WiFi Pineapple; Decrypting SSL Traffic on Mobile Applications
Introduction
Most people view the WiFi Pineapple as in intrusive piece of kit. Marketed as a WiFi device that can trick unsuspecting clients to connect to the AccessPoint (AP) because the device is sending out Probe responses that match devices Probe requests. From there a victim is then susceptible to Man-in-The-Middle (MiTM) attacks, interception and traffic manipulation. The device has been famously used on Channel 4’s Derren Browns Apocalypse (http://en.wikipedia.org/wiki/Derren_Brown:_Apocalypse), where the device was used to intercept and manipulate the BBC news webpage, to make a suggestible person believe
At Pentura we not only use the ‘Mean-Yellow-Machine’ for legitimate Wireless engagements; we also find it very useful for mobile application testing.
Mobile App Testing using the Pineapple
Mobile application testing sometimes has its challenges, or rather setting up a proxy (or transparent proxy) to observe the data communication can sometimes be a pain. The WiFi pineapple makes this task easier with infusions like:
- SSLStrip
- Ettercap
These modules are handy to strip away the SSL encryption to reveal the data transfer as plain-text protocols (usually decrypted as HTTP/XML/SOAP/JSON based requests/responses). The WiFi Pineapple enables us to see what is actually going on in the background between the application and the developers server. Especially if an application is using adverts, we can see what information is being sent from our phones over the internet (encrypted or not) to 3rd-Parties.
Invasion of Privacy???
Below is a small list of elements sent from mobile applications over the internet:
- Phone Model: Iphone5,2 or HTC One X+
- Operating System: IOS 7.0.3 or Android 4.3 (JellyBean)
- IsonCellular: true or false
- Carrier: eg Vodafone, O2, EE
- IMSI no: xxxxxxxxxxxxx
- TimeZone: GMT
- Phone number: eg +4477xxxxxxxx
- Webuseragent eg Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_3 like Mac OS X)
- Phone name: myname’s_iPhone or android-23f2342cbd32323dd
- Wireless AP: eg. BTBusiness-Hub3-34J
- IPaddress: eg. 192.168.1.20 (internal NAT)
- Screen resolution: e.g. “320×568”
- Volume_level: eg 0.0657
- Clientdatetime: <current time and date>
Is all of the above really necessary? Marketing may argue this is valid information, but isn’t knowing that Im playing your games enough, I’ll settle that you want to know the OS – for possible future development or improvements. But do you really need to know my carrier? my number? my IMSI? my Phones name (my name)? my WiFi SSID and my internal IP address range.
Of the applications that have been officially tested by Pentura, we are working with developers to minimise the intrusion of this personal privacy. We recommend that UK developers should comply with the UK’s Data Protection Act 1998; The basic eight principles of the act are:
- Data shall be processed fairly and lawfully;
- Personal data shall be secure;
- Personal data shall be obtained and processed only for specific and lawful purposes;
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are produced;
- Personal data shall be accurate;
- Personal data must not be kept longer than necessary;
- Personal data shall be processed in accordance with the data subject’s under this act;
- Personal data shall not be transferred to countries without adequate protection.
However, not all application developers are bound by UK law and as such our liberties are constantly being abused! So think hard when you download your free games onto your mobile device…. You don’t know how much of your personal data is being leaked across the internet???
Screenshot
Sensitive and identifying information has been obscured as much as possible. But feel free to try this on your own devices.
Pentura Labs's Blog 