This post was originally published on Medium
It shouldn't come as a surprise that data is gold, and tech and non-tech companies alike are rushing to obtain it. Unfortunately for you and me, that means our privacy, both digital and physical, is being encroached upon. From app developers stealing digital candy from babies to the myriad Facebook privacy violations, all of our activity on any smart device is being tracked, mapped, and then cashed in.
Like prior gold rushes, online privacy has become a very political and nuanced issue; ergo, only a select few are fully aware of the scope and influence of today's 49ers. The intent of this article is to empower you to pan the gold flowing down the data streams of your computer, phone, thermostat, etc. using mitmproxy.
Before we get our hands dirty, let's take a quick look at what we're working with (feel free to skip ahead if you're a know-it-all):
Hypertext Transfer Protocol (HTTP) defines how a client (i.e. your web browser or phone) and a server (i.e. Facebook, Yelp, Google, etc.) converse with one another. It's structured around a request-response cycle. For example, we request the webpage www.google.com and Google responds with the HTML for that page, which in turn makes the browser request the scripts, images and stylesheets the page references. There are a few additional features involving caching and relaying requests, but those are out of the scope of this article.
To prevent eavesdropping and man-in-the-middle attacks (more on this later), HTTP was wrapped in an encryption layer (SSL, now TLS) to give us HTTPS. With HTTPS, the data is encrypted bidirectionally, meaning both the client and the server encrypt what they send. Before the client sends its request, it first verifies the server's identity by checking that the server presents a certificate signed by a CA (Certificate Authority) the client already trusts. There are a few more nuances here, but again, they're out of the scope of this article.
mitmproxy is a suite of tools used to intercept and modify the web traffic described above. If we dissect the name, we see it's performing a man-in-the-middle (i.e. MITM) via a proxy server (i.e. an intermediary between the client and server). For HTTP requests, mitmproxy simply receives the request, passes it along to the server, receives the response, then passes it back to you (the client). For HTTPS requests, mitmproxy acts as its own CA: on first run it generates a CA certificate and private key, and then mints, on the fly, a certificate for whatever host you connect to, while it opens a separate, genuine TLS connection to the real server. Now, before you go hacking the world, understand that nothing trusts the mitmproxy CA by default, so you (the client) have to deliberately trust the mitmproxy certificate before it can pull off a successful MITM. That default distrust is exactly what stops a stranger on the coffee shop Wi-Fi from doing the same thing to you.
Let's begin.
brew install mitmproxy
Don't have Homebrew? Install it here (don't worry- Homebrew is trustworthy and a very cool way to install the things you need in life 😇)
mitmproxy --showhost
The first time mitmproxy started, it generated its CA certificate and private key in ~/.mitmproxy. Copy that directory to your Downloads folder with the following command:
cp -r ~/.mitmproxy ~/Downloads/mitm
Two files in there matter: mitmproxy-ca-cert.pem holds only the CA certificate, while mitmproxy-ca.pem also contains the CA's private key. Anything that merely needs to trust the CA should get the -cert file; keep the private key to yourself, because anyone holding it can impersonate every HTTPS site to a device that trusts this CA.
Open the mitm folder and double-click the mitmproxy-ca-cert.pem file (this should open Keychain Access). Double-click the mitmproxy listing, expand the Trust section, and change Secure Sockets Layer (SSL) to Always Trust.
Alternatively, you can visit http://mitm.it, click the Apple symbol, and follow the directions there. That page is served by mitmproxy itself and only appears while your traffic is actually going through the proxy, so you need to set up your browser first (see the next steps); we'll also still need the .mitmproxy directory for Firefox and the phone.
Go to System Preferences > Network > Advanced… > Proxies
From there tick both Web Proxy (HTTP) and Secure Web Proxy (HTTPS), and for each input 127.0.0.1 as the server (left of the colon) and 8080 as the port (right of the colon). Make sure you fill out both; if you only set one, half your traffic bypasses mitmproxy. Click OK and then Apply.
Firefox keeps its own proxy and certificate settings, so it needs configuring separately. Go to Firefox's preferences (command + ,). Scroll to the Network Proxy header and then click the Settings… button (alternatively, just search for “proxy”). In the following screen, select the Manual proxy configuration radio button, and then input 127.0.0.1 as both the HTTP proxy and the HTTPS (SSL) proxy, with 8080 as the port.
Return to the preferences screen; in the Privacy & Security section, scroll to the Security header and under the Certificates sub-header, click the View Certificates… button (alternatively, just search for “certificates”). On the Authorities tab, click the Import… button and select the mitmproxy-ca-cert.pem file from the mitm directory (located in your Downloads folder). Tick “Trust this CA to identify websites” and click OK when finished.
Get your computer's IP address from the System Preferences > Network screen (it's shown in the status text under your Wi-Fi connection). The phone will send its traffic to this machine, which is running mitmproxy, not to the router, so make sure both devices are on the same network.
Next, send the mitmproxy-ca-cert.pem cert (the certificate-only file; don't send mitmproxy-ca.pem, which also contains the private key) to your phone, either via email or AirDrop. Open it; depending on your iOS version it installs directly, or it shows up as a downloaded profile under Settings (General > Profile, or General > VPN & Device Management on newer versions) where you tap Install. In Apple's eyes, this cert looks a bit sketchy, so we also need to explicitly trust it by going to Settings > General > About > Certificate Trust Settings and enabling full trust for root certificates for mitmproxy.
On your phone, in the Settings > Wi-Fi screen, tap the blue ⓘ next to your network's name. Scroll down to HTTP PROXY and set Configure Proxy to Manual. Input your computer's IP address in the Server field and 8080 in the Port field.
mitmproxy is now set up!
If you're not running the proxy, your internet will be broken: every request is sent to 127.0.0.1:8080 and nothing is listening there. Go back and reset your browser/network proxy settings and turn off the HTTP proxy on your phone to go back to the good ol' non-mitmproxied internet :) Once you're finished experimenting for good, also remove or distrust the mitmproxy certificate on each device; a trusted CA whose private key sits in a plain file in ~/.mitmproxy is a standing risk for that device.
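Because the proxy has to be switched on and off every time, the macOS half of the steps above is worth scripting. The following is an added example, not code from the original post or from the mitmproxy project. It assumes (these are assumptions, not facts from the post) that the network service is named "Wi-Fi" on interface en0, that mitmproxy listens on 127.0.0.1:8080, and that the CA lives in ~/.mitmproxy as mitmproxy writes it on first start. The `networksetup`, `security` and `ipconfig` invocations are the command-line equivalents of the System Preferences, Keychain Access and Network screens used above.

```python
"""Toggle the macOS system proxy for mitmproxy, optionally trust its CA, and
print the address the phone should proxy to.

Assumptions (not from the original post): network service "Wi-Fi" on en0,
mitmproxy on 127.0.0.1:8080, CA files in ~/.mitmproxy.

Usage:  python3 mitm_toggle.py on [--trust-ca] [--service Wi-Fi] [--dry-run]
        python3 mitm_toggle.py off [--service Wi-Fi] [--dry-run]
"""
from __future__ import annotations

import subprocess
import sys
from pathlib import Path

PROXY_HOST = "127.0.0.1"
PROXY_PORT = 8080
# Certificate-only file. mitmproxy-ca.pem in the same directory also holds the
# CA private key and should never be imported anywhere or leave this machine.
CA_CERT = Path.home() / ".mitmproxy" / "mitmproxy-ca-cert.pem"


def proxy_commands(enable: bool, service: str = "Wi-Fi",
                   host: str = PROXY_HOST, port: int = PROXY_PORT) -> list[list[str]]:
    """networksetup argv lists equivalent to System Preferences > Network > Proxies.

    Both the HTTP and the HTTPS proxy are set (or switched off), mirroring the
    "fill out both forms" step; forgetting one leaves half the traffic unproxied.
    """
    if enable:
        return [
            ["networksetup", "-setwebproxy", service, host, str(port)],
            ["networksetup", "-setsecurewebproxy", service, host, str(port)],
        ]
    return [
        ["networksetup", "-setwebproxystate", service, "off"],
        ["networksetup", "-setsecurewebproxystate", service, "off"],
    ]


def trust_ca_command(cert_path: Path = CA_CERT) -> list[str]:
    """Equivalent of Keychain Access > mitmproxy > Trust > Always Trust.

    Without -d the CA goes into the login keychain only, so it is trusted for
    this user rather than system-wide.
    """
    keychain = Path.home() / "Library" / "Keychains" / "login.keychain-db"
    return ["security", "add-trusted-cert", "-r", "trustRoot",
            "-k", str(keychain), str(cert_path)]


def lan_ip_command(interface: str = "en0") -> list[str]:
    """Prints this Mac's LAN address: the phone must proxy to this machine, not the router."""
    return ["ipconfig", "getifaddr", interface]


def run_all(commands: list[list[str]], dry_run: bool) -> list[str]:
    """Execute each argv (or only render it when dry_run) and return the rendered lines."""
    rendered = [" ".join(cmd) for cmd in commands]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return rendered


def main(argv: list[str]) -> int:
    if not argv or argv[0] not in ("on", "off"):
        print(__doc__)
        return 2
    enable = argv[0] == "on"
    dry_run = "--dry-run" in argv
    service = argv[argv.index("--service") + 1] if "--service" in argv else "Wi-Fi"

    commands = proxy_commands(enable, service)
    if enable and "--trust-ca" in argv:
        commands.append(trust_ca_command())
    for line in run_all(commands, dry_run):
        print(line)

    if enable:
        ip = "<this Mac's IP>" if dry_run else subprocess.run(
            lan_ip_command(), capture_output=True, text=True, check=True).stdout.strip()
        print(f"Point the phone's HTTP proxy at {ip}:{PROXY_PORT}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

`python3 mitm_toggle.py off` is the one-liner for the "my internet is broken" moment; `--dry-run` shows exactly what would be executed, which is also how to check the service name matches what `networksetup -listallnetworkservices` reports on your machine.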
Let's take a look at the data we're getting in. Fire up mitmproxy and then visit a site of your choosing, say www.wired.com. Before doing so, let's nuke our browser cookies and history and close all the apps on our phone, so that what we see is fresh traffic rather than cached pages and leftover sessions.
mitmproxy --showhost
Take a look at the second request near the big red arrow. On the first line we see the client's request, including:
The second line contains the server's response, including:
Another thing to note is the number at the bottom. By the time the page loaded, the client (i.e. my browser) had made ~100 requests! Keep in mind this includes requests made by browser extensions and trackers as well.
Before we track down some trackers, I want to give you a few shortcuts.
Let's find a tracker! Web beacons (a.k.a. tracking pixels) are often loaded onto a webpage as a tiny, usually 1x1, GIF. Let's find them by pressing f to set a view filter, then typing the following expression, which matches on the response's Content-Type header:
~t gif
Ugh, I'm seeing around 70 results pop up, mostly from Parse.ly or Wired's parent company Condé Nast. Gross. Selecting a random request (by pressing enter) doesn't reveal too much… mostly that I'm on a desktop and they're tracking the time I've been on their site.
How about JSON responses:
~t json
Not too many results, but randomly inspecting a request, I can find my exact location in the response payload… creepy.
Let's take a look at what my phone is spewing out. I've opened up the Dictionary app and here are the results:
More than half of the network activity is dedicated to ads. Sad. After letting it sit a while, my background app activity kicks in. Notice the different HTTP methods: most are WebDAV methods (PROPFIND and PROPPATCH, the XML-based protocol family that calendar and contact sync are built on) or CORS preflight requests (OPTIONS).
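Doing this triage by eye works for one page load, but mitmproxy is scriptable, so the same questions (which hosts are hit most, which responses are tracking pixels, which methods show up in the background) can be answered automatically. The following is an added example, not code from the original post or from the mitmproxy project: an addon that classifies each completed flow and prints a tally on exit, loaded with `mitmdump --showhost -s tracker_tally.py`. The classification and counting are pure Python, so the block also runs offline on the constructed sample traffic in `SAMPLE` (the hosts there are made up for this example and are not real trackers), and the 1024-byte "pixel" threshold is a heuristic of mine, not anything the post or mitmproxy defines.

```python
"""mitmproxy addon that automates the by-hand triage: requests per host, likely
tracking pixels (tiny image responses, the `~t gif` hits), JSON endpoints,
WebDAV methods and CORS preflights.

Run with:  mitmdump --showhost -s tracker_tally.py
Offline:   python3 tracker_tally.py   (runs on the constructed SAMPLE below)
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "REPORT"}
# A 1x1 transparent GIF is ~43 bytes; images under this size are beacons, not content.
# Heuristic chosen for this example, not a mitmproxy setting.
PIXEL_MAX_BYTES = 1024


@dataclass(frozen=True)
class Record:
    method: str
    url: str
    content_type: str  # response Content-Type header, "" if absent
    size: int          # response body length in bytes


def classify(rec: Record) -> str:
    """Bucket one request/response pair the way the post does by eye."""
    ctype = rec.content_type.split(";")[0].strip().lower()
    if rec.method == "OPTIONS":
        return "preflight"
    if rec.method in WEBDAV_METHODS:
        return "webdav"
    if ctype.startswith("image/") and rec.size <= PIXEL_MAX_BYTES:
        return "pixel"
    if ctype in ("application/json", "text/json") or ctype.endswith("+json"):
        return "json"
    if ctype.startswith("text/html"):
        return "page"
    return "other"


def tally(records: Iterable[Record]) -> dict[str, dict[str, int]]:
    """Count requests per host, per kind, and pixels per host (the tracker shortlist)."""
    by_host, by_kind, pixels_by_host = Counter(), Counter(), Counter()
    for rec in records:
        host = urlsplit(rec.url).hostname or "?"
        kind = classify(rec)
        by_host[host] += 1
        by_kind[kind] += 1
        if kind == "pixel":
            pixels_by_host[host] += 1
    return {"by_host": dict(by_host), "by_kind": dict(by_kind),
            "pixels_by_host": dict(pixels_by_host)}


# Constructed sample traffic standing in for a page load plus background sync.
SAMPLE = [
    Record("GET", "https://www.publisher.example/", "text/html; charset=utf-8", 180_000),
    Record("GET", "https://www.publisher.example/static/logo.gif", "image/gif", 18_432),
    Record("GET", "https://pixel.tracker-a.example/px?d=abc", "image/gif", 43),
    Record("GET", "https://beacon.tracker-b.example/i.gif?u=1", "image/gif", 43),
    Record("GET", "https://api.publisher.example/geo", "application/json", 412),
    Record("OPTIONS", "https://api.publisher.example/geo", "", 0),
    Record("PROPFIND", "https://caldav.sync.example/123/calendars/", "text/xml", 2048),
]


def demo() -> dict[str, dict[str, int]]:
    return tally(SAMPLE)


class TrackerTally:
    """mitmproxy addon: one Record per completed flow, report printed on shutdown."""

    def __init__(self) -> None:
        self.records: list[Record] = []

    def response(self, flow) -> None:  # flow is a mitmproxy.http.HTTPFlow
        body = flow.response.raw_content or b""
        self.records.append(Record(
            method=flow.request.method,
            url=flow.request.pretty_url,
            content_type=flow.response.headers.get("content-type", ""),
            size=len(body),
        ))

    def done(self) -> None:
        report = tally(self.records)
        print("requests by kind:", report["by_kind"])
        print("tracking pixels by host:", report["pixels_by_host"])
        for host, n in sorted(report["by_host"].items(), key=lambda kv: -kv[1])[:10]:
            print(f"{n:5d}  {host}")


addons = [TrackerTally()]

if __name__ == "__main__":
    for name, counts in demo().items():
        print(name, counts)
```

On the sample, the logo is correctly left out of the pixel bucket because of its size while the two 43-byte GIFs are flagged, and the OPTIONS and PROPFIND flows land in their own buckets regardless of content type; the per-host counts are what to read for "who is getting most of my traffic".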
Welp, that's about it. I'd encourage you to continue poking around, and please let me know if you find anything weird. This is just the tip of the iceberg: you can also use mitmproxy to modify data streams, which opens the doors to who knows what.
Thanks!