
MiTM Usage

Jmaxxz edited this page Jul 15, 2016 · 6 revisions

MiTM Proxy is an absolutely amazing tool for figuring out and messing with any (mobile) application which is backed by remote web services. The August mobile application is no exception. In its default mode the August application uses a form of certificate pinning which prevents MiTM proxy from intercepting or modifying traffic. One of the most reliable ways to bypass certificate pinning on a jailbroken iOS device is to use SSL Kill Switch 2. If disabling SSL validation system-wide is not an option, or the device is not jailbroken, you can use a hidden 'feature' of the August application which allows certificate pinning to be bypassed; see Defeating Cert Pinning.

Below I've included a brief description of the three mitmproxy modes I find most useful and when/how to use them. The descriptions provided are no substitute for reading mitmproxy's excellent documentation.

This reverse proxy mode (-R) should be used if a custom endpoint was specified in the August application: the phone talks to the proxy directly, and the proxy forwards to production.august.com with the Host header rewritten.

mitmproxy -w $(date +%Y%m%d%H%M%S) \
          --anticache \
          -R https://production.august.com \
          -p 1337 \
          --setheader :~q:Host:production.august.com

This transparent mode should be used if the computer running MiTM proxy is in the network path the phone uses to reach the internet (i.e. if the computer is providing the network connection to the phone). Note that this mode has no -p, so mitmproxy listens on its default port; the --ignore pattern tells it to pass the listed hosts through untouched instead of attempting to intercept them.

# Build the ignore pattern in a variable: a backslash-newline inside a
# single-quoted string is NOT a line continuation, so splitting the regex
# across quoted lines would feed literal newlines and spaces to mitmproxy.
ignore='(^(.+\.)?apple\.com:443$)'
ignore="$ignore|(^(.+\.)?google\.com:443$)"
ignore="$ignore|(^(.+\.)?icloud\.com:443$)"
ignore="$ignore|(^(.+\.)?cydia\.com:443$)"
ignore="$ignore|(^(.+\.)?mzstatic\.com:443$)"
ignore="$ignore|(^(.+\.)?google-analytics\.com:443$)"

mitmproxy -w $(date +%Y%m%d%H%M%S) \
          --anticache \
          --transparent \
          --ignore "$ignore"

This regular (explicit) proxy mode should be used in all other situations, with the phone's HTTP proxy setting pointed at the computer on port 1337.

# Same pattern as above; see the note there on why it is assembled in a variable.
ignore='(^(.+\.)?apple\.com:443$)'
ignore="$ignore|(^(.+\.)?google\.com:443$)"
ignore="$ignore|(^(.+\.)?icloud\.com:443$)"
ignore="$ignore|(^(.+\.)?cydia\.com:443$)"
ignore="$ignore|(^(.+\.)?mzstatic\.com:443$)"
ignore="$ignore|(^(.+\.)?google-analytics\.com:443$)"

mitmproxy -w $(date +%Y%m%d%H%M%S) \
          --anticache \
          -p 1337 \
          --ignore "$ignore"
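As an added example (not part of this wiki page or the August project), here is a small shell helper that assembles the --ignore host pattern from a domain list so every branch has the same shape, and checks which host:port values mitmproxy would pass through before you start it. The function names and the sample hosts are my own assumptions.

```shell
# Added example (not from the wiki): assemble the --ignore host pattern from a
# domain list so every branch has the same shape, and check which host:port
# values mitmproxy would pass through before starting it. The function names
# and the sample hosts are my own assumptions.

# build_ignore_regex DOMAIN... -> one branch per domain, joined with '|'
build_ignore_regex() {
    pattern=""
    for domain in "$@"; do
        # escape the dots so "apple.com" does not also match "applexcom"
        escaped=$(printf '%s' "$domain" | sed 's/\./\\./g')
        branch="(^(.+\\.)?${escaped}:443\$)"
        if [ -z "$pattern" ]; then
            pattern="$branch"
        else
            pattern="${pattern}|${branch}"
        fi
    done
    printf '%s' "$pattern"
}

# host_is_ignored HOST:PORT PATTERN -> exit 0 if mitmproxy's --ignore would match
host_is_ignored() {
    printf '%s' "$1" | grep -Eq "$2"
}

IGNORE_PATTERN=$(build_ignore_regex apple.com google.com icloud.com cydia.com \
                                    mzstatic.com google-analytics.com)

# constructed sample of host:port values a phone might connect to
for h in api.apple.com:443 play.google.com:443 notapple.com:443 \
         apple.com:80 production.august.com:443; do
    if host_is_ignored "$h" "$IGNORE_PATTERN"; then
        echo "pass through (not intercepted): $h"
    else
        echo "intercepted:                    $h"
    fi
done

# the regular-mode invocation from above, with the assembled pattern:
# mitmproxy -w "$(date +%Y%m%d%H%M%S)" --anticache -p 1337 --ignore "$IGNORE_PATTERN"
```

Note that `notapple.com:443` is intercepted and `apple.com:80` is not ignored either: the optional `(.+\.)?` group only admits subdomains, and the `:443` suffix limits the pass-through to TLS traffic.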