I've got quite a bit of experience using Charles to sniff out traffic being sent out on my iPhones. Almost every app that I choose to reverse engineer has been possible in large part to cURL and Charles. But, for some reason, this one app called Link seems to have a different way of communication with their server. I looked through my entire Chalres session and didn't see any relevant traffic from this app to an API endpoint. I don't have much experience actually making mobile apps, so perhaps there are other ways to process all of the requests that have to be generated upon using the app. But, how could all of the user's data be stored if no requests are being sent from the app to an external server somewhere?
Asked
Active
Viewed 309 times
0
Lance
- 4,736
- 16
- 53
- 90
3 Answers
1
Charles is an HTTP proxy, it is possible another protocol is being used. Possibly directly using TCP/IP connections.
Wireshark will show all packets in gory detail but you will probably not be able to see encrypted data decrypted without the key.
And the Wireshark UI is something to behold. ;-)
zaph
- 111,848
- 21
- 189
- 228
-
If they're using a different protocol, then could it successfully be copied with `cURL`? – Lance Sep 25 '14 at 09:20
-
Sorry, I only use curl with http for testing and know little about it. The docs state these protocols: "DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP" which are all high level, at least above TCP/IP. Wireshark is free other than the cost of getting to know it, at least you will be able to see the actual packets being sent, probably more than you would expect. – zaph Sep 25 '14 at 09:27
0
If the app runs on SSL you wouldn't be able to sniff any traffic either way. I design my apps that way at least. Could this be the case? Does it use port 443 instead of port 80?
nickdnk
- 4,010
- 4
- 24
- 43
-
1I installed Charle's SSL certificate to bypass that whole issue. I can see SSL traffic being sent from my phone for lots of other apps. – Lance Sep 25 '14 at 08:40
-
If you filter all outgoing traffic for the IP of your phone, surely there must be something somewhere. – nickdnk Sep 25 '14 at 08:47
-
1If an app is check the certificates then if can detect the charles certificate and cancel the request. Most banking apps do this, if they don't you should probably not have an account at this bank ;) – rckoenes Sep 25 '14 at 08:47
-
2Yeah, but if it cancels the request then I wouldn't be able to use it, right? I can still use this app normally even while all traffic is being sent through Charles on my MacBook – Lance Sep 25 '14 at 08:51
-
How do you configure your certificates exactly? I am not able to detect traffic in some of the app after login page. What is possible config which can detect the sniffer? also how you set the proxies with charles? – Talk is Cheap Show me Code Jun 21 '19 at 05:25
0
Okay. Have a look at this post: http://www.doubleencore.com/2013/03/ssl-pinning-for-increased-app-security/
SSL pinning might be the answer.
nickdnk
- 4,010
- 4
- 24
- 43
-
1
-
-
As Zaph says this could indicate that it isn't using HTTP. If you just capture all traffic from your iPhone, what destination ports do you get? – nickdnk Sep 25 '14 at 09:19