Advanced guide - How to use PiRogue to intercept the TLS traffic of a mobile app

Objective

The objective of this guide is to provide a step-by-step procedure allowing you to intercept and decrypt the TLS traffic of an Android application using PiRogue capabilities.

Mobile application dynamic analysis

Mobile application dynamic analysis is a sophisticated approach to evaluating the behavior of mobile apps while they are actively running on a real device or an emulator. Unlike static analysis, which examines the app’s code without executing it, dynamic analysis observes the app’s actions and interactions in real-time, providing a deeper understanding of its runtime behavior and potential security vulnerabilities.

Dynamic analysis involves executing the app in a controlled environment and monitoring its interactions with the operating system, network resources, and other applications. This process reveals how the app handles user input, processes data, and communicates with external services. By observing these behaviors, security analysts can identify potential vulnerabilities, such as improper data handling, insecure network communications, or unauthorized access to sensitive resources.

The outcomes of mobile application dynamic analysis can provide valuable insights into the app’s security posture and potential risks:

  • Identifying hidden behaviors: Dynamic analysis can uncover hidden or obfuscated behaviors that may not be evident from static code inspection. This includes actions triggered by specific user inputs, interactions with external servers, or malicious code hidden within legitimate app functions.

  • Detecting runtime vulnerabilities: Dynamic analysis can expose vulnerabilities that manifest during runtime, such as buffer overflows, memory leaks, or improper input validation. These vulnerabilities may not be detectable through static analysis, as they only occur when the app is actively processing data or interacting with external systems.

  • Analyzing network communications: Dynamic analysis allows for monitoring of network traffic generated by the app, revealing potential data leaks, insecure communication protocols, or connections to suspicious servers. This can help identify unauthorized data transfers or potential backdoors for attackers.

  • Evaluating app resilience: Dynamic analysis can assess the app’s resilience to unexpected inputs or abnormal conditions. This includes testing how the app handles malformed data, unexpected user actions, or attempts to exploit vulnerabilities.

  • Understanding app permissions: Dynamic analysis can reveal how the app utilizes permissions granted to it, such as access to contacts, location data, or device sensors. This can uncover excessive or unauthorized permission usage that could pose privacy risks.

In summary, mobile application dynamic analysis provides a comprehensive assessment of an app’s behavior and security posture, uncovering hidden vulnerabilities, analyzing runtime interactions, and evaluating overall resilience. This approach plays a crucial role in ensuring the security and privacy of mobile applications and protecting users from potential threats.

The PiRogue is designed to conduct mobile application dynamic analysis on real devices using tcpdump to capture the entire network traffic and using Frida to instrument the application to be analyzed.

Mobile application dynamic instrumentation is a powerful technique for modifying and monitoring the behavior of mobile apps while they are actively running. It involves injecting custom code into the app’s runtime environment, enabling real-time observation and manipulation of its functions, data flows, and interactions with the operating system.

Dynamic instrumentation provides a deeper understanding of an app’s inner workings, allowing for various security and debugging tasks:

  • Hooking functions: Intercept and modify the behavior of specific functions within the app, enabling the analysis of data passed to or from those functions.

  • Monitoring data flows: Track the movement of data within the app, revealing how it handles sensitive information, communicates with external services, or stores data locally.

Frida is a popular open-source dynamic instrumentation toolkit that facilitates these tasks. It provides a cross-platform framework for injecting custom JavaScript code into running apps on various platforms, including Android, iOS, and desktop operating systems. Frida’s capabilities include:

  • Intercepting function calls: Frida can intercept calls to specific functions within the app, allowing for modification of their behavior or analysis of their parameters and return values.

  • Monitoring memory access: Frida can monitor memory access patterns, revealing how the app allocates, reads, and modifies data in memory.

  • Manipulating app state: Frida can modify app variables, alter control flows, and inject events, enabling fine-grained control over the app’s behavior.

Frida’s versatility makes it a valuable tool for security researchers, reverse engineers, and app developers who need to understand and manipulate the inner workings of mobile apps at runtime.

