TCP/IP layering
TCP/IP is divided into four layers: the application layer, transport layer, network layer, and data link layer.
- Application layer: the communication activities of the application-layer services provided to users (ftp, dns, http)
- Transport layer: data transmission between the two computers of a network connection (tcp, udp)
- Network layer: handles the packets flowing on the network and chooses the transmission path by which a packet reaches the other side (ip)
- Data link layer: the hardware side of networking, such as network cards and device drivers
HTTP/HTTPS
HTTP
HTTP (HyperText Transfer Protocol) is used to transfer information between a web browser and a website server; it sits at the application layer of TCP/IP.
- Communication is in plain text, so the content can be eavesdropped
- Does not verify the identity of the communicating party, so it may encounter masquerading (impersonation)
- Cannot prove the integrity of a message, so it may be tampered with
HTTPS
The S in HTTPS stands for SSL or TLS: a layer of security for data encryption, decryption and identity authentication added on top of the original HTTP.
- HTTP + encryption + authentication + integrity protection = HTTPS
HTTPS one-way authentication:
HTTPS two-way authentication:
Principle of packet capture
Anti-capture packet: proxy detection
Detect whether a network proxy is in use on the device.
Set the network library (e.g. the okhttp library) to proxy-less mode so that it does not use the system proxy:
HttpURLConnection:
URL url = new URL(urlStr);
// Proxy.NO_PROXY makes the connection go direct, ignoring any system proxy settings
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection(Proxy.NO_PROXY);
OkHttp:
// the same effect for an OkHttp client: a proxy of NO_PROXY disables the system proxy
OkHttpClient client = new OkHttpClient().newBuilder().proxy(Proxy.NO_PROXY).build();
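The detection step above is only described in one sentence. The following added example (not code from the original page) shows how an app can tell whether a request would be routed through a proxy, using the standard Java `http.proxyHost`/`https.proxyHost` system properties and the default `ProxySelector`, and then open a direct `HttpURLConnection` as in the snippet above. The assumption that Android exposes a user-configured Wi-Fi proxy through these properties is stated in the comments; the target URL is a constructed sample.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.net.URL;
import java.util.List;

// Added example: proxy detection plus a proxy-less connection (not from the page).
public final class ProxyCheck {

    // True when a proxy would be used for the given destination.
    // Assumption: the Android runtime publishes a configured proxy through the
    // http(s).proxyHost properties and through the default ProxySelector, as a
    // plain JVM does.
    public static boolean isProxyConfigured(URI target) {
        if (nonEmpty(System.getProperty("http.proxyHost"))
                || nonEmpty(System.getProperty("https.proxyHost"))) {
            return true;
        }
        ProxySelector selector = ProxySelector.getDefault();
        if (selector == null) {
            return false;
        }
        List<Proxy> proxies = selector.select(target);
        for (Proxy p : proxies) {
            // Anything other than DIRECT means traffic would pass through a proxy.
            if (p.type() != Proxy.Type.DIRECT) {
                return true;
            }
        }
        return false;
    }

    // Description of the first non-direct proxy, useful for a security log entry.
    public static String describeProxy(URI target) {
        ProxySelector selector = ProxySelector.getDefault();
        if (selector != null) {
            for (Proxy p : selector.select(target)) {
                if (p.type() != Proxy.Type.DIRECT) {
                    return p.type() + " " + p.address();
                }
            }
        }
        String host = System.getProperty("http.proxyHost");
        String port = System.getProperty("http.proxyPort");
        return nonEmpty(host) ? "HTTP " + host + ":" + port : "none";
    }

    // Opens a connection that bypasses any system proxy, as the page's snippet does.
    public static HttpURLConnection openDirect(URL url) throws IOException {
        return (HttpURLConnection) url.openConnection(Proxy.NO_PROXY);
    }

    private static boolean nonEmpty(String s) {
        return s != null && !s.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        URI target = URI.create("https://api.example.com/v1/ping"); // constructed sample
        if (isProxyConfigured(target)) {
            System.out.println("proxy configured (" + describeProxy(target) + "); refusing to send");
            return;
        }
        HttpURLConnection conn = openDirect(target.toURL());
        conn.setRequestMethod("GET");
        System.out.println("direct connection prepared for " + conn.getURL());
        conn.disconnect();
    }
}
```

The check is a policy decision, not a security boundary on its own: a hooking framework can patch `ProxySelector` or the system properties just as the text's next question points out, which is why the page pairs it with certificate pinning and hook detection.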
How can packets be captured once the code above has disabled the proxy?
Use HOOK technology.
Anti-capture: certificate pinning
SSL-Pinning
- Certificate Pinning: the certificate of the specified domain name is built into the client code, and only that certificate is accepted, rather than any certificate that chains to a CA root certificate built into the operating system or browser.
- Public Key Pinning: the public key is extracted from the certificate and built into the client, and the connection is verified by comparing this pinned key with the one presented by the server.
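Both pinning variants are described above in one sentence each. The following added example (not code from the original page or from the OkHttp project) shows public key pinning with OkHttp's `CertificatePinner`: `spkiPin` computes the value that goes into the client, base64(SHA-256(DER SubjectPublicKeyInfo)), which is the same format OkHttp reports on a mismatch, and `build` configures a client that accepts only that key for the pinned host. The host name and pin strings are placeholders that must be replaced with values taken from the real server certificate.

```java
import java.net.Proxy;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// Added example: OkHttp public key (SPKI) pinning (not from the page).
public final class PinnedClient {

    // Placeholders: replace with the real API host and the pins of its leaf or
    // intermediate key, obtained out of band (e.g. from spkiPin() on the real cert).
    static final String PINNED_HOST = "api.example.com";
    static final String PRIMARY_PIN = "sha256/REPLACE_WITH_REAL_SPKI_HASH_BASE64=";
    static final String BACKUP_PIN  = "sha256/REPLACE_WITH_BACKUP_SPKI_HASH_BASE64=";

    // OkHttp-style pin for a certificate: "sha256/" + base64(SHA-256 over the DER
    // SubjectPublicKeyInfo). getEncoded() on a PublicKey yields exactly that DER.
    public static String spkiPin(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    // Client that refuses any chain whose keys match none of the configured pins.
    // A backup pin for a key held offline lets the server rotate without a
    // forced app update; NO_PROXY mirrors the page's proxy-less setting.
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(PINNED_HOST, PRIMARY_PIN)
                .add(PINNED_HOST, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .proxy(Proxy.NO_PROXY)
                .build();
    }

    public static void main(String[] args) throws Exception {
        OkHttpClient client = build();
        Request request = new Request.Builder()
                .url("https://" + PINNED_HOST + "/v1/ping")
                .build();
        try (Response response = client.newCall(request).execute()) {
            System.out.println("HTTP " + response.code());
        } catch (SSLPeerUnverifiedException e) {
            // Thrown by OkHttp when the presented chain matches no pin; the
            // message lists the pins actually observed, which is what a tester
            // or an incident log wants to see when a proxy CA is in the path.
            System.err.println("pin mismatch, connection refused: " + e.getMessage());
        }
    }
}
```

A pinned client still performs normal chain validation first; the pin check runs on top of it, so a certificate issued by a CA that was added to the device's trust store (the usual packet-capture setup) is rejected at the pin step even though the OS would have trusted it.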
How to crack certificate pinning (SSL-Pinning)
Xposed framework + justTrustme module
- Xposed framework: the widely used HOOK framework on Android. Plug-in modules built on the Xposed framework can hook any application-layer Java function and modify its implementation.
- JustTrustMe plugin: JustTrustMe is an Xposed module used to disable and bypass SSL certificate checks. It hooks all the APIs the Android system uses to verify SSL certificates, so the certificate check is bypassed.
Anti-capture: countering HOOK
- Detect HOOK: check for hook frameworks such as Xposed, Frida and Substrate
- Use a Socket connection: send TCP/UDP traffic over raw Sockets so that it cannot be captured by hooking the application-layer HTTP stack
- Encrypt transmitted data: encrypt the protocol fields for transmission, hide the keys, and harden the application layer
- Native-layer transmission: write the network transmission logic in JNI to raise the bar for decompilation
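The first countermeasure, detecting hook frameworks, is stated as a single bullet. The following added example (not code from the original page) collects three common heuristics in plain Java: whether a framework's classes are loadable from the app's class loader, whether the current call stack contains frames from a hooking package (a hooked method is dispatched through the framework's bridge class), and whether `/proc/self/maps` lists a library with a framework-specific name. The class and library names are assumptions based on the frameworks' default identifiers; a defender should treat these as signals to log and react to, not as proof, since a framework can also hook the checks themselves.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

// Added example: heuristics for detecting hook frameworks (not from the page).
public final class HookCheck {

    // Classes that exist only when the framework is loaded into the process.
    // Assumption: default package names of Xposed and Cydia Substrate.
    private static final String[] HOOK_CLASSES = {
            "de.robv.android.xposed.XposedBridge",
            "de.robv.android.xposed.XposedHelpers",
            "com.saurik.substrate.MS",
    };

    // Stack frames from these packages indicate a hooked call path.
    private static final String[] HOOK_PACKAGES = {
            "de.robv.android.xposed.",
            "com.saurik.substrate.",
    };

    // Library names that a framework maps into the process.
    // Assumption: default names used by Frida, Xposed and Substrate builds.
    private static final String[] MAP_MARKERS = {
            "frida-agent", "frida-gadget", "libxposed", "libsubstrate",
    };

    // Runs all heuristics and returns a list of human-readable findings;
    // an empty list means nothing suspicious was observed.
    public static List<String> findings() {
        List<String> out = new ArrayList<>();
        for (String cls : HOOK_CLASSES) {
            if (classPresent(cls)) out.add("class loadable: " + cls);
        }
        for (String pkg : HOOK_PACKAGES) {
            if (stackContains(pkg)) out.add("stack frame from: " + pkg);
        }
        try {
            for (String marker : mapMarkers("/proc/self/maps")) {
                out.add("mapped library: " + marker);
            }
        } catch (IOException ignored) {
            // /proc/self/maps is absent off Linux; treat as no finding.
        }
        return out;
    }

    static boolean classPresent(String name) {
        try {
            Class.forName(name);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    static boolean stackContains(String packagePrefix) {
        for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
            if (frame.getClassName().startsWith(packagePrefix)) return true;
        }
        return false;
    }

    // Returns the markers found in the memory map; each marker reported once.
    static List<String> mapMarkers(String mapsPath) throws IOException {
        List<String> hits = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new FileReader(mapsPath))) {
            String line;
            while ((line = r.readLine()) != null) {
                for (String marker : MAP_MARKERS) {
                    if (line.contains(marker) && !hits.contains(marker)) hits.add(marker);
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> found = findings();
        if (found.isEmpty()) {
            System.out.println("no hook framework indicators");
        } else {
            for (String f : found) System.out.println("indicator: " + f);
        }
    }
}
```

Call `findings()` before sensitive network operations and log or degrade behaviour on a non-empty result; the other three bullets above (raw sockets, encrypted fields with hidden keys, JNI transport) are what raise the cost once detection alone is no longer enough.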