Capturing HTTPS packets from an Apple iOS app

Posted on 1/13/2016 10:24:06 AM
Not live on the App Store. The certificate can no longer be forged by Apple's internal tools, and if it is replaced, the corresponding app will be deleted by default.

Here we look at capturing HTTPS packets from an iOS app.


Download and install: Charles Proxy


http://www.charlesproxy.com/





As mentioned above, how traffic hijacking occurs is not the focus of this article (see "How does traffic hijacking occur?"). In this example, Charles is used directly as a proxy to hijack traffic, and its SSL proxy is used to simulate a man-in-the-middle attack on an iPhone's HTTPS requests, so that readers can think through the man-in-the-middle attack method and understand how to prevent similar attacks in development.

1) Set up the proxy in Charles

Enable and configure the HTTP proxy and SSL proxy in Charles under Menu -> Proxy -> Proxy Setting:

HTTP proxy settings: remember that the port number is 8888.

SSL proxy settings: under Locations you can set the domain names you want to SSL-proxy. Here Baidu's Baifubao (*.baifubao.com) is used as the simulation target.

2) Set up an HTTP proxy on the iPhone side

Get the IP address of the current machine on the Mac:

ifconfig en0

There is also an easier way: hold down Option and click the Wi-Fi icon in the top menu bar.

You can see that the IP address of the current computer is: 192.168.199.249.

Connect the iPhone to the same Wi-Fi network as the computer. In the iPhone settings, go to Wi-Fi -> the info icon to the right of the connected network -> HTTP Proxy -> Manual, and enter the Mac's IP address and port 8888 from the steps above.

After setup, open Safari and visit a web page. The first time the proxy is used, Charles pops up a confirmation box for the iPhone's proxy request; click Allow. You can then see the iPhone's HTTP requests in Charles. To keep the Mac's own requests from cluttering the view while you debug the proxied iPhone's HTTP requests, uncheck Mac OS X Proxy under Menu -> Proxy in Charles.

If you now visit the proxied target URL http://www.baifubao.com, the page cannot be opened. The iPhone's HTTPS request has been intercepted by Charles, but the iPhone does not trust Charles' certificate, so the SSL handshake fails and the HTTPS connection cannot be established.

3) Forged certificate spoofing

Open Safari on the proxied iPhone and visit http://www.charlesproxy.com/getssl. An interface for installing a configuration profile pops up; the profile contains the Charles root certificate:

Note: This Charles certificate is built into Charles, and you can save and install it directly from the menu Help -> SSL Proxying. The installed profile can be viewed and managed on the iPhone under Settings -> General -> Profile.

Once the installation is complete, the Charles root certificate is added to the system's list of trusted certificates, and certificates issued under it are also trusted by the system. Charles generates an SSL certificate for each domain name configured in the SSL proxy settings earlier, so the forged certificate is accepted as genuine. You can check this with the SSL proxy on the Mac:

4) Validation of results

Download the Baidu app, log in to your account, and go to My -> My Wallet, which accesses Baifubao:

You can see that the content of the HTTPS request packets has been successfully obtained. From this we can guess that the app uses the system's default verification: the system trusts the SSL certificate returned by the man-in-the-middle server, the app trusts that verification, and the SSL handshake succeeds. The app performs no local cross-check of the server certificate. This is a security hazard present in many apps today.
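
The local cross-check that the app above is missing, as an added example that is not part of the original post: a URLSession delegate that keeps the system's chain validation and additionally compares the server's leaf certificate against a fingerprint shipped inside the app. The class name, the host api.example.com and the fingerprint strings are placeholders, and the code assumes iOS 15 or later.

```swift
import Foundation
import Security
import CryptoKit

// Hypothetical delegate (assumes iOS 15+): a server is accepted only if the system
// trusts its chain AND its leaf certificate matches a fingerprint bundled with the app.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    // Placeholder pins: hex SHA-256 of the DER-encoded leaf certificate.
    // Ship the current certificate plus a backup so rotation does not lock users out.
    private let pins: [String: Set<String>] = [
        "api.example.com": ["<sha256-hex-of-current-leaf>", "<sha256-hex-of-backup-leaf>"]
    ]

    func urlSession(
        _ session: URLSession,
        didReceive challenge: URLAuthenticationChallenge,
        completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
    ) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Fail closed: unknown host, a chain the system rejects, or no leaf certificate.
        guard let expected = pins[space.host],
              SecTrustEvaluateWithError(trust, nil),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // The local check: a proxy-issued certificate hashes to a different value.
        let der = SecCertificateCopyData(leaf) as Data
        let fingerprint = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        if expected.contains(fingerprint) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Use this session for every request to the pinned API host.
let session = URLSession(configuration: .ephemeral, delegate: PinnedSessionDelegate(), delegateQueue: nil)
```

With the Charles root certificate installed as in step 3, the system evaluation still succeeds, but the fingerprint comparison fails and the connection is cancelled before any request data is sent.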