More precisely, PiRogue uses Frida to:

  • Retrieve TLS encryption keys directly from the device’s memory allowing TLS traffic decryption afterwards.
  • Capture all AES and RSA cryptographic operations by retrieving initialization vectors, algorithms, ciphertext and cleartext allowing to decrypt encrypted payloads.
  • Save device’s identifiers and properties such as IMEI, advertising ID and carrier name allowing automatic data identification afterwards.
  • Trace all operations on socket allowing to identify the stack trace that carried out a specific network communication.

To conduct the analysis of an application installed on the rooted Android device dedicated to dynamic analysis and the device is connected with both USB and Wi-Fi to the PiRogue, the command

$ pirogue-intercept-gated -o <path to the output directory>

will take care of starting the network traffic capture, the instrumentation of the application and the recording of the device’s screen.

Before starting the capture, the command will install the Frida server on the mobile device of the same version as the version of Frida that is installed on the PiRogue. Once installed, the command will start capturing the network traffic, recording the screen of the device and instrumenting any app or process that is spawned until the capture is stopped.

The Frida scripts used to instrument the application and the operating system can be reviewed on GitHub.

It is possible to open the PCAP file with Wireshark and specify the key log file in Settings > Protocols > TLS. This way, Wireshark will automatically decrypt TLS traffic.

TLS traffic decryption techniques

Decrypting TLS-encrypted network traffic of a mobile application requires specialized techniques to overcome the security measures employed by the app and the underlying operating system. Two primary techniques can be employed for this purpose:

Man-in-the-Middle (MITM) attack

MITM attacks involve intercepting and modifying the communication between the mobile app and its intended server. This requires positioning a proxy or a custom certificate authority (CA) between the app and the server, effectively impersonating the server to the app and vice versa.

To establish the MITM attack, the device’s trust store needs to be modified to accept the custom CA certificate. This can be achieved by installing a custom root certificate on the device or configuring the app to trust a specific proxy. Once the MITM proxy is in place, it can intercept the encrypted traffic, decrypt it using its own private key, and re-encrypt it before forwarding it to the intended server.

Retrieving TLS Keys from device memory

This technique involves extracting the TLS session keys directly from the device’s memory while the app is actively communicating with the server. This requires root access or a jailbroken device to gain access to the memory space where the keys are stored.

Once root access is obtained, tools like Frida can be used to hook into the app’s memory and extract the TLS session keys. These keys can then be used to decrypt the captured network traffic offline, revealing the plaintext communication between the app and the server.

Certificate Pinning is a security measure that aims to prevent MITM attacks by embedding the server’s certificate or its public key hash directly into the mobile app. This allows the app to verify the authenticity of the server’s certificate during communication, ensuring that it is not being intercepted by a malicious proxy.

With certificate pinning in place, the app will only trust connections to the server if the presented certificate matches the embedded one. This makes it more difficult for attackers to successfully perform MITM attacks, as they would need to compromise the app itself or the device’s operating system to bypass the pinning mechanism. Disabling certificate pinning requires root access or a jailbroken device to dynamically modify the behavior of the application.

Certificate pinning enhances the security of mobile app communications, but it also poses challenges for legitimate security analysis and penetration testing. In such cases, techniques like dynamic instrumentation or memory dumping may be required to bypass pinning and gain access to the encrypted traffic.

This Frida script used by the PiRogue aims to intercept and log TLS (Transport Layer Security) key material used by an Android application. It achieves this by hooking into the OpenSSL library and its associated functions responsible for creating and managing SSL contexts.

The script defines a function log_ssl_keys(), which serves as the main entry point for the keylogging process. It first attempts to hook into the standard libssl.so library, the default OpenSSL library used by most applications. It calls _log_ssl_keys() to attach a callback function to the SSL_CTX_new function, which is responsible for creating new SSL contexts.

The _log_ssl_keys() function defines a custom callback function log_key() that gets invoked whenever a new SSL context is created. This callback function retrieves the SSL key material from the context and logs it to the console and a file named sslkeylog.txt.

The script also handles the scenario where the application relies on Google’s Conscrypt security provider, which uses a different OpenSSL library. It identifies the relevant Conscrypt libraries and hooks into their SSL_CTX_new functions using the same approach as with the standard libssl.so.

In addition, the script intercepts the dlopen function, which is responsible for loading dynamic libraries. This allows the script to hook into the Conscrypt libraries even if they are loaded after the script has started running.

