如何保护 android 应用免受网络流量捕获
How to secure android app from network traffic capturing
我的应用正在发出一些 http 请求,我不希望其他人看到这些请求的内容。目前,我可以使用 Fiddler 轻松检查我的应用程序在做什么。现在,为了跟踪我 phone 上的网络流量,我不得不更改我的 Wi-Fi 设置并使用代理服务器连接到 Internet。即我的电脑。是否可以通过编程方式检查 phone 是否正在使用代理?如果知道 phone 正在使用代理,我会通过显示一些错误对话框来禁止用户使用该应用程序。有什么方法可以解决这个问题吗?我见过应用程序可以在正常的 Wi-Fi 设置下工作,但在使用代理时不能,因此我认为有一个解决方案。顺便说一下,我正在使用改造库来提出请求。
将您的流量转为使用 HTTPS 将帮助保护它免受像 Fiddler 这样的网络窥探。
但是,Fiddler 可以在用户的帮助下解密 HTTPS 流量,这意味着您不能只使用 HTTPS,您还需要实施证书固定,客户端代码验证服务器是否提供了一个特定的证书(不是Fiddler 生成的拦截证书)。
然而,即使这样也不能真正解决问题,因为用户可以简单地越狱他们的设备并禁用您的证书固定代码。
您可能应该退后一步,重新考虑您具体要防范的威胁是什么,然后适当地更新您的问题。
public static boolean isNetworkConnected(final Context context) {
boolean cks = false;
final Activity activity = (Activity) context;
ConnectivityManager connMgr = (ConnectivityManager)
context.getSystemService(Context.CONNECTIVITY_SERVICE);
boolean isvpnConn = false;
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
for (Network network : connMgr.getAllNetworks()) {
NetworkInfo networkInfo = connMgr.getNetworkInfo(network);
if (networkInfo.getType() == ConnectivityManager.TYPE_VPN) {
isvpnConn |= networkInfo.isConnected();
AlertDialog.Builder alert = new
AlertDialog.Builder(getActivity());
alert.setMessage("Sonthing want wrong!! Please
disconnect VPN and try again.")
.setPositiveButton("OK", new DialogInterface.OnClickListener() {
public void onClick(DialogInterface dialog, int which) {
dialog.dismiss();
activity.finish();
activity.finishAffinity();
}
}).setNegativeButton("Cancel", null);
AlertDialog alert1 = alert.create();
alert1.show();
cks = false;
} else {
cks = true;
}
}
}
return connMgr.getActiveNetworkInfo() != null && connMgr.getActiveNetworkInfo().isConnected();
}
以编程方式检查代理
Is it possible to programmatically check whether phone is using proxy?
是的。查看对 this Whosebug anser 的回复。
If knew that phone is using proxy I would forbid user using the app by showing some error dialog.
客户端的任何代码 运行 都可以在运行时由攻击者在他通过使用检测框架控制的设备上进行操作,例如
Frida:
Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
可能的解决方案
My app is making some http requests and I don't want others to see the content of those requests.
您遇到了一个艰巨的挑战。让我们看看您的一些选择...
证书固定
存在多种技术来实现证书固定,但自从 Android API 24 以来,它通过网络安全配置文件得到了本机支持。我已经写了文章 Securing HTTPS with Certificate Pinning 来展示它是如何做到的:
In order to demonstrate how to use certificate pinning for protecting the https traffic between your mobile app and your API server, we will use the same Currency Converter Demo mobile app that I used in the previous article.
In this article we will learn what certificate pinning is, when to use it, how to implement it in an Android app, and how it can prevent a MitM attack.
绕过证书固定
存在多种方法,例如使用检测框架或重新打包移动应用程序。
请记住,仅仅因为可以绕过证书固定并不意味着您不应该在您的移动应用程序中使用它,相反,我们强烈建议您这样做。
使用检测框架
不幸的是,Frida 也可以用来绕过证书固定,我写了一篇文章 How to Bypass Certificate Pinning with Frida on an Android App 来告诉你如何做:
Today I will show how to use the Frida instrumentation framework to hook into the mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning.
Bypassing certificate pinning is not too hard, just a little laborious, and allows an attacker to understand in detail how a mobile app communicates with its API, and then use that same knowledge to automate attacks or build other services around it.
使用重新打包的移动应用程序
另一种广泛使用的技术是在没有证书固定代码或禁用它的情况下重新打包移动应用程序。我写的文章
Bypassing Certificate Pinning 显示如何删除网络安全配置文件并重新打包移动应用程序:
In this article you will learn how to repackage a mobile app in order to make it trust custom ssl certificates. This will allow us to bypass certificate pinning.
一个可能更好的解决方案
Are there any ways of solving this problem?
所以,您已经看到证书固定是可行的方法,但是一旦它可以被绕过,您就需要一种方法来检测这种绕过,以防止此类攻击。
我建议您阅读 我提出的问题 How to secure an API REST for mobile app?,尤其是部分 加固和屏蔽移动应用程序、保护API服务器和可能更好的解决方案。
您想加倍努力吗?
在任何对安全问题的回答中,我总是喜欢引用 OWASP 基金会的出色工作。
对于移动应用程序
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
我的应用正在发出一些 http 请求,我不希望其他人看到这些请求的内容。目前,我可以使用 Fiddler 轻松检查我的应用程序在做什么。现在,为了跟踪我 phone 上的网络流量,我不得不更改我的 Wi-Fi 设置并使用代理服务器连接到 Internet。即我的电脑。是否可以通过编程方式检查 phone 是否正在使用代理?如果知道 phone 正在使用代理,我会通过显示一些错误对话框来禁止用户使用该应用程序。有什么方法可以解决这个问题吗?我见过应用程序可以在正常的 Wi-Fi 设置下工作,但在使用代理时不能,因此我认为有一个解决方案。顺便说一下,我正在使用改造库来提出请求。
将您的流量转为使用 HTTPS 将帮助保护它免受像 Fiddler 这样的网络窥探。
但是,Fiddler 可以在用户的帮助下解密 HTTPS 流量,这意味着您不能只使用 HTTPS,您还需要实施证书固定,客户端代码验证服务器是否提供了一个特定的证书(不是Fiddler 生成的拦截证书)。
然而,即使这样也不能真正解决问题,因为用户可以简单地越狱他们的设备并禁用您的证书固定代码。
您可能应该退后一步,重新考虑您具体要防范的威胁是什么,然后适当地更新您的问题。
public static boolean isNetworkConnected(final Context context) {
boolean cks = false;
final Activity activity = (Activity) context;
ConnectivityManager connMgr = (ConnectivityManager)
context.getSystemService(Context.CONNECTIVITY_SERVICE);
boolean isvpnConn = false;
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
for (Network network : connMgr.getAllNetworks()) {
NetworkInfo networkInfo = connMgr.getNetworkInfo(network);
if (networkInfo.getType() == ConnectivityManager.TYPE_VPN) {
isvpnConn |= networkInfo.isConnected();
AlertDialog.Builder alert = new
AlertDialog.Builder(getActivity());
alert.setMessage("Sonthing want wrong!! Please
disconnect VPN and try again.")
.setPositiveButton("OK", new DialogInterface.OnClickListener() {
public void onClick(DialogInterface dialog, int which) {
dialog.dismiss();
activity.finish();
activity.finishAffinity();
}
}).setNegativeButton("Cancel", null);
AlertDialog alert1 = alert.create();
alert1.show();
cks = false;
} else {
cks = true;
}
}
}
return connMgr.getActiveNetworkInfo() != null && connMgr.getActiveNetworkInfo().isConnected();
}
以编程方式检查代理
Is it possible to programmatically check whether phone is using proxy?
是的。查看对 this Whosebug anser 的回复。
If knew that phone is using proxy I would forbid user using the app by showing some error dialog.
客户端的任何代码 运行 都可以在运行时由攻击者在他通过使用检测框架控制的设备上进行操作,例如 Frida:
Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
可能的解决方案
My app is making some http requests and I don't want others to see the content of those requests.
您遇到了一个艰巨的挑战。让我们看看您的一些选择...
证书固定
存在多种技术来实现证书固定,但自从 Android API 24 以来,它通过网络安全配置文件得到了本机支持。我已经写了文章 Securing HTTPS with Certificate Pinning 来展示它是如何做到的:
In order to demonstrate how to use certificate pinning for protecting the https traffic between your mobile app and your API server, we will use the same Currency Converter Demo mobile app that I used in the previous article.
In this article we will learn what certificate pinning is, when to use it, how to implement it in an Android app, and how it can prevent a MitM attack.
绕过证书固定
存在多种方法,例如使用检测框架或重新打包移动应用程序。
请记住,仅仅因为可以绕过证书固定并不意味着您不应该在您的移动应用程序中使用它,相反,我们强烈建议您这样做。
使用检测框架
不幸的是,Frida 也可以用来绕过证书固定,我写了一篇文章 How to Bypass Certificate Pinning with Frida on an Android App 来告诉你如何做:
Today I will show how to use the Frida instrumentation framework to hook into the mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning.
Bypassing certificate pinning is not too hard, just a little laborious, and allows an attacker to understand in detail how a mobile app communicates with its API, and then use that same knowledge to automate attacks or build other services around it.
使用重新打包的移动应用程序
另一种广泛使用的技术是在没有证书固定代码或禁用它的情况下重新打包移动应用程序。我写的文章 Bypassing Certificate Pinning 显示如何删除网络安全配置文件并重新打包移动应用程序:
In this article you will learn how to repackage a mobile app in order to make it trust custom ssl certificates. This will allow us to bypass certificate pinning.
一个可能更好的解决方案
Are there any ways of solving this problem?
所以,您已经看到证书固定是可行的方法,但是一旦它可以被绕过,您就需要一种方法来检测这种绕过,以防止此类攻击。
我建议您阅读
您想加倍努力吗?
在任何对安全问题的回答中,我总是喜欢引用 OWASP 基金会的出色工作。
对于移动应用程序
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.