How to intercept encrypted HTTP traffic on a mobile device

Reverse engineering of the Onavo Protect VPN service for Android allowed us to identify the methods that can be used to intercept encrypted HTTPS traffic on a mobile device. In short, the attacker must install their own application and a CA (certificate authority) certificate on the phone.

For example, in the Russian Federation a law has come into effect that requires mandatory pre-installation of specific applications on all smartphones from 2025. In theory, if those applications contain vulnerabilities, this could threaten the security of many users.

As an example of encrypted traffic interception, this technical analysis examines how the Facebook mobile application operates on devices with Onavo Protect installed (a security program that works like a VPN).

Background

From court documents it follows that the surveillance project within the company was called Project Ghostbusters. It was part of the In-App Action Panel (IAPP) program, which used a technique to “intercept and decrypt” encrypted app traffic from Snapchat users and later YouTube and Amazon users. Initially, this was carried out for the purpose of collecting analytics, that is, monitoring user actions.

To do this, the developers used the Onavo Protect program, which Facebook bought in 2013. In 2019 the service was shut down after investigations into its misuse, and the developers were fined.

Technical analysis

In this case, HTTPS traffic was intercepted via a MITM attack. The developers themselves called this technique 'ssl bump', after the function of the same name in the Squid caching proxy. The attack scheme is shown schematically in the title image of the post.

The interception was carried out using the Onavo Protect mobile application, which prompted the user to install the CA certificate into the trusted store on the device. In addition, the function required several permissions on the phone, which the application asked for supposedly “to display traffic statistics”:

Although court documents state that certificates are “generated on the server and sent to the device,” some older versions of the program contain certificates directly within the application as built-in assets, old_ca.cer and new_ca.cer:

The certificates are located in the assets folder:

One of the certificates is valid until 2027. In the application code, a method was found that calls KeyChain.createInstallIntent() to install the certificate:

There is also a procedure to check whether the certificate is installed or not:

This method was used only in earlier versions of the program; since Android 7, the user has had to install certificates manually.
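As an added defensive example (not code from Onavo Protect or from the court documents), the following on-device audit lists any CA certificate that ended up in the trust store by the route described above. It assumes it runs inside an Android app and relies on Android's "AndroidCAStore" KeyStore type, whose aliases are prefixed "system:" for built-in roots and "user:" for roots added later.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;

// Audits the device trust store for CA certificates that were not shipped
// with the OS, which is exactly what an Onavo-style CA install leaves behind.
// Android-only: "AndroidCAStore" is not available on a desktop JVM.
public final class UserCaAudit {

    // One user-installed root and the fields worth logging about it.
    public static final class UserCa {
        public final String alias;
        public final String subject;
        public final String issuer;
        public final Date notAfter;

        UserCa(String alias, String subject, String issuer, Date notAfter) {
            this.alias = alias;
            this.subject = subject;
            this.issuer = issuer;
            this.notAfter = notAfter;
        }
    }

    // Returns every root whose alias starts with "user:". An empty list means
    // no added roots are present. Note that apps targeting Android 7 (API 24)
    // or newer do not trust these roots unless their network security config
    // explicitly opts in, so a hit mainly matters for older apps and for the
    // device as a whole.
    public static List<UserCa> listUserInstalledCas() throws Exception {
        KeyStore store = KeyStore.getInstance("AndroidCAStore");
        store.load(null, null); // the CA store takes no password
        List<UserCa> found = new ArrayList<>();
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!alias.startsWith("user:")) continue; // built-in roots are expected
            X509Certificate cert = (X509Certificate) store.getCertificate(alias);
            if (cert == null) continue;
            found.add(new UserCa(alias,
                    cert.getSubjectX500Principal().getName(),
                    cert.getIssuerX500Principal().getName(),
                    cert.getNotAfter()));
        }
        return found;
    }
}
```

A non-empty result is a useful signal for a device-management or security agent to log, together with the subject and expiry, so that an unexpected root such as one valid until 2027 stands out.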

All device traffic then went through the VPN to infrastructure controlled by the attacker. There the traffic was redirected to a Squid caching proxy configured as a transparent proxy with the ssl bump function enabled.

A copy of the email describing the technique from court documents:

Apart from its main function of collecting analytics from other applications by abusing permissions granted by the user, Onavo has functions to obtain other sensitive data, such as the subscriber's IMSI:

Although this story happened a few years ago, from a technical point of view it is interesting to see how far app developers can go in abusing permissions on mobile phones (a lawsuit against the developer company is currently pending). Also of interest is how the CA installation procedure was launched and how certificates were added to the operating system.

Shortly after the events described, Android 11 was released in 2020; in it, installing your own CA certificate that is trusted by all applications is almost impossible, so on new smartphones developers resort to other techniques, e.g. the Accessibility API.
