Check app security with mitmproxy --mode wireguard

by FelixBauer 1 year ago

GNU/Linux ◆ foot-extra ◆ zsh 249 views

To check if a smartphone (your own or with explicit permission) and its apps correctly validate certificates and or read the unencrypted communication if it doesn’t mitmproxydoes a great job.

In this very short video I demonstrate how mitmproxy allows to easily become man in the middle using its wireguard mode. Just start mitmproxy --mode wireguard. A browser window will open, scan the QR Code with the wireguard app on your phone and open the connection. All data will be relayed through your PC and mitmproxy will do its thing.

Depending on how good the apps on your phone are they should not open connections to servers with:

invalid (untrusted) certificates
valid certificates for the wrong domain (you can try that with a valid letsencrypt certificate you create for this purpose)
revoked certificates
expired certificates
low security or no encryption

You can also import a generated certificate authority to your phone and see which connections are then trusted.

In the video only the very minimal basic usage is showed. The web page that displays the QR code also lists connection and allows some interactions.

Have fun checking your apps

More by FelixBauer

Docker get me Root 00:33

by FelixBauer 7 years ago

useradd creates a log entry while appending to /etc/passwd does not 00:43

by FelixBauer 1 year ago

Containers - docker 02:24

by FelixBauer 6 years ago

Local privilege escalation with sudo via shell escape 01:12

by FelixBauer 1 year ago

See all

You can download this recording in asciicast v2 format, as a .cast file.

Download

Replay in terminal

You can replay the downloaded recording in your terminal using the asciinema play command:

asciinema play 611940.cast

If you don't have asciinema CLI installed then see installation instructions.

Use with stand-alone player on your website

Download asciinema player from the releases page (you only need .js and .css file), then use it like this:

<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="asciinema-player.css" />
</head>
<body>
  <div id="player"></div>
  <script src="asciinema-player.min.js"></script>
  <script>
    AsciinemaPlayer.create(
      '/assets/611940.cast',
      document.getElementById('player'),
      { cols: 142, rows: 53 }
    );
  </script>
</body>
</html>

See asciinema player quick-start guide for full usage instructions.

While this site doesn't provide GIF conversion at the moment, you can still do it yourself with the help of asciinema GIF generator utility - agg.

Once you have it installed, generate a GIF with the following command:

agg https://asciinema.org/a/611940 demo.gif

Or, if you already downloaded the recording file:

agg demo.cast demo.gif

Check agg --help for all available options. You can change font family and size, select color theme, adjust speed and more.

See agg manual for full usage instructions.