{"id":1231,"date":"2013-08-09T15:35:01","date_gmt":"2013-08-09T13:35:01","guid":{"rendered":"http:\/\/securite.intrinsec.com\/?p=1231"},"modified":"2013-08-09T15:35:01","modified_gmt":"2013-08-09T13:35:01","slug":"tester-simplement-la-confidentialite-des-flux-dune-application-mobile","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/tester-simplement-la-confidentialite-des-flux-dune-application-mobile\/","title":{"rendered":"Simply test the privacy of a mobile application&#039;s data streams"},"content":{"rendered":"<p>During audits conducted by Intrinsec on mobile applications, we found that numerous flaws could compromise the confidentiality of HTTP exchanges despite the use of SSL-encrypted streams (see\u00a0<a title=\"REX ARJEL OSSIR\" href=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2013\/06\/REX_-_Homologation_ARJEL_-_Ossir_Paris_-_20130610.pdf\" target=\"_blank\">here<\/a>).<\/p>\n<p>Smartphones and tablets may need to communicate through public WiFi networks where traffic interception is easy, so the risk of information leakage, whether intentional or not, is very real (see <a href=\"http:\/\/www.pcworld.com\/article\/2043095\/heres-what-an-eavesdropper-sees-when-you-use-an-unsecured-wi-fi-hotspot.html\" target=\"_blank\">here<\/a>).<\/p>\n<p>Certificate validation failures are sometimes due to development errors, oversights during test case creation, or the use of external libraries. 
In any case, it is not always easy to verify, during code analysis, that the confidentiality of a mobile application&#039;s HTTP traffic is guaranteed.<\/p>\n<p>Through this article, we therefore wish to address mobile application developers and explain how, by carrying out a simple test, it is possible to validate that an Android or iOS application ensures this level of confidentiality.<\/p>\n<p>Several tools are needed for this:<\/p>\n<ul>\n<li>The Android and\/or iOS SDK, or more precisely the associated emulator (which, as a developer, you are already using).<\/li>\n<li>A web interception proxy performing SSL interception (it terminates the client&#039;s TLS connection with its own certificate and opens a second one to the server), such as Burp Proxy (<a title=\"Portswigger Burp Proxy\" href=\"http:\/\/portswigger.net\/burp\/download.html\" target=\"_blank\">http:\/\/portswigger.net\/burp\/download.html<\/a>) or OWASP Zap (<a title=\"Owasp Zap\" href=\"https:\/\/www.owasp.org\/index.php\/OWASP_Zed_Attack_Proxy_Project\" target=\"_blank\">https:\/\/www.owasp.org\/index.php\/OWASP_Zed_Attack_Proxy_Project<\/a>).<\/li>\n<\/ul>\n<p>We will use Burp Proxy in what follows.<\/p>\n<p><strong>Step 1: Configuring the Burp interception proxy<\/strong><\/p>\n<p>This proxy will allow us to intercept HTTPS traffic in order to validate the application&#039;s behavior in the event of an attack.<\/p>\n<p>By default, Burp opens a listening socket on port 8080 of the machine&#039;s loopback interface. 
If this port is already in use, you will need to choose another one by configuring the application as follows:<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter size-full wp-image-1247\" alt=\"Image_article_proxy1\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2013\/08\/Image_article_proxy1.png\" width=\"828\" height=\"321\" \/><\/p>\n<p>When used within a corporate network, it may be necessary to chain the interception proxy through the corporate proxy (an upstream proxy); this can be done as described below:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-1248\" alt=\"Image_article_proxy2.png\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2013\/08\/Image_article_proxy2.png.png\" width=\"824\" height=\"505\" \/><\/p>\n<p>The final step is to disable HTTP request interception, as the goal here is not to modify the requests made by the application on the fly:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-1249\" alt=\"Image_article_proxy3.png\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2013\/08\/Image_article_proxy3.png.png\" width=\"609\" height=\"229\" \/><\/p>\n<p>At the end of this step we therefore have a proxy intercepting SSL flows and listening on port 8080 (or another port if you have changed it) of the loopback interface.<\/p>\n<p><strong>Step 2: Proxying the emulators<\/strong><\/p>\n<p>The goal is to route the emulators&#039; traffic through the Burp interception proxy to study how the application behaves when its SSL connections are intercepted. This requires configuring the emulators to redirect their traffic through this proxy.<\/p>\n<p>Proxying the Android emulator is easy because the `emulator` command, which launches an emulator, has a `-http-proxy` option. Simply use this option with `localhost:8080` as its parameter. 
It is also possible to add this option directly to the Eclipse debug or run configuration.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1250\" alt=\"Image_article_proxy4.png\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2013\/08\/Image_article_proxy4.png.png\" width=\"755\" height=\"628\" \/><\/p>\n<p>The iOS emulator, on the other hand, has no option to proxy it directly; it is therefore necessary to configure the proxy at the macOS system level:<\/p>\n<p><a href=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2013\/08\/Image_article_proxy5.png.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1251\" alt=\"Image_article_proxy5.png\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2013\/08\/Image_article_proxy5.png.png\" width=\"668\" height=\"561\" \/><\/a> <a href=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2013\/08\/Image_article_proxy6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1252\" alt=\"Image_article_proxy6\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2013\/08\/Image_article_proxy6.png\" width=\"668\" height=\"580\" \/><\/a> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1253\" alt=\"Image_article_proxy7\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2013\/08\/Image_article_proxy7.png\" width=\"651\" height=\"506\" \/><\/p>\n<p><strong>Step 3: Analysis of application behavior<\/strong><\/p>\n<p>Once the application is proxied, observing its behavior allows us to verify whether it can still be used normally while its encrypted stream is being intercepted.<\/p>\n<p>Analyzing the requests in Burp helps identify several potential flaws:<\/p>\n<ul>\n<li>The presence of unencrypted HTTP requests could allow the interception of sensitive information (authentication credentials, cookies, business data, etc.).<\/li>\n<li>The presence of 
encrypted (HTTPS) requests that the proxy intercepts without the application ceasing to function or raising an alert to the user: this means the application accepted the proxy&#039;s certificate, i.e. it does not validate the server certificate.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1254\" alt=\"Image_article_proxy8\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2013\/08\/Image_article_proxy8.png\" width=\"948\" height=\"680\" \/><\/p>\n<p>We recommend performing this simple test to validate the behavior of an external library or before deploying a new application to production. If defects are identified, a code review should be conducted to locate and correct them.<\/p>","protected":false},"excerpt":{"rendered":"<p>As part of the audits conducted by Intrinsec on mobile applications, we observed [\u2026]<\/p>","protected":false},"author":13,"featured_media":1265,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,19],"tags":[67,77,102,68,69],"class_list":["post-1231","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-conseil-ssi","category-soc-securite-operationnelle","tag-android","tag-http","tag-ios","tag-outils","tag-ssl"]}