Reverse engineer an iOS App with Wireshark

I read a lot of news from the 20min.ch website using its iOS app. Every now and then, people start commenting on the articles (and leave behind a lot of silly comments). My goal was to find the URL this data (the comments) is loaded from (for some unexplainable reason :-)). As the website offers its articles as RSS feeds, my assumption was that the app loads the comments via an RSS feed as well.

So how do you eavesdrop on the network traffic between the iPhone and the Internet? The iPhone has four communication interfaces: GSM, WLAN, Bluetooth and USB (neglecting all non-networking interfaces like display, speaker, etc.). There must be a way to eavesdrop on one of those, and the WLAN is the obvious choice. Either your local router supports very detailed logging, or you set up your computer as a router and inspect the transferred packets with Wireshark. Here I describe how to set up your computer as a router.

1. start the Linux OS of your choice
Recent versions of Ubuntu let you create a wireless network managed by your computer out of the box.
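Should you ever build such a setup by hand instead, the essential bit is that the kernel forwards packets between the interfaces (the out-of-the-box Ubuntu setup should take care of this for you); a quick console check, NAT rules omitted:

# 1 means the kernel forwards IPv4 packets between interfaces
sysctl net.ipv4.ip_forward

# enable forwarding for the running system
sudo sysctl -w net.ipv4.ip_forward=1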

2. create a new (infrastructure mode) WLAN

3. name it however you want; for simplicity, security is omitted

4. get your iPhone/iPad and put it into airplane mode
Then, inside the Wi-Fi menu, switch on Wi-Fi and select the newly created WLAN (yes, we are still in airplane mode). This forces the iPhone to route all packets through our WLAN and ensures no data is sent over GSM.

5. start Wireshark as admin (in a console run: sudo wireshark &)
Click on Capture -> Interfaces and choose the WLAN device that communicates with the iPhone (most likely wlan0). Now you capture all network traffic between the iPhone and the Internet.

6. start the app on the iPhone/iPad that you want to inspect
In this example, I analyzed the Facebook app for iOS. The question is where the image data is fetched from.

As an HTTP request involves at least a SYN, SYN-ACK, ACK exchange for connection establishment (and further packets), you best set the display filter in Wireshark to “http”. Then you only see the actual GET requests from the client and the responses from the server.
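For example, with these display filters (the IP address is a placeholder for your iPhone's address):

http
http.request && ip.addr == 192.168.2.100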

Only display the HTTP-relevant packets

Right-click a packet and choose “Follow TCP stream”:

Tracing one TCP conversation

Et voilà, we now know where the app is loading its data from:

Host: photos-f.ak.fbcdn.net (where fbcdn most likely stands for Facebook Content Delivery Network)

GET request path: /hphotos-ak-snc7/426768_3448505663995_658953026_t.jpg

Combining it, we end up with the following URL:

http://photos-f.ak.fbcdn.net/hphotos-ak-snc7/426768_3448505663995_658953026_t.jpg
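You can double-check such a finding by fetching the URL directly from a console, e.g. with curl:

curl -O http://photos-f.ak.fbcdn.net/hphotos-ak-snc7/426768_3448505663995_658953026_t.jpg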

In case SSL is used, you won't see any packets when filtering for HTTP. This means you cannot inspect any packets when the app uses SSL (i.e. https instead of http), which is the very purpose of this encryption protocol.

My first open source project

I recently released my old, long-term project called survey-rocket (a simple online survey tool) on Google Code. I started to refactor the code to make it more readable and maintainable. Although I have invested many hours, there is still a long way to go until it can be considered good code. Basically, I used this project to apply all the best practices found in Clean Code.

Check out the software here

The latest features added to the software are:

  • added email support for sending URLs
  • added workspace reset
  • after clicking “save” once, everything is autosaved

old blog post:
I am proud to announce my new webservice suRRvey.com (service moved!). It is a tool for easy survey creation. It is free and requires no sign-up. It is heavily XML- and XSL-based and only uses AJAX to communicate with the server. It is fully implemented in Java. I am aware of some bugs which are still unresolved. Leave me some feedback if you have suggestions or have found bugs! Happy survey creation!

Speed up your website served by Apache httpd in 2 mins

Slow website? Have you tried turning on file compression? If not, this tweak can speed up your website in an instant.

The Apache documentation of mod_deflate is one way to go. Add the following piece of configuration (copy-pasted from the Apache docs) to your virtual host config (it requires mod_headers and mod_deflate to be enabled):


<Location />
# (1) Insert filter
SetOutputFilter DEFLATE

# (2) Netscape 4.x has some problems…
BrowserMatch ^Mozilla/4 gzip-only-text/html

# (3) Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip

# (4) MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# (5) NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
# the above regex won’t work. You can use the following
# workaround to get the desired effect:
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# (6) Don’t compress images
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary

# (7) Make sure proxies don’t deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</Location>

What is it doing? The first directive is the most important one: it activates compression of the data before it is returned by the webserver. Parts 2-5 are pretty much negligible, as they deal with legacy Netscape browsers and Apache bugs. Number 6 is important, as you do not want to recompress already-compressed data such as images. The last part (7) requires the mod_headers module and deals with proxy caching.
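To verify that compression is active, request a page with an Accept-Encoding header and look for Content-Encoding: gzip in the response headers (www.example.com is a placeholder for your own domain):

curl -s -o /dev/null -D - -H 'Accept-Encoding: gzip' http://www.example.com/ | grep -i content-encoding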

Captcha-protect your website using Apache’s mod_rewrite to expel Google, Facebook and Co.

Problem:

Your website has three sources of traffic:

  • SOMEONE: people browsing the web whom you don’t know
  • FRIENDS: your friends
  • MACHINES: search engines, facebook (when a link is posted, the content of the link is fetched by Facebook), etc.

You want your FRIENDS to have full access to your website, whereas MACHINES should not have any. About the SOMEONEs you don’t particularly care, so they may have access as well.

Requirement:

For any defined part of your website, visitors are asked to solve a captcha in order to prevent MACHINES from accessing the data. Your FRIENDS clicking on a hyperlink in Facebook should not be asked to solve a captcha, to avoid annoyances. SOMEONE else has to solve the captcha to be distinguished from MACHINES.

Solution:

Prerequisites:
  • the captchas are created using reCAPTCHA
  • Apache webserver with mod_rewrite enabled

Locate the config file (e.g. /etc/apache2/sites-available/somedomain.com) and add the following part to your virtual host:
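A minimal sketch of that part, assuming the folder names, the /howdy page and the noauth cookie described below (the exact conditions and flags are an assumption):

RewriteEngine On
# the request targets one of the protected folders ...
RewriteCond %{REQUEST_URI} (somePrivateStuff|noMachinesShouldSeeThat)
# ... the noauth cookie is not present ...
RewriteCond %{HTTP_COOKIE} !noauth
# ... and we are not already on the captcha page
RewriteCond %{REQUEST_URI} !^/howdy
# then forward to the captcha page, remembering the original target
RewriteRule ^(.*)$ /howdy?target=$1 [R,L]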

Now the following happens during every request:

When the request URI contains somePrivateStuff or noMachinesShouldSeeThat (the folders you do not want to be accessible by Google, Facebook, etc.), no cookie named noauth is set (more precisely, the string of cookie key-value pairs does not match “noauth”), and the request is not pointing to yourwebsite.com/howdy, then the request is forwarded to yourwebsite.com/howdy?target=/somePrivateStuff, i.e. a captcha challenge is presented to keep out MACHINES.

Take a look at /howdy/index.php. Depending on whether we have already set the “noauth=IF-ONLY-MACHINES-KNEW-THIS” cookie (note that the cookie is called noauth to stress the point that it is no real authentication and provides no real security!), whether the captcha challenge was answered, and the referrer of the request, the cookie is set and the user is forwarded to the requested resource.
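Stripped of the reCAPTCHA details, its logic could look roughly like this sketch (the cookie name and value come from above; check_captcha_answer() is a placeholder for the actual reCAPTCHA verification):

<?php
// /howdy/index.php -- a sketch, no real security (see the note on the cookie name)
$target = isset($_GET['target']) ? $_GET['target'] : '/';

// cookie already set? then pass the visitor through to the requested resource
if (isset($_COOKIE['noauth']) && $_COOKIE['noauth'] === 'IF-ONLY-MACHINES-KNEW-THIS') {
    header('Location: ' . $target);
    exit;
}

// FRIENDS coming from Facebook skip the captcha; everyone else must solve it
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$fromFacebook = strpos($referer, 'facebook.com') !== false;

if ($fromFacebook || check_captcha_answer($_POST)) { // placeholder for the reCAPTCHA check
    setcookie('noauth', 'IF-ONLY-MACHINES-KNEW-THIS', time() + 3600, '/');
    header('Location: ' . $target);
    exit;
}

// otherwise, render the captcha form (omitted)
?>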

Now your website is at least safe from machines, as they cannot pass the captcha, without annoying your friends, who will not even notice this simple way of protecting your website. Copy-paste a hyperlink pointing to a protected directory into Facebook: Facebook will connect to that link to create a preview of the content, and you will notice that the Facebook server is forwarded to /howdy! So even though you share information, your data remains in your possession.

Test:

Assume that http://manuelbaumann.com/gallery is a directory I don’t want to be accessible by non-humans:

Googling the protected page yields the expected result: the crawler was presented the captcha. Yet clicking on the link forwards you to the correct resource.

Pasting a link to my website on Facebook has the same effect, yet every friend following the link is presented the information immediately.

 

Important notes:

  1. Note that this is security through obscurity.
  2. I just figured out that reCAPTCHA can be found at http://www.google.com/recaptcha. Google could actually bypass a captcha easily, as they obviously “know” all the captcha challenges.
  3. There is no evidence that this kind of information protection works under all conditions. See Disclaimer.