Flutter is Google's new open source mobile development framework that allows developers to write a single code base and build for Android, iOS, web and desktop. Flutter applications are written in Dart, a language created by Google more than 7 years ago. It's often necessary to intercept traffic between a mobile application and the backend … Continue reading Intercepting traffic from Android Flutter applications
A few weekends ago we participated in the Google CTF. While we didn't make it to the top 10, we did manage to solve quite a few challenges. This is my writeup of FlaggyBird, the only mobile challenge that was available. The challenge The challenge was an .apk that did not require network connectivity. Installing … Continue reading Solving Flaggy Bird (Google CTF 2019)
TL;DR - There are many Android SSL pinning bypass scripts available for Frida. However, those don't always work on obfuscated applications. If the application uses OkHttp, there's an easy way to find a convenient place to bypass the pinning by grepping for the right SMALI string. The target For this blogpost, I've created a little … Continue reading Circumventing SSL Pinning in obfuscated apps with OkHttp
TL;DR: You can configure Burp to use your PKCS#11 (or Belgian eID) card to set up client-authenticated SSL sessions, which you can then intercept and modify. This blog post shows how you can easily view and modify your own, local traffic. In order to complete this tutorial, you still need a valid eID card, and the … Continue reading Intercepting Belgian eID (PKCS#11) traffic with Burp Suite on OS X / Kali / Windows
TL;DR: Follow these steps to intercept traffic using Burp with a self made root CA on Android (or any browser) The problem In a previous blogpost, we presented a Magisk module that easily integrates user certificates into the system CA store in order to bypass Android N's new hardened security model. For instrumenting applications, this … Continue reading Using a custom root CA with Burp for inspecting Android N traffic
Intercepting HTTPS traffic is a necessity with any mobile security assessment. By adding a custom CA to Android, this can easily be done. As of Android Nougat, however, apps don't trust client certificates anymore unless the app explicitly enables this. In this blogpost, we present a new Magisk module, that circumvents this requirement, by automatically adding … Continue reading Intercepting HTTPS Traffic from Apps on Android 7+ using Magisk & Burp
Staying up to date with the latest hot topics in Security is a requirement for any Security Consultant. Going to conferences is a great way of doing this, as it also gives you the opportunity to speak to peers and get a good view into what the security industry and the researchers are up to. … Continue reading NVISO at DEF CON 25
