MITMproxy

Intro

MITMproxy is a proxy that makes it easy to run MITM attacks on traffic that passes through it. It supports HTTP/HTTPS and SOCKS5 modes. It allows you to modify traffic on the fly, or just to capture interesting information for further analysis. It is good for researching API interfaces on mobile platforms.

The project page is https://mitmproxy.org/, where you can find additional info.

Install

It is possible to install mitmproxy from distribution repositories.

On Debian-like systems

sudo apt-get install mitmproxy

On Arch Linux systems

pacman -S mitmproxy

Sources

mitmproxy uses GitHub for development; here is the project page on GitHub

https://github.com/mitmproxy/mitmproxy

If you just want to clone it

git clone https://github.com/mitmproxy/mitmproxy.git

Using

There are many scenarios in which you would like to use mitmproxy; here are some things, for fun or for serious work, that you can do with the proxy.

Use proxy for browser

Okay, let's cover just setting up mitmproxy in a simple scenario for a browser.

Here is a snippet showing how to run mitmproxy in HTTP mode on port 10000

#!/bin/sh
export LANG=en_US.UTF-8
mitmproxy --port 10000

Set your browser to HTTP proxy mode, try some HTTP pages, and you will see all the requests.

Setting up your own proxy for Android

Let's now try mitmproxy as an Android proxy. The first way to set up the proxy is

Because an application can simply bypass the proxy setting configured in the default Android way, it is better to use ProxyDroid; otherwise some apps will ignore the proxy settings.

Setting up mitmproxy certificate on Android device

mitmproxy certificates are stored in the ~/.mitmproxy directory.

To install the certificate on Android, go to Settings -> Security, choose the option Install from storage, and point it at where you saved the mitmproxy certificate.

How you transfer the mitmproxy certificate to your device is up to you; there are many ways, from old-school FTP to Bluetooth file sharing.

The final step is to set up the proxy. You can do it in the Network menu, but applications can bypass it. That is why a rooted device with ProxyDroid is the better solution. In ProxyDroid, set the port to 8080 (the default port of mitmproxy) and the Proxy Type to SOCKS. You can also choose the HTTP or HTTPS proxy type, but if an application uses both, you will not see one or the other.

Here are more detailed descriptions of how to install the mitmproxy certificate, not only for Android: https://mitmproxy.org/doc/certinstall.html

Starting mitmproxy in SOCKS5 mode

mitmproxy --socks

Now, when you use apps, you will see some of the traffic going in or out. Also, since mitmproxy is an HTTP/HTTPS proxy, you will not see whether other protocols are in use.

Here are some of the top applications on Android: Top 50. You can search for many other lists of "top" Android applications.

Now that you have something to explore, here are a few tips.

Conclusion

As with any open source project, mitmproxy suffers from the usual open source diseases: lack of support, poor documentation, and a small number of users who use it professionally. On the other hand, it is written in Python, and it is easy to hack into the source by extending it with your own use-case-specific scripts. The unlimited libraries that Python has allow you to integrate mitmproxy into anything you would like, from statistical libraries for analyzing traffic to wherever your imagination stops.

Speaking of how applications work on Android, they all definitely suck. There you can find plain usernames/passwords sent over HTTPS to secret APIs whose only security is trust in HTTPS. Many applications use many external APIs for extra services which require a plain password to authenticate. And OAuth 2.0 definitely sucks more than OAuth 1.0 from the user-security point of view. Here is a talk from a guy who worked on the OAuth standard: http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/comment-page-1/. You will probably find much more about how security sucks at the application API level.
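Since mitmproxy is extended with Python scripts, here is an added example (my own, not from this page or the mitmproxy project) of an addon that records which intercepted requests from the app under test carry credential-looking form/JSON fields or HTTP Basic auth, the plain-password-over-HTTPS pattern described above. It assumes mitmproxy's standard addon conventions (a request(flow) hook and an addons list, loaded with the -s option) and Python's logging module, which current mitmproxy releases route to their event log; the SECRET_KEYS set is my own assumed list of field names, and only field names are recorded, never values.

```python
"""Added example: mitmproxy addon flagging requests that carry credential-looking fields.
Load it with:  mitmproxy --socks -s cred_audit.py   (field names are logged, values never)"""
import json
import logging
from urllib.parse import parse_qsl

# Assumed list of field names that usually carry a secret; extend it for the app under test.
SECRET_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token",
               "access_token", "refresh_token", "client_secret", "api_key"}

def find_secret_fields(content_type: str, body: bytes) -> list:
    """Return the sorted names of credential-looking fields in a form or JSON body."""
    ctype = (content_type or "").split(";")[0].strip().lower()  # drop "; charset=..."
    if ctype == "application/x-www-form-urlencoded":
        text = body.decode("utf-8", errors="replace")
        names = [k for k, _ in parse_qsl(text, keep_blank_values=True)]
    elif ctype == "application/json":
        try:
            data = json.loads(body)
        except ValueError:  # malformed or non-UTF-8 body: nothing to report
            return []
        names = list(data.keys()) if isinstance(data, dict) else []  # top level only
    else:
        return []
    return sorted({n for n in names if n.lower() in SECRET_KEYS})

def uses_basic_auth(authorization: str) -> bool:
    """HTTP Basic carries the password base64-encoded, i.e. effectively in the clear."""
    return (authorization or "").strip().lower().startswith("basic ")

class CredentialAudit:
    """mitmproxy addon: request() is called by mitmproxy for every intercepted request."""
    def __init__(self):
        self.findings = []  # one dict per flagged request, inspectable after the session

    def request(self, flow):
        req = flow.request
        try:
            body = req.content or b""  # body with content-encoding (gzip etc.) removed
        except ValueError:
            body = req.raw_content or b""  # broken content-encoding: fall back to raw bytes
        fields = find_secret_fields(req.headers.get("content-type", ""), body)
        basic = uses_basic_auth(req.headers.get("authorization", ""))
        if fields or basic:
            finding = {"url": req.pretty_url, "fields": fields, "basic_auth": basic}
            self.findings.append(finding)
            logging.warning("credential material in request: %s", finding)

addons = [CredentialAudit()]
```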

Links

  1. https://mitmproxy.org/
  2. https://github.com/mitmproxy/mitmproxy