How to use wireshark to find evidence of hacking
In a recent penetration test of a large bank, I was able to transfer money to any account and change any customer’s ATM debit card PIN with no authentication through the bank’s API servers that the mobile application communicates with. While I was able to successfully reverse engineer the Android app using MobSF, I wasn’t so successful in finding the numerous POST and GET requests the mobile app uses when communicating with the bank. (An HTTP POST is a type of HTTP request that instructs the receiving web server to accept and store the contents found in the body of the request, often a file upload or the user’s input to the fields of a web form.) Thus began my adventures into finding a more creative way of finding the correct API calls manually: intercepting the traffic between the bank’s app running on my iPhone and the bank’s API server.

Once I had all of the numerous strings passed between my mobile phone and the bank’s API server snagged in mitmproxy, I was able to load the POST requests, complete with the expected HTTP header fields, into Postman, an API client capable of sending requests to an API server and letting the user inspect the response for further analysis or debugging.

Therefore, I’ve broken this article up into two approaches: one using Wireshark to inspect unencrypted traffic, and another using mitmproxy for the attack I employed against the API server once I had the URIs. While Wireshark cannot be used to inspect the SSL/TLS-encrypted traffic leaving your phone, it is important to use in a penetration test to confirm the mobile app is not sending any sensitive data unencrypted over HTTP. mitmproxy was used as the SSL person-in-the-middle (PITM) tool to decrypt the SSL traffic. Wireshark is shown in this article to provide evidence of the captured network traffic after successfully setting up my iMac to capture my iPhone’s traffic.

This article explains how to intercept the traffic egressing an iPhone using a Mac. In my setup, I’m using an iPhone 11 Max Pro and an iMac Pro 2017 running macOS Catalina 10.15.2.

Step 1: Discover your phone’s unique identifier.

Before doing anything, you’ll first want to make sure Xcode is installed on your Mac. To do so, simply search for Xcode in the Mac App Store.
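As an added example (not the article's own code), here is a small Python check in the spirit of the Wireshark step above: given one plaintext HTTP request as Wireshark's "Follow TCP Stream" would show it, it reports the header and body field names that look sensitive and therefore should never have left the phone without TLS. The host, path and field names in the sample request are constructed.

```python
"""Flag sensitive fields in a plaintext HTTP request captured off the wire.

Added example, not the article's own code. SAMPLE_REQUEST is constructed to
look like an unencrypted mobile-app POST as Wireshark's "Follow TCP Stream"
shows it; host, path and field names are hypothetical.
"""
import json
import re
from urllib.parse import parse_qs

# Names that should never appear in traffic sent without TLS.
SENSITIVE = re.compile(r"pin|passw|secret|token|account|card|ssn|auth", re.I)

# Constructed sample request (hypothetical host, path and fields).
SAMPLE_REQUEST = (
    "POST /api/v1/card/pin HTTP/1.1\r\n"
    "Host: mobile-api.example-bank.invalid\r\n"
    "Authorization: Bearer abc123\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 47\r\n"
    "\r\n"
    '{"accountNumber": "12345678", "newPin": "4321"}'
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def find_sensitive_fields(raw):
    """Return sorted header/body field names that look sensitive."""
    # The body is decoded as JSON or URL-encoded form data by Content-Type,
    # the two shapes a mobile app's POST body normally takes.
    _, headers, body = parse_request(raw)
    found = {h for h in headers if SENSITIVE.search(h)}
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/json") and body:
        fields = json.loads(body).keys()
    elif ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body).keys()
    else:
        fields = []
    found.update(f for f in fields if SENSITIVE.search(f))
    return sorted(found)  # any hit is a finding: the app sent it without TLS
```

Run it over each plaintext request stream exported from the capture; an empty list for every stream is the evidence that nothing sensitive travelled over bare HTTP.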