MASTG-TECH-0119: Intercepting HTTP Traffic by Hooking Network APIs at the Application Layer

Depending on your goal while testing the app, sometimes it is enough to monitor the traffic before it reaches the network layer or when the responses are received in the app.

This means that you don't need to deploy a fully fledged MITM attack (including ARP Spoofing attacks, etc.) if you simply want to determine if certain sensitive data is being transmitted to the network. With this approach, you will not interfere with any TLS verification or pinning.

You can use Frida as an alternative.

This technique is also useful for:

  • Intercepting traffic in apps that use custom network stacks.
  • Intercepting traffic in apps built with specific cross-platform frameworks such as Flutter.
  • Intercepting other types of traffic such as BLE, NFC, etc., where deploying a MITM attack might be very costly and complex.
  • Analyzing protocols like MQTT and CoAP, which may require more specialized interception techniques.
  • Monitoring WebSocket traffic, which can also necessitate unique interception strategies.

You just have to hook the right functions, e.g., SSL_write and SSL_read from OpenSSL.

This would work pretty well for apps using standard API library functions and classes; however, there might be some downsides:

  • The app might implement a custom network stack and you'll have to spend time analyzing the app to find out the APIs that you can use. See section "Searching for OpenSSL traces with signature analysis" in this blog post.
  • It might be very time consuming to craft the right hooking scripts to re-assemble HTTP request/response pairs (across many method calls and execution threads). You might find ready-made scripts, even for alternative network stacks, but depending on the app and the platform, these scripts might need a lot of maintenance and might not always work.
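The hooking approach described above (SSL_write/SSL_read) and the reassembly problem from the second downside, as an added example that is not part of the MASTG page or the Frida project: the HTTP reassembly and header check are plain JavaScript, the Frida-specific part only runs inside Frida and assumes the target's libssl exports SSL_write/SSL_read (statically linked OpenSSL needs signature scanning instead). The SENSITIVE list and the sample request are constructed for this example.

```javascript
// Added example, not from the MASTG page: a Frida script hooking OpenSSL's
// SSL_write/SSL_read to log plaintext before encryption / after decryption.
// The HTTP reassembly is plain JS (testable outside Frida); the Interceptor
// part only runs inside Frida and assumes libssl exports these symbols.
const pending = new Map(); // key -> partial plaintext buffered so far
// Feed one chunk for a (direction, SSL*, thread) key. Returns the parsed
// message once the header terminator "\r\n\r\n" has been seen, else null.
function feedChunk(key, chunk) {
  const buf = (pending.get(key) || '') + chunk;
  const end = buf.indexOf('\r\n\r\n');
  if (end === -1) { pending.set(key, buf); return null; }
  pending.delete(key);
  const lines = buf.slice(0, end).split('\r\n');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { startLine: lines[0], headers, body: buf.slice(end + 4) };
}
// Header names worth flagging for sensitive data in transit (illustrative assumption).
const SENSITIVE = ['authorization', 'cookie', 'set-cookie', 'x-api-key'];
function sensitiveHeaders(msg) {
  return Object.keys(msg.headers).filter(h => SENSITIVE.includes(h));
}
// Constructed sample request, split across two "calls" to show reassembly.
const SAMPLE_REQUEST = 'POST /api/login HTTP/1.1\r\nHost: example.test\r\n' +
  'Authorization: Bearer constructed-token\r\nContent-Length: 5\r\n\r\nhello';
function demoParse() {
  feedChunk('demo', SAMPLE_REQUEST.slice(0, 30)); // header block incomplete -> null
  return feedChunk('demo', SAMPLE_REQUEST.slice(30));
}
if (typeof Interceptor !== 'undefined') {
  // int SSL_write(SSL *ssl, const void *buf, int num) and SSL_read(...):
  // the return value is the number of plaintext bytes actually written/read.
  const hook = (name, dir) => Interceptor.attach(Module.getExportByName(null, name), {
    onEnter(args) { this.ssl = args[0]; this.buf = args[1]; },
    onLeave(ret) {
      const n = ret.toInt32();
      if (n <= 0) return;
      const key = `${dir}:${this.ssl}:${this.threadId}`;
      const bytes = new Uint8Array(this.buf.readByteArray(n)); // binary-safe, never throws
      const msg = feedChunk(key, Array.from(bytes, b => String.fromCharCode(b)).join(''));
      if (msg) console.log(`[${dir}] ${msg.startLine} sensitive=${sensitiveHeaders(msg)}`);
    }
  });
  hook('SSL_write', 'write');
  hook('SSL_read', 'read');
}
```

Run it with `frida -U -f <package> -l script.js` on a rooted/jailbroken device; keying on SSL pointer plus thread id keeps interleaved connections from being mixed together.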

See some examples: