If you cannot see the wood for the trees ...

Me talking bullshit (without anybody noticing it).

This thread does not describe an issue caused by cert pinning, but by not running the interception proxy in "transparent" mode.

1/2
The real problem is actually highlighted in the example linked above.

I tried to "unpin" CONNECT requests (not POST/GET/DELETE etc.), which occur because my proxy is visible. Of course TikTok wants to establish a raw tunnel through the proxy with CONNECT.

... time for a break
All failed TLS connections used CONNECT as the request method. [image]
Only failed connections within 24 hours which used valid HTTP request methods are directed towards the invalid host 'shgw.router' (sent from McAfee Security). [image]

More from @mame82

19 Dec
Whenever I talk about an Android app sending data to Asian countries, some folks go crazy.

Let me comfort you: If you are a European user, like me, most apps communicate with US servers, as shown below (2h capture ... DJI, AliExpress, Gojek etc.).

What? Not to the US?? Let me help you! [image]
My issue is simply that I am using a German DNS server, which might be a bit biased when it comes to resolving a DNS host to the best suited server.

So let's resolve with DNS over TLS from @Cloudflare

Hmm ... still so much US traffic, even from Asian apps? [image]
Okay, my fault ... I am still using a European source IP (Germany).

So let me change this, too, by using a VPN exit in Japan!

Damn, even more requests are directed to the US now.

Sorry, I cannot help you - your data will always end up in the US ... unless you install Camera360 😉 [image]
17 Dec
Comparison of

1) TikTok TLS connections with several Cert Pinning bypasses (targeting the Java layer of common SSL implementations, not custom native implementations): 65% error

vs

2) CertPinning bypasses disabled (CA cert is still placed in Android's system store): 100% error [images]

The "success to error ratio" of intercepted requests with CertPinning largely depends on the app and the respective SSL pinning implementation(s) in use. The 65% error of "TikTok" is the "worst case".

Here's a broader look showing this ratio for other apps (no captions). [image]

Did additional event enrichment for failed connections (caused by client disconnect, likely CertPinning).

I want to share an idea for a generic Cert Pinning bypass, 'cause I have no time to implement it.

Here is a full event for a failed connection to 'api16-core-c-alisg.tiktokv.com'. [images]
17 Dec
Most of my past tweets were about privacy behavior of Android apps (and the techniques/stack I built for analysis).

I recently introduced a new feedback loop from the HTTPS interception proxy into my stack, to get some insights into failed client connections.

Example TikTok: [image]
The visualization above shows for which target hosts the TLS connection was terminated by the Android device (error) and for which hosts it succeeded.

Some hosts are tagged with error+request, meaning: connections succeeded once the CA certificate of the proxy was inserted into Android's system store or proper CertPinning bypasses were brought into place.

The connections tagged only with "error" have never been intercepted successfully, because of custom CertPinning implementations (mostly native code with obfuscated/modded "boringssl").
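The three analyses this page describes, the per-app error ratio (65% vs 100%), the error / error+request host tags, and the request method of failed flows from the thread at the top, can all be reproduced over the proxy's event records. The script below is an added example, not the author's tooling or stack: the event schema (one JSON object per line with the fields app, host, method and tls_ok) and the sample lines are constructed. It also spells out the point of the top thread: on an explicit (visible) proxy a failed flow shows up as CONNECT, so the request method of a failed flow says nothing about the inner request or about pinning.

```python
"""Triage of failed HTTPS-interception flows from proxy event records.

Added example, not the author's stack: the event schema (one JSON object
per line with app, host, method, tls_ok) and the sample lines are constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed sample events. tls_ok is False for any flow that did not
# complete an intercepted request.
SAMPLE_EVENTS = """\
{"app": "tiktok", "host": "api16-core-c-alisg.tiktokv.com", "method": "CONNECT", "tls_ok": false}
{"app": "tiktok", "host": "api16-core-c-alisg.tiktokv.com", "method": "CONNECT", "tls_ok": false}
{"app": "tiktok", "host": "log.tiktokv.com", "method": "CONNECT", "tls_ok": false}
{"app": "tiktok", "host": "log.tiktokv.com", "method": "POST", "tls_ok": true}
{"app": "mcafee", "host": "shgw.router", "method": "GET", "tls_ok": false}
{"app": "mcafee", "host": "api.mcafee.example", "method": "GET", "tls_ok": true}
{"app": "bk", "host": "api.bk.example", "method": "GET", "tls_ok": true}
{"app": "bk", "host": "api.bk.example", "method": "POST", "tls_ok": true}
"""


def parse_events(text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def error_ratio_per_app(events):
    """Fraction of an app's flows that ended in an error (the 65% / 100% figures)."""
    totals, errors = Counter(), Counter()
    for ev in events:
        totals[ev["app"]] += 1
        if not ev["tls_ok"]:
            errors[ev["app"]] += 1
    return {app: errors[app] / totals[app] for app in totals}


def tag_hosts(events):
    """'request': never failed; 'error': never succeeded; 'error+request': both.

    A host that is only ever 'error' was never intercepted successfully, the
    pattern the thread attributes to custom (native) pinning code.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].add("request" if ev["tls_ok"] else "error")
    return {host: "+".join(sorted(tags)) for host, tags in seen.items()}


def failed_methods(events):
    """Request method counts of failed flows, per host."""
    out = defaultdict(Counter)
    for ev in events:
        if not ev["tls_ok"]:
            out[ev["host"]][ev["method"]] += 1
    return {host: dict(c) for host, c in out.items()}


def explain_failure(method):
    """What a failed flow's request method tells you on an explicit (visible) proxy."""
    if method == "CONNECT":
        # The client asked for a raw tunnel; the TLS handshake inside it was
        # aborted, so the proxy never saw the inner GET/POST. Looking at the
        # request method at this layer cannot tell pinning apart from anything
        # else; a transparent proxy would not show CONNECT at all.
        return "explicit-proxy tunnel aborted during TLS; inner request unknown"
    # A plain HTTP request that failed never reached TLS, e.g. an
    # unresolvable host such as 'shgw.router' - not pinning evidence.
    return "plain HTTP request failed before TLS; check the host, not pinning"


def summarize(text):
    """All three views over one event file."""
    events = parse_events(text)
    return {
        "error_ratio": error_ratio_per_app(events),
        "host_tags": tag_hosts(events),
        "failed_methods": failed_methods(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(key, value)
    for host, methods in failed_methods(parse_events(SAMPLE_EVENTS)).items():
        for method in methods:
            print(host, method, "->", explain_failure(method))
```

Run as-is it prints the three views over the constructed events; point `parse_events` at your own JSON-lines export to get the same tags and ratios for a real capture.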
9 Dec
Son gets a @kinderus surprise egg ... you know, the thing that used to have cool stuff inside ... gearboxes, metal cogwheels, real flywheels

"Excitement, fun, play"
We only rarely buy them any more, because nowadays there is only plastic junk inside.

So my son runs through the flat like mad, desperately looking for the leaflet that came with the plastic junk.

I am puzzled, everything is already assembled.

He finds it ...
I see, there is a QR code on it, which means something to him.

Him: Dad, can I scan it with your phone and play the app (so he inferred the app right away, too)

Me: Forget it, free apps are all 😈 ... that is what I am working on right now.

Son angry, I go for a smoke
8 Dec
Put another day into bypassing the anti-debug/instrumentation measures of the "DJI Go 4" app. Reached my goal, but in contrast to published reports on the app, the results are very disappointing. Not much is sent outside by the app.
To put it into perspective, here are the same visualizations for the Burger King app. Compared to DJI it has to be called a privacy nightmare.
The BK app not only sends out your location (before the confirmation dialog in the "King Finder" tab), it also combines resettable and persistent identifiers (Android ID and Advertising ID). This allows bridging user-initiated resets of the Advertising ID.
7 Dec
Okay, I managed to instrument the "DJI Go 4" Android application (packed with SecNeo, ptrace-based debugger avoidance).

Here's a quick example with the @fridadotre frida-trace utility (tracing libc->open calls).

Steps to reproduce in a few minutes in this thread ... stay tuned
First things first:

1) I am running the app on an arm32 device (armeabi-v7a)
2) I want to avoid repackaging the APK, thus modifications are done directly on the device, once "DJI Go 4" is installed (requires root)
3) @fridadotre is used in gadget-mode
Step 1)

The SecNeo packed APK ships with various native libs.
The most interesting one is "libDexHelper.so".

Unfortunately this ELF lib has no dynamic section, thus we need an easier target to inject the Frida agent.

Here's an excerpt of the app's '/proc/self/maps' [image]
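Step 1 above turns on one property of the packed app's native libraries: libDexHelper.so has no dynamic section, so the analyst has to look at the other libraries the process has mapped. The script below is an added example, not the author's tooling: it lists the distinct .so paths from a constructed /proc/<pid>/maps excerpt and checks each ELF image's program headers for a PT_DYNAMIC entry, which is the check that still works when section headers have been stripped. The package path, the maps lines and the ELF images are constructed placeholders (only libDexHelper.so is named on the page).

```python
"""Which of an app's mapped native libraries carry a PT_DYNAMIC segment?

Added example, not the author's tooling. The /proc/<pid>/maps excerpt and
the ELF images below are constructed; the package path is a placeholder.
"""
import struct

PT_LOAD = 1
PT_DYNAMIC = 2

# Constructed maps excerpt (same column layout as /proc/<pid>/maps).
SAMPLE_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
c8a00000-c8a40000 r-xp 00000000 fd:00 1234       /data/app/com.example.packed-1/lib/arm/libDexHelper.so
c8a40000-c8a41000 r--p 0003f000 fd:00 1234       /data/app/com.example.packed-1/lib/arm/libDexHelper.so
e1000000-e1080000 r-xp 00000000 fd:00 5678       /data/app/com.example.packed-1/lib/arm/libother.so
f7000000-f70a0000 r-xp 00000000 fd:00 91         /system/lib/libc.so
"""


def mapped_libraries(maps_text):
    """Distinct .so paths in first-seen order (one library maps several ranges)."""
    libs = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].endswith(".so") and parts[5] not in libs:
            libs.append(parts[5])
    return libs


def program_header_types(data):
    """p_type of every program header in an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                            # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    elif ei_class == 2:                          # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        raise ValueError("unknown ELF class")
    # p_type is the first 32-bit field of both Elf32_Phdr and Elf64_Phdr.
    return [struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
            for i in range(e_phnum)]


def has_dynamic_section(data):
    """True if the image has a PT_DYNAMIC segment (survives section stripping)."""
    return PT_DYNAMIC in program_header_types(data)


def make_elf32(p_types):
    """Constructed minimal little-endian ELF32 (EM_ARM, ET_DYN) with the given
    program header types; enough structure to parse, not a loadable library."""
    ehdr = bytearray(52)
    ehdr[0:4] = b"\x7fELF"
    ehdr[4], ehdr[5], ehdr[6] = 1, 1, 1           # ELFCLASS32, LSB, EV_CURRENT
    struct.pack_into("<HHIIIIIHHHHHH", ehdr, 16,
                     3, 40, 1, 0, 52, 0, 0,       # e_type..e_flags; phdrs follow the header
                     52, 32, len(p_types), 40, 0, 0)
    phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return bytes(ehdr) + phdrs


# Constructed images keyed by the paths in SAMPLE_MAPS; on a device you would
# read the mapped files themselves.
SAMPLE_IMAGES = {
    "/data/app/com.example.packed-1/lib/arm/libDexHelper.so": make_elf32([PT_LOAD, PT_LOAD]),
    "/data/app/com.example.packed-1/lib/arm/libother.so": make_elf32([PT_LOAD, PT_DYNAMIC]),
    "/system/lib/libc.so": make_elf32([PT_LOAD, PT_DYNAMIC]),
}


def triage(maps_text, images):
    """path -> has PT_DYNAMIC, for every mapped library we have an image for."""
    return {p: has_dynamic_section(images[p])
            for p in mapped_libraries(maps_text) if p in images}


if __name__ == "__main__":
    for path, dynamic in triage(SAMPLE_MAPS, SAMPLE_IMAGES).items():
        print("dynamic   " if dynamic else "no dynamic", path)
```

The parser reads only the ELF header and program headers, so it handles stripped and packed libraries the same way as normal ones; `readelf -l` on the pulled file gives the same answer for a real library.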
