The practical exercises are meant to foster your understanding of topics related to the lecture. In this course we pursue an approach that is slightly different from what you might have experienced in other courses: your own ideas may form part of an assignment. Instead of exercises in which every student solves the same task, the seminar-style class lets us highlight your individual contribution. What does that mean in practice? During the course you get two assignments. The first task introduces you to the subject; the second challenges your individual skills and should let you work on a project, related to the lecture, that you enjoy.
The steps for each of the apps are:

1. Try to intercept its traffic using a proxy server.
2. If the application uses only HTTP, or it uses HTTPS with insecure certificate validation (i.e. the proxy CA is accepted): document this and go to step 6.
3. If you use an iOS device that is not jailbroken: find another app and go to step 1.
4. Decompile the application to figure out how certificate pinning is implemented (using apktool/jadx or Ghidra/Hopper):
   - Is an HTTP library used?
   - Android: Is a custom TrustManager or HostnameVerifier used?
   - Android: Is the Network Security Configuration (NSC) used?
5. Android: If no NSC is present (the secure default) or a secure NSC is used, make it insecure:
   - Modify the NSC to trust user-installed certificates.
   - Recompile and re-sign the APK.
   - Install the re-signed APK and proceed.
   - (If the modified APK crashes due to APK signature verification: document the crash in detail and go to step 7.)
6. Analyse the server communication:
   - Is any sensitive information sent from the device?
   - Is there any hard-coded secret in the app (e.g. authorisation tokens, …)?
   - Does the app collect analytics?
   - Any other interesting find in the communication?
7. Document all findings in a report (submit a PDF document including screenshots and textual analyses).
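Steps 4 and 5 hinge on reading a Network Security Configuration correctly: which trust anchors apply to release builds, which only to debuggable builds, and whether cleartext is allowed. The following script is an added example (not part of the assignment or of any listed tool) that audits a decompiled `network_security_config.xml` for exactly those points. Both sample configurations embedded in it are constructed for illustration; the host name and the pin values are placeholders, and the script assumes the file it is given is the one referenced by `android:networkSecurityConfig` in the manifest (an NSC that is not referenced from the manifest has no effect).

```python
"""Audit an Android Network Security Configuration for release-build trust weaknesses."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a secure NSC. Release builds trust only system CAs, pin the
# API host, and forbid cleartext. User-installed CAs are trusted only inside
# <debug-overrides>, which Android applies only when android:debuggable="true".
# Host name and pin values are placeholders, not real data.
SECURE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.test</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">PLACEHOLDERPINAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">PLACEHOLDERPINBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

# Constructed sample: the shape of an NSC that trusts user-installed CAs (and here
# also permits cleartext) in every build, i.e. what step 5 of the assignment produces.
INSECURE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>
"""


def audit_nsc(xml_text):
    """Return a list of findings that weaken release-build transport security.

    Only <base-config> and <domain-config> sections count: <debug-overrides>
    is ignored by Android unless the app is debuggable, so trusting user CAs
    there is the recommended way to keep a proxy CA out of production builds.
    Nested <domain-config> entries are attributed to their outermost scope.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        return ["root element is not <network-security-config>"]

    findings = []
    for cfg in root:
        if cfg.tag == "debug-overrides":
            continue
        scope = cfg.tag
        if cfg.tag == "domain-config":
            domains = [d.text.strip() for d in cfg.findall("domain") if d.text]
            scope = "domain-config(" + ", ".join(domains) + ")"
        if cfg.get("cleartextTrafficPermitted", "false").lower() == "true":
            findings.append(f"{scope}: cleartext traffic permitted")
        # iter() also walks nested domain-config and trust-anchors elements
        for cert in cfg.iter("certificates"):
            if cert.get("src") == "user":
                findings.append(f"{scope}: user-installed CAs trusted in release builds")
    return findings


def is_release_secure(xml_text):
    """True when the NSC yields no release-build findings."""
    return audit_nsc(xml_text) == []


if __name__ == "__main__":
    # Usage: python audit_nsc.py res/xml/network_security_config.xml
    # Without an argument the two constructed samples are audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"secure sample": SECURE_NSC, "insecure sample": INSECURE_NSC}
    for name, text in samples.items():
        result = audit_nsc(text) or ["no release-build weaknesses found"]
        print(name)
        for line in result:
            print("  -", line)
```

When writing the report for step 5, this distinction is what you should document: whether the user-CA trust anchor you observed (or introduced) sits in `<debug-overrides>`, which a release build ignores, or in `<base-config>`/`<domain-config>`, which every build honours.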
Below is a small list of task-related links that may help you deepen your understanding of what you are expected to do.
- JADX: Tool for decompiling Android APKs
- Apktool: Tool for decompiling and recompiling Android APKs
- Uber-APK-Signer: Simplified APK signing
- Network Security Configuration