Having a VPN service available on your mobile devices is undoubtedly quite useful, as it allows Android users to make the most of their Internet connection without getting blocked or bothered by Internet providers or any unwanted hackers. As a result, many people are looking for a capable VPN application on their mobile devices to provide both convenient connections and secure protection for their Android devices.
For that reason, Turbo VPN, with its many interesting and useful VPN features, will allow mobile users to fully engage in their online experiences. In the app, Android users can enjoy a fast and stable Internet connection without being bothered by the reduced speed caused by the connected VPNs. At the same time, the service will protect you from online tracking, malware, and hacking, and unlock all the blocked online services whenever you want.
And thanks to its huge collection of VPN servers all over the world, Turbo VPN can offer stable and impressive Internet speed to most users. Plus, thanks to the improved and added servers in recent updates, you can expect the app to offer better and better performance.
Also, as you browse the Internet and get online, your identity will mostly stay exposed to Internet providers and most other trackers, making you an easy target for their tracking activities. And sometimes you will find yourself targeted by hacking, malware, and phishing from online scammers, which is extremely annoying, especially if you have lots of important files on your system. Here, the app will protect your network traffic by enabling your anonymity online and securing the connection from trackers. With data encrypted using OpenVPN protocols, you can enjoy a completely secured online experience.
Chisel is a fast TCP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Chisel is very similar to crowbar though achieves much higher performance.
Of the four items, only the remote port is required. If no local-host is given, it will assume 0.0.0.0 on the client. If no local-port is given, it will default to the same as the remote-port. If no remote-host is given, it will default to the server. You can give it R for local-host to indicate that you want to listen on the remote host (i.e., open the listener on the server). In that case, the tunnel will go in the reverse direction.
At this point, these tunnels can be used to create more complex setups. For example, to go even more layers deep into a network, I can set up listeners on the first hop that forward back to the chisel server on kali, and then create new chisel reverse tunnels from there.
At the same time, with VPN services available on your mobile devices, you can also protect yourself from many unwanted scams from hackers, trackers, and malware that can potentially access your devices through certain exploits. Here, you can enjoy complete anonymity and will always stay safe from these unwanted threats on the Internet.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management.
Performing a MitM attack against an HTTPS channel requires the attacker to be able to add the proxy server's Certificate Authority (CA) to the trust store of the device running the mobile app. A popular approach is to manually upload the CA to the device, but this comes with some challenges that may require rooting the device and/or repackaging the mobile app.
An easier way exists, and in this article I will show how to use an Android Emulator with a writable file system that will allow us to install the proxy certificate directly into the system trusted store, without the need to root the emulator or make changes in the mobile app.
An attacker may want to intercept the communications between your mobile app and your API server in order to collect enough information to automate attacks against it, or just to modify or redirect your data on the fly.
Next, we will run ShipFast in the emulator, which has been modified to include the mitmproxy certificate in its system trusted store, and observe how easy it is to intercept the requests to the API backend by proxying them through mitmproxy.
Now, log in with Auth0, and when you have the main screen, click the toggle button in the bottom right corner, and you should be able to keep interacting with the mobile app without seeing any error message. However, if you look at the mitmproxy CLI you can see that the requests being made to the API backend are now visible:
This information is very valuable for an attacker trying to automate attacks against the API backend, because now he has a full view of the life cycle of each request. For example, this approach was what allowed the ShipRaider hacker to build his web app around the ShipFast API backend:
The first thing I always do is sniff the communication between the app and the server using a proxy server installed on my computer. I use Fiddler but there are many other tools you can use like Charles or mitmproxy. I set the proxy server on the phone to the IP address of the computer (they have to be on the same network) and all the packets from the phone now flow through the computer. A classic man-in-the-middle attack.
The app in our example uses HTTPS so I have to try harder. Luckily Fiddler allows you to capture and decrypt HTTPS traffic. You just need to open the browser on your device, go to the IP address of the proxy and install the Fiddler certificate. It does not matter that the app in our example uses HTTPS, I can now see the traffic because it does not check for the correct certificate. When using HTTPS always do SSL pinning. SSL pinning will enable your app to detect scenarios like this and refuse the connection when the certificate is not the one you expect.
The app in our example does not do SSL pinning but I noticed it uses a security token in the header of every request. I can clearly see how to get the server secret and the refresh token, and how to use the refresh token, but I do not know how to create the security token for every request from the server secret. Do not rely only on HTTPS, always use another mechanism to authenticate the app when not doing SSL pinning. But you should really do SSL pinning.
Finding a method that creates the security token in decompiled Java code is easy when the app is not obfuscated. You just need to do some text search in the Java files. Always obfuscate your code to make this harder. On Android you can also use NDK to protect sensitive parts of the code. Also do not use something predictable like md5(server secret + device id).
It was time to use some of my favorite software reverse engineering techniques to break into Couchsurfing.com. I assumed that their mobile apps must use some sort of API to query the backend. So, I had to intercept the HTTP requests coming from a mobile app to the backend. For that purpose I set up a proxy in the local network, and connected my iPhone to it to intercept HTTP requests. This way, I was able to find access points of their private API and figure out their JSON payload format.
To overcome the encryption in a MITM attack, our proxy needs to act as a CA (Certificate Authority) and generate certificates on the fly. For example, if a client tries to connect to www.google.com, the proxy dynamically creates a certificate for www.google.com and signs it. Now, the client thinks that the proxy is in fact www.google.com.
The first thing I noticed is that every request contains a mandatory header X-CS-Url-Signature which is different every time. I also tried to replay a request after a while to check if there is a timestamp check on the server, and there is none. Next thing to do is to figure out how this signature is calculated.