mitmproxy is a proxy that makes it easy to run MITM attacks on traffic that passes through it. It supports HTTP/HTTPS and SOCKS5 modes. It allows you to modify traffic on the fly, or just to capture interesting information for further analysis. It is good for researching API interfaces on mobile platforms.
The project page is https://mitmproxy.org/, where you can find additional info.
It is possible to install mitmproxy from distribution repositories.
On Debian-like systems:
sudo apt-get install mitmproxy
On Arch Linux:
pacman -S mitmproxy
mitmproxy uses GitHub for development; here is the project page on GitHub.
If you just want to clone it:
git clone https://github.com/mitmproxy/mitmproxy.git
There are many scenarios in which you would like to use mitmproxy; here are some, for fun or for serious work, that you can do with the proxy.
Use the proxy for a browser
Okay, let's cover just setting up mitmproxy in a simple scenario for a browser.
Here is a snippet showing how to run mitmproxy in HTTP mode on port 10000:
#!/bin/sh
export LANG=en_US.UTF-8
mitmproxy --port 10000
Set your browser to HTTP proxy mode, try some HTTP pages, and you will see all the requests.
Setting up your own proxy for Android
Let's now try mitmproxy as an Android proxy. The first way to set up the proxy is
Because an application can simply bypass a proxy setting made the default Android way, it is better to use ProxyDroid; otherwise some apps will ignore the proxy settings.
Setting up mitmproxy certificate on Android device
mitmproxy certificates are stored in the ~/.mitmproxy directory.
To install the certificate on Android, go to Settings->Security, choose the option Install from storage and point it to where you saved the mitmproxy certificate.
How you transfer the mitmproxy certificate to your device is up to you; there are many ways, from old-school FTP to Bluetooth file sharing.
The final step is to set up the proxy. You can do it in the Network menu, but applications can bypass it. That is why a rooted device with ProxyDroid is the better solution. In ProxyDroid set your port to 8080 (the default port of mitmproxy) and Proxy Type to SOCKS. You can also choose the HTTP or HTTPS proxy type, but if an application uses both of them then you will not see one or the other.
Here are more descriptions of how to install mitmproxy certificates, not only for Android: https://mitmproxy.org/doc/certinstall.html
Starting mitmproxy in SOCKS5 mode
Now, when you use apps, you will see some traffic going in or out. Also, as mitmproxy is an HTTP/HTTPS proxy, you will not see whether other protocols are in use.
Here are some top applications on Android: Top 50. You can search for many other lists of "top" Android applications.
Now that you have something to explore, here are a few tips.
- You may find that an application works but you don't see any traffic in mitmproxy; check the network traffic with Wireshark, maybe it just uses a non-HTTP protocol.
- If an application fails to connect while you are sure that the proxy works properly, it could be using some MITM attack protection such as certificate pinning.
- If an application fails to connect while you are sure that the proxy works, run the application through a different MITM proxy like Charles; it could just be a mitmproxy bug (as it is in active development).
- If there is some streaming in the application and it doesn't work with mitmproxy, confirm that with Charles; sometimes mitmproxy couldn't stream HTTP while Charles could.
Like any open source project, mitmproxy suffers from the usual open source diseases: lack of support, bad documentation and a small number of users who use it professionally. On the other hand, it is written in Python and it is easy to hack the source by extending it with your own use-case-specific scripts. And the unlimited libraries that Python has allow you to integrate mitmproxy into anything you like, from statistical libraries for analysing traffic to wherever your imagination stops.
If we speak about how applications work on Android, then they all definitely suck. There you can find plain usernames/passwords sent over HTTPS to secret APIs whose only security is trust in HTTPS. Many applications use many external APIs for extra services, which require a plain password to authenticate. And OAuth 2.0 definitely sucks more than OAuth 1.0 from the user security point of view. Here is a talk from a guy who worked on the OAuth standard: http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/comment-page-1/. Probably you will find much more about how security sucks at the application API level.
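To show what "extending mitmproxy with your own scripts" looks like in practice, and to turn the point above about credentials travelling as plain fields into something you can run, here is an added example addon. It is not code from the original post or from the mitmproxy project. It assumes the current mitmproxy addon API (a class with a request hook, registered in a module-level addons list and loaded with mitmdump -s flag_credentials.py), which differs from the inline-script API of the time this was written; the list of secret field names and the sample request in the __main__ block are constructed for the demo. The addon flags requests that carry credentials as plain form or JSON fields, as query parameters, or in an HTTP Basic header, and records only the field names, never the values, so the log of a testing session does not itself become a credential dump.

```python
"""flag_credentials.py: added example mitmproxy addon (not the project's own code).

Run with:  mitmdump -s flag_credentials.py
Flags requests that carry credentials as plain fields. Values are never logged.
"""
import json
import logging
from urllib.parse import parse_qs

# Field names that usually hold secrets. Assumption: extend this for the API under test.
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "secret",
                 "api_key", "apikey", "token"}


def _secret_keys(keys):
    """Return the sorted subset of keys that look like credential fields."""
    return sorted(k for k in keys if k.lower() in SECRET_FIELDS)


def find_credentials(url, headers, body):
    """Inspect one request and return a list of findings (field names only).

    url:     the full request URL
    headers: mapping of header name -> value (matched case-insensitively here)
    body:    request body as bytes (may be empty)
    """
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}

    # Basic auth is just base64(user:password); it is plaintext for anyone who can read it
    auth = lower.get("authorization", "")
    if auth.lower().startswith("basic "):
        findings.append("HTTP Basic auth header")

    ctype = lower.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
        findings.extend(f"form field '{k}'" for k in _secret_keys(fields))
    elif ctype == "application/json":
        try:
            data = json.loads(body.decode("utf-8", "replace"))
        except ValueError:
            data = None  # malformed JSON: nothing to inspect, do not crash the proxy
        if isinstance(data, dict):
            findings.extend(f"JSON field '{k}'" for k in _secret_keys(data))

    # Secrets in the query string also end up in server logs and browser history
    if "?" in url:
        qs = parse_qs(url.split("?", 1)[1], keep_blank_values=True)
        findings.extend(f"query parameter '{k}'" for k in _secret_keys(qs))

    return findings


class FlagCredentials:
    """mitmproxy addon: the request hook runs for every client request."""

    def request(self, flow):
        found = find_credentials(
            flow.request.pretty_url,
            dict(flow.request.headers),
            flow.request.raw_content or b"",
        )
        if found:
            logging.warning("credentials in %s %s: %s",
                            flow.request.method, flow.request.pretty_url,
                            "; ".join(found))


addons = [FlagCredentials()]


if __name__ == "__main__":
    # Constructed sample request, standing in for what an app would send to its login API
    sample = find_credentials(
        "https://api.example.test/login",
        {"Content-Type": "application/x-www-form-urlencoded"},
        b"username=alice&password=hunter2",
    )
    print(sample)  # ["form field 'password'"]
```

find_credentials is kept separate from the addon class so the detection logic can be tested without a running proxy; the hook only adapts mitmproxy's flow object to it. A finding does not mean the app is broken in the TLS sense, only that the credential reaches the server as a plain field, which is exactly the "trust in HTTPS is the only security" situation described above.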