APP security testing: pitfalls and fixes

During my internship I was exposed to some SDL security testing work. It turned out that I had learned quite a bit about web-side penetration testing but had basically tried very little on the mobile side, so at the beginning I kept running into pitfalls and couldn't even capture packets (T▽T).

Below I record some of the problems I ran into and their solutions. Since the problems are quite basic, I didn't have the nerve to ask my bosses and colleagues for advice and basically worked them out on my own. Go easy on me, and please let me know if I'm wrong~

Mobile packet capture configuration (Android)

Materials: rooted mobile phone, Magisk framework, EdXposed framework, riru-edxposed module

My suggestion is to simply buy a phone that is already rooted, and to ask the seller to install Magisk ("the mask") and the EdXposed framework for you; that saves a lot of time. I bought a rooted Xiaomi phone this way myself.

Once you have the phone, the first step is to import your own Burp certificate, just as for web-side packet capture. Export the CA certificate from Burp (Proxy -> Options -> Import / export CA certificate; Burp writes it in DER format), rename it with a .cer extension, upload it to the phone and install it. On the phone the entry is usually Settings -> Security -> Encryption & credentials, where the certificate can be installed from storage.


After the certificate is installed, configure the proxy; this too is the same as on the web side. Put the phone and the computer on the same network, then add a listener in Burp -> Proxy -> Options: the bind address is the computer's LAN IP (not 127.0.0.1, which the phone cannot reach), the port is whatever you like, and nothing else needs changing.


On the phone, add a manual proxy directly in the Wi-Fi settings. If you find that troublesome you can also use proxy software such as Drony, which routes traffic through a local VPN and therefore also catches apps that ignore the system proxy setting.


With this done you can capture the packets of simple apps. If you only need to test apps that are not packed and have no security verification mechanism, this is enough. For simple testing needs it is also fine to use an emulator instead of a phone; there are many tutorials on Baidu.

Troubleshoot certificate issues

In many cases the imported certificate still cannot be used and the capture fails. Since Android 7.0 (API 24) an app by default trusts only the system CA store and ignores user-installed certificates, so the Burp CA we just installed is not accepted. The fix is the Move Certificates Magisk module, which turns the user certificate into a system certificate. Here is how.

The Move Certificates module can be installed directly from within Magisk, or downloaded from GitHub and installed locally. Enable the module after installation.


Restart the phone and you will see that the user certificate now appears among the system certificates.


Bypass SSL verification

If the app's traffic goes over HTTPS, the server certificate is verified. During testing I ran into many apps that still could not be captured even though the configuration above was fine. The error message in the terminal looks like one of the following:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

or

javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
  Peer certificate chain:

These are two different checks. The first error means the app does not trust our CA at all (the user-store problem from the previous section, or an app that ships its own trust store); the second is certificate pinning: this message comes from OkHttp's CertificatePinner, which compares the server's certificate chain against hashes baked into the app, so even a fully trusted Burp CA is rejected. Both can be bypassed with the SSLUnpinning module.
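The two errors come down to two certificate facts, which the following added example makes concrete. It is my own illustration in pure-standard-library Python, not code from the original post or from the Move Certificates or SSLUnpinning projects. It computes (a) the file name Android expects for a system CA under /system/etc/security/cacerts/ (what the Move Certificates module of the previous section creates for the user certificate) and (b) the public-key pin an OkHttp-pinned app compares against. The sample certificate is constructed by hand with a dummy key and dummy signature, and the CN "PortSwigger CA" is an assumption, not taken from a real Burp export.

```python
# Added example (not from the original post): the two certificate facts behind
# the errors above, computed with nothing but the Python standard library.
#   1. Android loads system CAs from /system/etc/security/cacerts/<hash>.0 where
#      <hash> is OpenSSL's "-subject_hash_old" of the CA's subject name.
#   2. An OkHttp CertificatePinner pin is "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)),
#      so a proxy CA with a different key can never match, however trusted it is.
# The sample certificate below is CONSTRUCTED by hand (dummy key, dummy signature);
# the CN "PortSwigger CA" is only an assumption.
import base64
import hashlib


def der_read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes):
    """Yield (tag, raw_tlv) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(body):
        tag, _, nxt = der_read_tlv(body, pos)
        yield tag, body[pos:nxt]
        pos = nxt


def tbs_fields(cert_der: bytes):
    """Raw TLVs of TBSCertificate with the optional [0] version dropped, so that
    0=serialNumber 1=signature 2=issuer 3=validity 4=subject 5=subjectPublicKeyInfo."""
    _, cert_body, _ = der_read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs_body, _ = der_read_tlv(cert_body, 0)      # first child is TBSCertificate
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == 0xA0:              # [0] EXPLICIT Version
        fields = fields[1:]
    return [raw for _, raw in fields]


def subject_hash_old(name_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old(): MD5 over the DER Name, first 4 bytes read as a
    little-endian uint32, printed as 8 lowercase hex digits."""
    digest = hashlib.md5(name_der).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def android_cacert_filename(cert_der: bytes) -> str:
    """File name the CA must have under /system/etc/security/cacerts/."""
    return subject_hash_old(tbs_fields(cert_der)[4]) + ".0"


def okhttp_pin(cert_der: bytes) -> str:
    """Pin string in the form OkHttp's CertificatePinner uses for this certificate's key."""
    spki = tbs_fields(cert_der)[5]
    return "sha256/" + base64.b64encode(hashlib.sha256(spki).digest()).decode()


# ---- constructed sample certificate (not a real Burp export) ----
def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV, using the long length form when the body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def name_cn(cn: str) -> bytes:
    """Name ::= SEQUENCE OF (SET OF { OID commonName 2.5.4.3, UTF8String })."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


_RSA_OID = der(0x06, bytes.fromhex("2A864886F70D010101"))         # rsaEncryption
_SHA256_RSA_OID = der(0x06, bytes.fromhex("2A864886F70D01010B"))  # sha256WithRSAEncryption
SAMPLE_SUBJECT = name_cn("PortSwigger CA")                        # assumed CN
SAMPLE_SPKI = der(0x30, der(0x30, _RSA_OID + der(0x05, b""))
                  + der(0x03, b"\x00" + b"\x42" * 32))            # dummy key bits
SAMPLE_CERT = der(0x30,
    der(0x30,
        der(0xA0, der(0x02, b"\x02"))                             # [0] version v3
        + der(0x02, b"\x01")                                      # serialNumber
        + der(0x30, _SHA256_RSA_OID + der(0x05, b""))             # signature algorithm
        + SAMPLE_SUBJECT                                          # issuer (self-signed)
        + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))  # validity
        + SAMPLE_SUBJECT                                          # subject
        + SAMPLE_SPKI)
    + der(0x30, _SHA256_RSA_OID + der(0x05, b""))
    + der(0x03, b"\x00" + b"\x00" * 16))                          # dummy signature


if __name__ == "__main__":
    # For a real export: android_cacert_filename(open("cacert.der", "rb").read())
    print("system store file name:", android_cacert_filename(SAMPLE_CERT))
    print("OkHttp pin           :", okhttp_pin(SAMPLE_CERT))
```

Fed with Burp's exported DER file, the first function gives the name under which the certificate has to sit in /system/etc/security/cacerts/ (mode 644) if you want to do by hand what Move Certificates does for you. The second shows why the pinning error cannot be fixed with any certificate trick: the pin is a hash of the server's real public key, which the proxy does not have, so only hooking the pinning check itself (which is what SSLUnpinning does) lets the traffic through.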

The SSLUnpinning module can be downloaded directly in EdXposed Manager. If the download fails you may need a VPN, or you can fetch it from GitHub and install it yourself: github link


Remember to activate the module after adding it, otherwise it will not take effect.


Just select the app you want to test in SSLUnpinning. It seems that selecting just one app here bypasses pinning for all apps.


Test again and the packets can now be captured normally.


[To be continued...]




Origin blog.csdn.net/NHB456789/article/details/135033027