Analysis of the interaction of mobile Android applications with the APIs of social networks Facebook, Instagram, VK

    It is no secret that most of the major services on the server side use some kind of API ( Application Programming Interface ) to interact with various clients.

    At the NeoQUEST-2016 “confrontation”, Maxim Khazov spoke about various approaches to identifying and using a hidden server API-function on the example of such popular services as VKontakte, Instagram, Facebook.

    In this article, we dwell on the main points of the report and share all electronic materials: a video recording of the speech, a presentation, as well as demonstrations of attacks for each social network in question (everything is under the cut).

    Let’s hint: “walks” on social networks are still ahead of NeoQUEST-2017 participants ,registration for the online phase of which is in full swing!

    How did it sound on NeoQUEST?


    Immediately, as promised, we share the presentation ( tyk ) and the report:



    Why define an API?





    The main goals in this case are two:

    1. Search for vulnerabilities (on the server side or in the interaction protocol).
    2. Automate actions on social networks (everyone’s favorite “bots”).

    Such bots can be called “chameleons,” since they will mimic the official mobile application of the service, performing the same requests with the same structure. On the server side, it will not be easy to distinguish such a bot from a real user of a mobile application.

    How to learn API?


    There are 3 main areas:

    • Study of the documentation (well, if it is!);
    • Network traffic analysis (the easiest way, then selected as the main one);
    • Reverse engineering of a mobile application (the most “hardcore” way, but sometimes you can’t do without it).

    Examples and Demos




    For demonstrations, a Wi-Fi-controlled point was used, as well as proxies for Burp Suite HTTP requests . In this case, all the tested applications interacted with the API using the HTTP protocol and its modifications.

    IMPORTANT!


    The study was conducted in the spring-summer of 2016, at the moment, there may be changes in the architecture of applications and interaction protocols (for example, from November 2016 the VKontakte application for Android no longer supports the HTTP protocol).

    VKontakte and unprotected HTTP protocol


    The VKontakte mobile application for Android by default uses the HTTP protocol, which means (as was shown in the first part of the report, the video of which is at the end of the article):

    1. The application is vulnerable to attacks such as Man in the Middle (MITM). However, the API provides some protection measures against modification and repetition of requests.
    2. It is not difficult to analyze the API used by the application (although there is already open documentation for it).

    The demo shows the interception of unencrypted traffic and the location in it of a request to the API responsible for sending the message.



    Instagram and https


    In the second part of the report, the Instagram application for Android was considered, for interaction with the API it uses the secure protocol HTTPS (HTTP + SSL). This means that in the general case (in the absence of access to the device by the researcher and a fairly modern version of TLS), the interaction protocol is not vulnerable to MITM attacks.

    But, having access to the phone, you can install your root certificate on it and easily decrypt the traffic, replacing certificates for HTTPS connections (BurpSuite can do this automatically). The demonstration shows the interception of encrypted traffic after installing a controlled root certificate on the phone and finding the API request in it, which is responsible for the like to the photo.



    Instagram has a public, documented API for developers. It sets rather strict limits for key functions (likes, subscriptions, posting, etc.). As it turned out, the Instagram application uses a different, private API, in which, of course, there are no such limits.

    What is interesting about this private API in terms of botting? The main difference between the private API is that all important requests are signed with a secret key (unique to the application version). Since the key is stored inside the application, you can get it using the reverse engineering of the application.

    Facebook and SSL Pinning


    In the third part of the report, the Facebook application for Android was considered. This application uses the secure HTTPS protocol + add-in called SSL Pinning to interact with the API .

    SSL Pinning - implementation of API server SSL-certificate in the code of a mobile application. This technology is designed to protect against traffic interception by installing a root certificate on the device and spoofing certificates.

    However, SSL Pinning can be disabled (and even in various ways):

    1. Using decompilation and modification of the application (a difficult way).
    2. By modifying low-level SSL functions on the device (requires root access, it does not always work stably). Android SSL Bypass, iOS SSL KillSwitch programs work on this principle.

    The report demonstrated a way to disable SSL Pinning in the Facebook mobile application for Android (by removing one of the libraries used by the application - libsslx.so) and the subsequent successful interception of traffic.

    As it turned out when analyzing traffic, the Facebook mobile application uses some undocumented API methods (including for registering accounts and logging in).

    An undocumented API method was also found that allows you to get the Facebook user ID by phone number. Here is a demonstration of a possible automated use of the resulting undocumented methods:



    Finally


    If desired, you can always analyze the interaction protocol between the mobile application and the server. Using additional security features (such as SSL Pinning) can only make the researcher more difficult. Therefore, developers should avoid using privileged, undocumented API methods in the application (especially if there is a public and documented API).

    In addition, it is possible to make a bot that will send exactly the same requests as the official mobile application. To combat such bots, it is recommended to complicate the structure of API requests and carefully analyze all the request parameters on the server side.

    At the “confrontation” NeoQUEST-2017 , which will be held June 29 in St. Petersburgas always, there will be classy reports on the most current cybersecurity trends, modern protection mechanisms and ways to circumvent them.

    If you are not from St. Petersburg, feel free to plan your vacation in June and come! White nights, movable bridges, endless rains and NeoQUEST-2017 space-themed reports, demonstrations, contests and prizes - all this awaits you. You can also visit the “confrontation” as a hackquest participant and compete for the main prize - a trip to one of the international conferences on information security! To do this, register here and go through the tasks of the online stage from March 1 to 10 . Perhaps you will turn out to be the best? We learn on March 10 ...

    Also popular now: