my computer
my data
my code

liberating your data from user-hostile apps

Slides: captnemo.in/talks/

FOSSUnited BLR, Feb 2024

SSID: Smallcase_Guest

passphrase:

nofreewifi@sc

Please Connect

NEMO

@nemo@tatooine.club

captnemo.in/contact/

VIVEK

@ccrims0n

FOSS is Amazing

Anyone disagrees?

FOSS 💗

[Data Ownership]

Photoshop CS4

  • Closed-Source
  • PSD Files
  • Data with you

Inkscape

  • Open Source
  • SVG Files
  • Data with you

Modern Mobile Apps

  • Light API Clients
  • Local Cache Storage
  • No Data Export
  • No concept of "Files"

MY DATA

MY CONTROL

FOSS

Data Ownership

Pitch

This 2-hour workshop will guide you through analysing a real application,
and re-implementing it just enough in code to get your own data out.

Workshop Agenda

1. Foundations
  • Why?
  • HTTP, Proxies, Apps
  • Tooling Intro
2. Traffic Capture
  • Capture HTTPS traffic
  • Analyse APIs
  • Generate Code
3. Write Code
  • Make API Calls
  • Extract your Data
  • Write a CSV

AUDIENCE POLL

API

HTTP
TLS

TCP

wikipedia.org/wiki/Internet_Protocol_version_4

wikipedia.org/wiki/Transmission_Control_Protocol

tls12.xargs.org

QUIC/HTTP3

HTTPS/GraphQL

HTTP(s)/Websocket

  • Client
  • Server
  • Proxy
  • TLS Termination

Terminology

curl \
  --verbose \
  --head \
  https://httpbin.org/ip

What does a HTTP Client Do?

[Browser] Web Inspector -> Network -> Play

hoppscotch.io -> Play

Read headers. See docs at httpbin.org, try different requests.

Copy as CURL from browser. Open in $TOOL.

  • Bruno [P🔓]
  • Insomnium [H🔓]
  • Postman [H,P]
  • firecamp.dev* [P]
  • hoppscotch.io* [P🔓]

| Tool | Gotcha | Plus |
|---|---|---|
| Bruno | Needs install | FOSS, No Login |
| Postman | Closed-Source. Needs install | |
| Insomnium | Needs install | FOSS |
| Firecamp | Login to Import, No HAR support | Works in Browser, FOSS |
| Hoppscotch | No HAR support | Works in Browser, FOSS |

1. Resolve DNS
2. TCP/UDP Connection (for HTTP/QUIC)
3. Negotiate TLS
4. Build and Send Request
5. Receive and Parse Response
6. Render?


Privacy Note

All traffic on your device might be visible to my laptop.


The proxy is running in "memory" mode, without any logs.


I do not want your data, this is for ease of use.


You can run your own.

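$ python -m venv workshop
# Activate the virtualenv with the one line that matches your shell:
$ source workshop/bin/activate     # Linux/macOS/WSL
$ workshop\Scripts\activate.bat    # cmd.exe
$ workshop\Scripts\Activate.ps1    # PowerShell
# Install mitmproxy and start its web interface:
$ pip install mitmproxy
$ mitmweb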

Check your Private Network IP Address. This is PROXYIP

PROXYPORT=8080

Open http://127.0.0.1:8081 in your laptop browser.

Running mitmweb

Proxy Configuration

| Port | USERNAME | PASSWORD |
|---|---|---|
| 8571 | U8571 | xcmgc |

Settings -> WiFi -> Select Network ->
(View More|Scroll Down) -> // maybe?
Proxy Configuration -> Manual

Hostname = mitm.captnemo.in
Port = 8571 (use your own)

On your DEVICE, On Chrome/Safari -> Browse to http://mitm.it

Follow instructions.

Now on your LAPTOP, open

https://mitm.captnemo.in:18571

Use your creds.

On your DEVICE, on Chrome/Safari

http://httpbin.org

Status

1. Proxy Configuration: Your mobile device should be using the proxy on the default browser, even with HTTPS.
2. mitmweb access: You should be able to access your mitmweb instance in your laptop, and it should have some traffic from your browser.
3. Android <7, iOS: Traffic for most apps should be visible in mitmweb.

Android >7

  • By default, apps only honor the "system" CA store.
  • The certificate you installed goes to your "user" store.
  • On rooted devices, you can write to "system" store.
  • Apps can opt-in to the "user-store".
  • We will patch the apps with the "opt-in".

https://hub.docker.com/repository/docker/captn3m0/apk-mitm/general
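
The "opt-in" in the Android >7 bullets is an entry in the app's network security config that adds the "user" CA store to its trust anchors. As an added example (not from the slides or the apk-mitm project), this Python check reads a decoded config and reports where user-installed CAs are trusted; the three XML samples and both function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples of a decoded res/xml/network_security_config.xml.
SYSTEM_ONLY = """<network-security-config>
  <base-config><trust-anchors>
    <certificates src="system" />
  </trust-anchors></base-config>
</network-security-config>"""

OPTED_IN = """<network-security-config>
  <base-config><trust-anchors>
    <certificates src="system" />
    <certificates src="user" />
  </trust-anchors></base-config>
</network-security-config>"""

DEBUG_ONLY = """<network-security-config>
  <debug-overrides><trust-anchors>
    <certificates src="user" />
  </trust-anchors></debug-overrides>
</network-security-config>"""


def user_ca_scopes(xml_text):
    """Return the top-level sections whose trust anchors include the user store."""
    # ElementTree is not hardened against hostile XML; parse configs you trust.
    root = ET.fromstring(xml_text)
    scopes = set()
    for section in root:  # base-config, domain-config or debug-overrides
        if any(c.get("src") == "user" for c in section.iter("certificates")):
            scopes.add(section.tag)
    return sorted(scopes)


def proxy_ca_trusted(xml_text, debuggable=False):
    """True if a user-installed CA (such as the proxy's) is trusted by the app."""
    scopes = user_ca_scopes(xml_text)
    if "base-config" in scopes:
        return True  # trusted for every connection
    if "domain-config" in scopes:
        return True  # trusted, but only for the domains that section lists
    return debuggable and "debug-overrides" in scopes  # debug builds only
```

A release build whose config looks like DEBUG_ONLY keeps user-installed CAs untrusted, which is the setting app developers normally ship.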

FOSS United Workshop - My Computer, My Data, My Code

By Nemo
