Will HTTPS API for a mobile app protect against Wireshark and similar?
Suppose I have a mobile app that calls a server through an HTTPS API.
Would a malicious user be able to install Wireshark + an Android emulator to inspect the API calls and by doing so get access to sensitive data like an API key?
I guess my question is whether Wireshark (or some other tool) can inspect the request before it gets encrypted.
If you control the client, then of course. Anything the client knows, its user can know too.
If you don't control the client, no: an external attacker cannot inspect or change HTTPS traffic unless they know the session key. To get it, they would typically use a forged certificate and get the client to accept it (it won't do that by itself, so we are back to controlling the client).
HTTPS requests are encrypted on your host (the client) before they are sent over the network, so Wireshark does not apply. Wireshark can see the hostname of the HTTPS web server you connect to, but not the URL.
Would a malicious user be able to install Wireshark + Android emulator to inspect the API calls and by doing so get access to sensitive data like an API key?
I guess my question is whether Wireshark (or some other tool) can inspect the request before it gets encrypted.
Yes, it is possible if the user controls the device on which he wants to intercept the API calls.
In the blog post Steal that API Key with a Man in the Middle Attack I show how a proxy tool (MitmProxy) can be used to intercept and introspect HTTPS calls:
While we can use advanced techniques, like JNI/NDK, to hide the API key in the mobile app code, it will not impede someone from performing a MitM attack in order to steal the API key. In fact a MitM attack is easy to the point that it can even be achieved by non developers.
To protect HTTPS calls from being intercepted, introspected and modified, the solution is to use certificate pinning:
Pinning is the process of associating a host with their expected X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host. If more than one certificate or public key is acceptable, then the program holds a pinset (taking from Jon Larimer and Kenny Root Google I/O talk). In this case, the advertised identity must match one of the elements in the pinset.
You can learn how to implement it in the article Securing HTTPS with Certificate Pinning on Android:
In this article you have learned that certificate pinning is the act of associating a domain name with their expected X.509 certificate, and that this is necessary to protect trust based assumptions in the certificate chain. Mistakenly issued or compromised certificates are a threat, and it is also necessary to protect the mobile app against their use in hostile environments like public wifis, or against DNS Hijacking attacks.
You also learned that certificate pinning should be used anytime you deal with Personal Identifiable Information or any other sensitive data, otherwise the communication channel between the mobile app and the API server can be inspected, modified or redirected by an attacker.
Finally you learned how to prevent MitM attacks with the implementation of certificate pinning in an Android app that makes use of a network security config file for modern Android devices, and later by using TrustKit package which supports certificate pinning for both modern and old devices.
While certificate pinning raises the bar, it is still possible to intercept, introspect and modify HTTPS traffic, because it can be bypassed, as I demonstrate in the article Bypassing Certificate Pinning:
In this article you will learn how to repackage a mobile app in order to make it trust custom ssl certificates. This will allow us to bypass certificate pinning.
Conclusion
While certificate pinning can be bypassed, I still strongly recommend using it, because it still applies when the user is not the one trying to perform a Man in the Middle attack:
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. One example of a MITM attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted wireless access point (Wi-Fi[1][2]) could insert themselves as a man-in-the-middle.[3]
Want to go the extra mile?
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
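The answer above quotes the definition of a pinset but does not show what actually gets compared. The following is an added example, written for this page; it is not code from the answer, from TrustKit, or from the Android network security config, but a Python rendering of the check those mechanisms perform. A public-key pin is base64(SHA-256(SubjectPublicKeyInfo DER)), the value format the Android `<pin digest="SHA-256">` element and TrustKit expect. The certificates are built inline with a tiny DER encoder, their key bytes are made up, and the backup pin is a placeholder, so nothing here is a real key or a real pin.

```python
"""Added example (not code from the answer above, from TrustKit, or from
the Android network security config): how a public-key pin is computed and
checked. A pin is base64(SHA-256(SubjectPublicKeyInfo DER)), the value
format the Android <pin digest="SHA-256"> element and TrustKit expect.
The certificates are built inline with a tiny DER encoder; their key bytes
and the backup pin are made up, so nothing here is a real key or pin."""
import base64
import hashlib

SEQ, INT, BITSTR, NULL, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")     # OID 1.2.840.113549.1.1.1
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")    # OID 1.2.840.113549.1.1.11


# ---- minimal DER encoder, used only to build the sample certificates ------
def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                                   # long form: 0x8N + N length bytes
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def fake_certificate(serial: int, public_key_bytes: bytes) -> bytes:
    """Structurally valid X.509 v3 DER (names empty, signature zeroed)."""
    sig_alg = tlv(SEQ, tlv(OID, SHA256_WITH_RSA) + tlv(NULL, b""))
    key_alg = tlv(SEQ, tlv(OID, RSA_ENCRYPTION) + tlv(NULL, b""))
    spki = tlv(SEQ, key_alg + tlv(BITSTR, b"\x00" + public_key_bytes))
    validity = tlv(SEQ, tlv(UTCTIME, b"240101000000Z") + tlv(UTCTIME, b"250101000000Z"))
    tbs = tlv(SEQ, tlv(CTX0, tlv(INT, b"\x02"))            # [0] version = v3
                   + tlv(INT, bytes([serial]))
                   + sig_alg
                   + tlv(SEQ, b"")                           # issuer Name (empty, sample only)
                   + validity
                   + tlv(SEQ, b"")                           # subject Name
                   + spki)
    return tlv(SEQ, tbs + sig_alg + tlv(BITSTR, b"\x00" + bytes(32)))


# ---- DER reader: the part a pinning check performs on the peer's leaf ------
def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return tag, buf[start:start + length], start + length


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo element (tag, length and content)."""
    _, cert, _ = read_tlv(cert_der, 0)                      # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                           # TBSCertificate
    pos = 0
    tag, _, end = read_tlv(tbs, pos)
    if tag == CTX0:                                         # optional explicit version
        pos = end
    for _ in range(5):                                      # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, end = read_tlv(tbs, pos)
    if tag != SEQ:
        raise ValueError("malformed certificate: SubjectPublicKeyInfo not found")
    return tbs[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """SHA-256 over the SPKI, base64: the value written into a pinset."""
    return base64.b64encode(hashlib.sha256(subject_public_key_info(cert_der)).digest()).decode()


def cert_sha256(cert_der: bytes) -> str:
    """Hash of the whole certificate, for contrast: it changes on every renewal."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()


def pin_matches(cert_der: bytes, pinset: set) -> bool:
    """The check a pinned client runs after normal chain validation."""
    return spki_pin(cert_der) in pinset


# Constructed sample data: the server's key, a renewed certificate for the
# same key, and the certificate a MitM proxy would present for the host.
SERVER_KEY = bytes(range(1, 65))
PROXY_KEY = bytes(range(64, 0, -1))
SERVER_CERT = fake_certificate(1, SERVER_KEY)
RENEWED_SERVER_CERT = fake_certificate(2, SERVER_KEY)
PROXY_CERT = fake_certificate(3, PROXY_KEY)
BACKUP_PIN = "placeholderBACKUPpinForAnOfflineKey000000000="     # made-up backup pin
PINSET = {spki_pin(SERVER_CERT), BACKUP_PIN}

if __name__ == "__main__":
    print("pin:", spki_pin(SERVER_CERT))
    print("server cert accepted:  ", pin_matches(SERVER_CERT, PINSET))           # True
    print("renewed cert accepted: ", pin_matches(RENEWED_SERVER_CERT, PINSET))   # True
    print("proxy cert accepted:   ", pin_matches(PROXY_CERT, PINSET))            # False
```

Two practical points fall out of the example. Pinning the SubjectPublicKeyInfo rather than the whole certificate means a renewed certificate for the same key still matches, while a proxy certificate for a different key (the mitmproxy case from the answer) is rejected even if the device trusts the proxy's CA. And because a pinset may hold several acceptable keys, it should always include a pin for a backup key kept offline; otherwise a lost or rotated server key locks every installed copy of the app out of the API until an update ships.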