Whenever I talk about an Android app sending data to Asian countries, some folks go crazy.
Let me comfort you: If you are a European user, like me, most apps communicate with US servers as shown below (2h capture ... DJI, AliExpress, Gojek etc).
What? Not to the US?? Let me help you!
My issue is simply that I am using a German DNS server, which might be a bit biased when it comes to resolving a DNS host to the best suited server.
So let's resolve with DNS over TLS from @Cloudflare
Hmm ... still so much US-traffic, even from Asian apps?
Okay, my fault ... I am still using a European source IP (Germany).
So let me change this, too, by using a VPN exit in Japan!
Damn, even more requests are directed to the US now.
Sorry, I cannot help you - your data will always end up in the US ... unless you install Camera360 😉
A bit more insights: Here are the hosts which changed their country (while I changed my appearance as described above).
Excuse the bad visualization, had no better option because of data aggregation order.
The real problem is actually highlighted in the example linked above.
I tried to "unpin" CONNECT requests (not POST/GET/DELETE etc), which occur because my proxy is visible. Of course TikTok wants to establish a raw tunnel through the proxy with CONNECT.
... time for a break
All failed TLS connections used CONNECT as request method
1) TikTok TLS connections with several Cert Pinning bypasses (targeting Java layer of common SSL implementations, not custom native implementations)
65% error
vs
2) CertPinning bypasses disabled (CA cert is still placed in Android's system store)
100% error
The "success to error ratio" of intercepted requests with CertPinning largely depends on the app and the respective SSL pinning implementation(s) in use. The 65% error of "TikTok" is the "worst case".
Here's a broader look showing this ratio for other apps (no captions)
Did additional event enrichment for failed connections (caused by client disconnect, likely CertPinning).
I want to share an idea for a generic Cert Pinning bypass, because I have no time to implement it.
Most of my past tweets were about privacy behavior of Android apps (and the techniques/stack I built for analysis).
I recently introduced a new feedback loop from the HTTPS Interception Proxy to my stack, to get some insights into failed client connections.
Example TikTok:
The visualization above shows for which target hosts the TLS connection was terminated by the Android device (error) and for which hosts it succeeded.
Some hosts are tagged with error+request, meaning: Connections succeeded once the CA certificate of the proxy was inserted ...
... into Android's system store or proper CertPinning bypasses were brought into place.
The connections tagged only with "error" have never been intercepted successfully, because of custom CertPinning implementations (mostly native code with obfuscated/modded "boringssl")
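The host tagging and the success-to-error ratio described in the tweets above can be reproduced from the proxy's connection events with a few lines of Python. The script below is an added example and not the author's analysis stack; it assumes a constructed event schema (app, host, request method, outcome) and uses made-up hostnames under the reserved .example domain. An intercepted connection that the client closes right after CONNECT is marked as a likely pinning failure, which is the enrichment the thread mentions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyEvent:
    """One connection event emitted by the interception proxy (assumed schema)."""
    app: str
    host: str
    method: str   # "CONNECT" for the tunnel request, or the HTTP method once intercepted
    outcome: str  # "request": TLS interception succeeded, "error": client closed the connection


# Constructed sample events, not data from a real capture.
EVENTS = [
    ProxyEvent("tiktok", "api.app.example", "CONNECT", "error"),
    ProxyEvent("tiktok", "api.app.example", "POST", "request"),
    ProxyEvent("tiktok", "log.app.example", "CONNECT", "error"),
    ProxyEvent("tiktok", "log.app.example", "CONNECT", "error"),
    ProxyEvent("tiktok", "cdn.app.example", "GET", "request"),
    ProxyEvent("other", "ads.example", "CONNECT", "error"),
]


def tag_hosts(events, app):
    """Map each host contacted by `app` to "error", "request" or "error+request".

    "error" only: never intercepted successfully (custom pinning suspected).
    "error+request": failed at first, succeeded later (e.g. after CA install / bypass).
    """
    outcomes = defaultdict(set)
    for e in events:
        if e.app == app:
            outcomes[e.host].add(e.outcome)
    # sorted() puts "error" before "request", giving the thread's "error+request" label
    return {host: "+".join(sorted(o)) for host, o in outcomes.items()}


def error_ratio(events, app):
    """Share of `app` connections the client terminated (0.0 .. 1.0)."""
    total = errors = 0
    for e in events:
        if e.app == app:
            total += 1
            errors += e.outcome == "error"
    return errors / total if total else 0.0


def enrich(event):
    """Attach a likely cause to a failed event: a client disconnect straight after
    CONNECT means the TLS handshake with the proxy's certificate was rejected."""
    if event.outcome == "error" and event.method == "CONNECT":
        return "client disconnect after CONNECT, likely cert pinning"
    if event.outcome == "error":
        return "client disconnect after interception"
    return None


def never_intercepted(events, app):
    """Hosts that only ever produced errors, i.e. the ones still opaque to the proxy."""
    return sorted(h for h, tag in tag_hosts(events, app).items() if tag == "error")


if __name__ == "__main__":
    for host, tag in sorted(tag_hosts(EVENTS, "tiktok").items()):
        print(f"{host:20} {tag}")
    print(f"error ratio: {error_ratio(EVENTS, 'tiktok'):.0%}")
    for e in EVENTS:
        if (reason := enrich(e)):
            print(f"{e.host}: {reason}")
```

Feeding the proxy's real event stream into `tag_hosts` and `never_intercepted` gives the list of hosts that still need attention, while `error_ratio` tracks whether a change to the setup (CA in the system store, a bypass enabled) actually moved the needle for a given app.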
Son gets a @kinderus surprise egg ... you know, the thing that used to have cool stuff inside ... gears, metal cogwheels, real flywheels
"Excitement, fun, play"
We only rarely buy them anymore, because nowadays there's nothing but plastic junk inside.
So my son runs through the place like mad, desperately looking for the leaflet that came with the plastic junk.
I'm puzzled, it's all already assembled.
He finds it ...
I see, there's a QR code on it, that means something to him.
Him: Dad, can I scan it with your phone and play the app (so he inferred the app right away, too)
Me: Forget it, free apps are all 😈 ... I'm dealing with exactly that right now.
Put another day into bypassing anti debug/instrumentation measures of the "DJI Go 4" app. Reached my goal, but in contrast to published reports on the app, results are very disappointing. Not much is sent outside by the app
To put it into perspective, here are the same visualizations for the Burger King app. Compared to DJI it has to be called a privacy nightmare
The BK app not only sends out your location (before the confirmation dialog in "King Finder" tab), it also combines resettable and persistent identifiers (Android ID and Advertising ID). This allows bridging user initiated resets of the Advertising ID.
Okay, I managed to instrument the "DJI Go 4" Android application (packed with SecNeo, ptrace-based debugger avoidance).
Here's a quick example with @fridadotre frida-trace utility (tracing libc open calls).
Steps to reproduce in a few minutes in this thread ... stay tuned
First things first:
1) I am running the app on an arm32 device (armeabi-v7a)
2) I want to avoid repackaging the APK, thus modifications are done directly on the device, once "DJI Go 4" is installed (requires root)
3) @fridadotre is used in gadget-mode
Step 1)
The SecNeo packed APK ships with various native libs.
The most interesting one is "libDexHelper.so".
Unfortunately this ELF lib has no dynamic section, thus we need an easier target to inject the Frida agent.