digging and experimenting if you run into problems.

If you’re curious about what certificate pinning is, a quick summation is that it is a method which prevents an app on a phone from having its TLS sessions intercepted by an unauthorized third party. This is accomplished by embedding a certificate within the app; when the app is presented with the public key from a website, it is checked against the local certificate to ensure no third party has inserted their own key. And guess what? In this scenario, YOU are that third party. Follow this link for more information on certificate pinning.
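To make that check concrete, here is an added Python example (not code from the original post) of what a pinning check does: the app ships a SHA-256 hash of the server certificate’s DER bytes and, after the TLS handshake, compares the certificate the peer actually presented against that pin. The two certificate byte strings are constructed stand-ins, not real X.509 data, and `connect_pinned` is included only to show where the check sits relative to normal chain validation; it opens a real connection and is not exercised offline.

```python
import base64
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (NOT valid X.509): one for
# the legitimate server, one for a certificate an interception proxy would mint.
SAMPLE_PINNED_CERT_DER = b"-- constructed stand-in: legitimate server certificate --"
SAMPLE_INTERCEPT_CERT_DER = b"-- constructed stand-in: proxy-issued certificate --"


def pin_of(cert_der: bytes) -> str:
    """A pin is base64(SHA-256(DER)); the app stores this fingerprint rather
    than the whole certificate."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def cert_matches_pin(cert_der: bytes, pinned: set) -> bool:
    """The decision a pinning TrustManager makes: the presented certificate
    must hash to one of the pins baked into the app. Several pins are normal,
    since a backup pin is what lets the operator rotate certificates."""
    return pin_of(cert_der) in pinned


def connect_pinned(host: str, port: int, pinned: set, timeout: float = 5.0) -> bool:
    """Standard chain validation first, then the pin check on the leaf. A proxy
    whose CA the user installed as trusted passes the first step and fails the
    second, which is exactly why pinned apps stay opaque to a plain mitmproxy."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
            return cert_matches_pin(leaf_der, pinned)


# What ships inside the app: the pin of the legitimate certificate.
APP_PINS = {pin_of(SAMPLE_PINNED_CERT_DER)}

if __name__ == "__main__":
    print("legitimate cert accepted:", cert_matches_pin(SAMPLE_PINNED_CERT_DER, APP_PINS))
    print("proxy cert accepted:     ", cert_matches_pin(SAMPLE_INTERCEPT_CERT_DER, APP_PINS))
```

The rest of this post is about neutralising the `cert_matches_pin` step inside a rebuilt app; nothing about the TLS layer itself changes, which is why the traffic then shows up in mitmproxy as normal.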

You’ll need a setup like the MITM station I referenced above, which is basically a Linux system set up just to sit in the middle and sniff whenever you want to examine Wi-Fi traffic. Side note: you could set this up to sniff laptops (try a new laptop on first boot out of the box running Windows, and see all the utter crap!) and IoT devices in addition to phones, so hours of hacker fun.

The first thing is to use mitmproxy and try to sniff out the encrypted traffic. Follow the steps at the website and see if this alone will allow you to bypass certificate pinning. If you still can’t get to the data, read on, as you’re going to need to settle into your mom’s basement, adjust your indoor sunglasses and gray hoodie, and get busy.

Prerequisites

Review the sources above, as it helps to know the steps in advance. In the BSidesDFW talk I specifically cover the steps one must follow. However, for the cert pinning bypass there are a few tools you’ll need, so make sure you have apktool, adb, and OpenJDK (or JRE) so you have keytool and jarsigner, and you should be good. apktool gets you smali output instead of Java source code, and this is actually enough if all you want to do is bypass certificate pinning. If you wish to dive deeper and actually decompile, you’ll need something like JADX. If you need help installing any of these prerequisites, search online. There are plenty of resources, including entire blog posts and presentations on using these tools.

Download, Disassemble, Do stuff

Download the version of the APK you wish to experiment on from a reliable source - apkpure.com is fairly popular. As the APK file is basically a zip file, use apktool to unpack it:

claw:~ thegnome$ apktool d example.apk -o example_apk_out

In the output directory specified with -o, you’ll have the decompressed smali code. What you are looking for are the spots in the code that do the actual certificate pinning. Searching for things like “cert” and “pinning” is a good start; I’ve also looked for things like “Trusted” and “X509TrustManager”. Let’s say we search and find three methods called “checkClientTrusted,” “checkServerTrusted” and “getAcceptedIssuers.” Adding a “return-void” opcode before the first line of each of these three methods should essentially disable certificate pinning. If you’re unsure about adding the return-void, poke around in the code until you see how return-void is used, and just try it. Worst comes to worst, you end up with errors or it doesn’t work; just keep experimenting.

Reassemble the app like so:

claw:~ thegnome$ apktool b example_apk_out/ -o modified.apk

Generate a key with keytool to sign the app and then sign it with jarsigner:

claw:~ thegnome$ keytool -genkey -v -keystore my-key.keystore \
  -alias alias_name -keyalg RSA -keysize 2048 -validity 1000
claw:~ thegnome$ jarsigner -verbose -sigalg SHA1withRSA \
  -digestalg SHA1 -keystore my-key.keystore modified.apk

If you get the “Please specify alias name” error, add “alias_name” to the end of the jarsigner command. The 1000 is the number of days your signature is good for. Now you’re ready to install the apk onto the Android phone. Cable the phone to the computer’s USB port and do the following:

claw:~ thegnome$ adb install modified.apk

Now you can use mitmproxy on the sniffing setup and look at all of the traffic. This really helps verify exactly what an app is transmitting to whatever cloud host it is communicating with.
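Rather than reading raw flows by eye, a small mitmproxy addon can reduce each request from the phone to the facts that matter for this kind of review: which host got it, how big the body was, and which field names the body carried (a body with a “contacts” or “device_id” key is the finding; the values are the user’s data and are not logged). This is an added example, not part of the original post or of mitmproxy itself; the `AppTrafficLogger.request` and `done` methods are standard mitmproxy addon hooks, the bookkeeping is kept free of mitmproxy types so it runs offline, and the expected-host set and the sample request in the test are constructed placeholders.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs


def body_fields(content: bytes, content_type: str) -> list:
    """Name the fields a body carries without recording their values: the
    top-level keys of a JSON object or the parameter names of a form post.
    Anything unparseable (binary, protobuf, gzip) yields an empty list."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    try:
        if ctype == "application/json":
            data = json.loads(content.decode("utf-8"))
            return sorted(data.keys()) if isinstance(data, dict) else []
        if ctype == "application/x-www-form-urlencoded":
            return sorted(parse_qs(content.decode("utf-8"), keep_blank_values=True).keys())
    except (ValueError, UnicodeDecodeError):
        pass
    return []


class AppTrafficLogger:
    """mitmproxy addon: run on the sniffing box with
    `mitmdump -s app_traffic_logger.py` (file name is an assumption).
    Each request is reduced to host, method, path, body size and field names,
    and any host outside the set you expect the app to need is flagged."""

    def __init__(self, expected_hosts=()):
        self.expected_hosts = set(expected_hosts)
        self.bytes_per_host = defaultdict(int)
        self.entries = []

    def record(self, host, method, path, content, content_type):
        """Pure bookkeeping, independent of mitmproxy, so it is testable offline."""
        entry = {
            "host": host,
            "method": method,
            "path": path,
            "body_bytes": len(content),
            "fields": body_fields(content, content_type),
            "expected": host in self.expected_hosts,
        }
        self.bytes_per_host[host] += len(content)
        self.entries.append(entry)
        return entry

    def summary(self):
        """Which hosts received how much, and which ones you did not expect at all."""
        return {
            "bytes_per_host": dict(sorted(self.bytes_per_host.items(), key=lambda kv: -kv[1])),
            "unexpected_hosts": sorted({e["host"] for e in self.entries if not e["expected"]}),
        }

    # mitmproxy hook: called once per client request.
    def request(self, flow):
        req = flow.request
        entry = self.record(req.pretty_host, req.method, req.path,
                            req.content or b"", req.headers.get("content-type", ""))
        print(json.dumps(entry))

    # mitmproxy hook: called once when mitmdump shuts down.
    def done(self):
        print(json.dumps(self.summary(), indent=2))


# Hosts the app legitimately needs; constructed placeholder, set per app.
addons = [AppTrafficLogger(expected_hosts={"api.example.invalid"})]
```

The per-host byte totals in the `done` summary are usually the fastest way to see where the bulk of an app’s uploads go; the field names tell you what kind of data rides along, and the full flows are still in mitmproxy if you need to inspect one.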

Conclusion

I didn’t make this a step-by-step guide for finding what an app is actually doing, and truthfully that varies heavily from app to app and really depends on what you’re looking for. Searching an app for hardcoded tokens, passwords, IP addresses and hostnames, and looking up all of the included libraries and packages, can tell you a lot. This is especially true if some of those packages are associated with data brokers and advertising firms (checking against Pi-hole blocklists is a quick way to verify), or are old and have security flaws. But a sniffer confirms it. Remember the old hacker saying: “pcap or GTFO”.
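The static side of that search can be scripted over the apktool output tree. The following is an added Python example, not from the original post: it walks the unpacked directory, pulls every URL out of smali and resource files, matches the hostnames against a Pi-hole style domain blocklist (an entry also matches its subdomains, as Pi-hole does), and flags strings that look like hardcoded credentials, truncating them so the report does not itself become a copy of the key. The sample files, the `.invalid` domains, the dummy access key and the blocklist are all constructed for the example; the secret patterns are deliberately loose and will need tuning per app.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# Constructed stand-ins for a few files out of an apktool output tree.
# Domains use the reserved .invalid TLD; the access key is a dummy value.
SAMPLE_FILES = {
    "smali/com/example/net/Api.smali": (
        '.class public Lcom/example/net/Api;\n'
        '.field private static final BASE:Ljava/lang/String; = "https://api.example.invalid/v2/"\n'
        '.field private static final KEY:Ljava/lang/String; = "AKIAEXAMPLEEXAMPLE00"\n'
    ),
    "smali/com/adsvendor/sdk/Beacon.smali": (
        '.class public Lcom/adsvendor/sdk/Beacon;\n'
        '    const-string v0, "https://collect.tracker-example.invalid/pixel?id="\n'
    ),
    "res/values/strings.xml": (
        '<resources><string name="cdn">http://static.example.invalid/assets</string></resources>\n'
    ),
}
# Constructed blocklist in the style of a Pi-hole domain list.
SAMPLE_BLOCKLIST = {"tracker-example.invalid", "ads-example.invalid"}

URL_RE = re.compile(r'https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"\'<>]*)?')
# Loose patterns for hardcoded credentials; expect some noise and tune per app.
SECRET_RES = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]{20,}"),
    "assigned_api_key": re.compile(r'(?i)(?:api[_-]?key|secret)["\']?\s*[:=]\s*["\']([A-Za-z0-9\-_]{16,})'),
}
SCAN_SUFFIXES = (".smali", ".xml", ".json", ".properties", ".js", ".txt")


def host_is_listed(host: str, blocklist: set) -> bool:
    """Pi-hole style match: an entry blocks the domain and every subdomain of it."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def scan_tree(root: str, blocklist: set) -> dict:
    """Collect hosts (with the files they appear in), blocklisted hosts, and
    likely hardcoded secrets from an apktool output directory."""
    findings = {"hosts": {}, "flagged_hosts": set(), "secrets": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for m in URL_RE.finditer(text):
                host = urlsplit(m.group(0)).hostname
                if not host:
                    continue
                findings["hosts"].setdefault(host, set()).add(rel)
                if host_is_listed(host, blocklist):
                    findings["flagged_hosts"].add(host)
            for label, rx in SECRET_RES.items():
                for m in rx.finditer(text):
                    # Keep only a prefix so the report does not leak the credential.
                    findings["secrets"].append((label, rel, m.group(0)[:8] + "..."))
    return findings


def build_sample_tree() -> str:
    """Write the constructed sample files to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="apk_scan_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree(), SAMPLE_BLOCKLIST)
    for host, files in sorted(result["hosts"].items()):
        flag = "BLOCKLISTED" if host in result["flagged_hosts"] else ""
        print(f"{host:40} {flag:12} {', '.join(sorted(files))}")
    for label, rel, snippet in result["secrets"]:
        print(f"secret? {label} in {rel}: {snippet}")
```

Point `scan_tree` at the real `example_apk_out` directory and a downloaded Pi-hole list (one domain per line, loaded into a set) to get the same report for an actual app. The host-to-file map is the useful part: a blocklisted host that lives under a third-party SDK package tells you which library is doing the talking, which is what you then confirm with the sniffer.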

Hopefully with the links I’ve provided and the tips on certificate pinning bypassing, this is enough to get you started, and I encourage you to look at apps like TikTok to find out for yourself. I haven’t looked at TikTok for a couple of years, so who knows what you’ll find!