Requirements

To follow this recipe, you need:

  • an up-to-date PiRogue
  • a rooted Android device

Procedure

PiRogue comes with a pirogue-intercept-* helpers to help you intercept encrypted TLS traffic from applications, even in presence of TLS certificate pinning.

These helpers are meant to:

  • capture the network traffic
  • instrument a specific application or any launched application

First, SSH onto your PiRogue. Attach your smartphone to the PiRogue through USB and make sure “USB debugging” is on and working.

Make sure to enable ADB Transfer files by clicking on the Android System notification.

Then check if the PiRogue sees your device by running the command:

adb devices

You should see your device listed. If not, be sure to use the right USB cable for your device. If the issue remains, check that you have the rights to interact with USB devices. To do so, run the command groups to list the groups you belong to and check if the group plugdev is listed. If not, execute the following command sudo usermod -aG plugdev $LOGNAME and reboot.

Identify and install the application

Android applications are identified by their package name. As an example, the French weather forecast application is fr.meteo. You can get the package name either from Google Play URL or from any tool analyzing Android apps such as Pithus, Virus Total, etc. In our example, the Google Play URL looks like https://play.google.com/store/apps/details?id=fr.meteo, the package name of the application is specified after id=.

Once you have identified the application you want to analyze, you have to download and install it on your target device. If you need to download the application from Google Play, we recommend to use apkeep (not installed by default on PiRogue).

Finally, to install the application, run the following command:

adb install <APK file>

If your application contains multiple APKs (like in XAPK), use the command adb install-multiple <list all apks>.

Don’t launch the application.

Instrument and intercept

Once the application to be analyzed is installed on your Android device, connect your device to the PiRogue Wi-Fi network and run the following command:

pirogue-intercept-gated -o $(date +%Y%m%d%H%M)_output

Limitations

PiRogue does not support all TLS libraries. This means that the PiRogue may not be able to capture some TLS traffic.

Adapt the command according to your output directory of choice. Once started and showing Waiting for data, manually launch the application you want to analyze.

Command capturing TLS traffic

Now, interact with the application freely. When you are done interacting with the app, hit Ctrl+C on your keyboard to stop interception.

Tips

Make sure that the application you want to be analyzed is not running in background. You can, for example, force stop it in Settings > Apps, select the application and click on Stop.

If you want to continue the analysis in Colander, jump to our guide on how to use Colander to analyze the network traffic of an app.

Decrypt the traffic

If we run the previous command with sudo, we have to fix the permissions of generated files by running:

sudo chown -R pi:pi <path to the output directory>

Then enter the output directory with:

cd <path to the output directory>
Command fixing file permissions

Next, we generate a PCAPNG file containing both the TLS keys and the captured traffic:

editcap --inject-secrets tls,sslkeylog.txt traffic.pcap decrypted.pcapng

Next, we export the decrypted traffic in JSON:

tshark -2 -T ek --enable-protocol communityid -Ndmn -r decrypted.pcapng > traffic.json
Command decrypting TLS traffic

Finally, to view the decrypted traffic, run:

pirogue-view-tls -i traffic.json -t socket_trace.json
Command displaying TLS traffic

Note

The display of the stack trace has been added to pirogue-cli in version 1.0.5. Be sure to upgrade your PiRogue.

If you face any issue, join the Discord channel to get help.

Generated files

The commands pirogue-intercept-single and pirogue-intercept-gated generate the following files:

  • aes_info.json contains all AES and RSA encryption/decryption operation with both cleartext and cyphertext
  • device.json contains various information about the device such as IMEI, Android version
  • experiment.json contains timing information such as the start and end date of the experiment
  • screen.mp4 contains the video recording of the device’s screen
  • socket_trace.json contains the stack trace of all operations on sockets (open, close, read, write…)
  • sslkeylog.txt contains the TLS encryption keys in the NSS key log format
  • traffic.pcap contains the entire network traffic captured during the experiment
  • ad_ids.txt contains all Android advertising IDs issued during the experiment

Did you know?

You can open the PCAP file with Wireshark and specify the key log file in Settings > Protocols > TLS. This way, Wireshark will automatically decrypt TLS traffic.