my computer
my data
my code
liberating your data from user-hostile apps
Slides: captnemo.in/talks/
FOSSUnited BLR, Feb 2024
SSID: Smallcase_Guest passphrase: nofreewifi@sc
Please Connect
NEMO
@nemo@tatooine.club
captnemo.in/contact/
VIVEK
@ccrims0n
FOSS is Amazing
Anyone disagrees?
FOSS 💗
[Data Ownership]
Photoshop CS4
- Closed-Source
- PSD Files
- Data with you
Inkscape
- Open Source
- SVG Files
- Data with you
Modern Mobile Apps
- Light API Clients
- Local Cache Storage
- No Data Export
- No concept of "Files"
MY DATA
MY CONTROL
FOSS
⇏
Data Ownership
Pitch
This 2 hour workshop will guide users through analysing a real application,
and re-implementing it in just enough in code to get your own data out.
Workshop Agenda
Foundations
Why?
HTTP, Proxies, Apps
Tooling Intro
1.
Traffic Capture
Capture HTTPS traffic
Analyse APIs
Generate Code
2.
Write Code
Make API Calls
Extract your Data
Write a CSV
3.
AUDIENCE POLL
API
HTTP
TLS
TCP
wikipedia.org/wiki/Internet_Protocol_version_4
wikipedia.org/wiki/Transmission_Control_Protocol
tls12.xargs.org
QUIC/HTTP3
HTTPS/GraphQL
HTTPS/GraphQL
HTTP(s)/Websocket
- Client
- Server
- Proxy
- TLS Termination
Terminology
curl \
--verbose \
--head \
https://httpbin.org/ip
What does a HTTP Client Do?
[Browser] Web Inspector -> Network -> Play
hoppscotch.io -> Play
Read headers. See docs at httpbin.org, try different requests.
Copy as CURL from browser. Open in $TOOL.
- Bruno [P🔓]
- Insomnium [H🔓]
- Postman [H,P]
- firecamp.dev* [P]
- hoppscotch.io* [P🔓]
What does a HTTP Client Do?
[Browser] Web Inspector -> Network -> Play
hoppscotch.io -> Play
Read headers. See docs at httpbin.org, try different requests.
Copy as CURL from browser. Open in $TOOL.
| Tool | Gotcha | Plus |
|---|---|---|
| Bruno | Needs install | FOSS, No Login |
| Postman | Closed-Source. Needs install | |
| Insomnium | Needs Install | FOSS |
| Firecamp | Login to Import, No HAR support | Works in Browser, FOSS |
| Hoppscotch | No HAR support | Works in Browser, FOSS |
1.
Resolve DNS
2.
TCP/UDP Connection
for HTTP/QUIC
3.
Negotiate TLS
5.
Receive and Parse Response
4.
Build and Send Request
6.
Render?
1.
Resolve DNS
2.
TCP/UDP Connection
for HTTP/QUIC
3.
Negotiate TLS
5.
Receive and Parse Response
4.
Build and Send Request
6.
Render?
; pause
Privacy Note
All traffic on your device might be visible to my laptop.
The proxy is running in "memory" mode, without any logs.
I do not want your data, this is for ease of use.
You can run your own.
$ python -m venv workshop
$ source workshop/bin/activate # in linux/macos/WSL
$ workshop\Scripts\activate.bat # in cmd.exe
$ workshop\Scripts\Activate.ps1 # In PowerShell
$ pip install mitmproxy
$ mitmweb
Check your Private Network IP Address. This is PROXYIP
PROXYPORT=8080
Open http://127.0.0.1:8081 in your laptop browser.
Running mitmweb
Proxy Configuration
| 8571 | U8571 | xcmgc |
|---|---|---|
| Port | USERNAME | PASSWORD |
Settings -> WiFi -> Select Network ->
(View More|Scroll Down) -> // maybe?
Proxy Configuration ->Manual
Hostname = mitm.captnemo.in
Port = 8571 (use your own)
On your DEVICE, On Chrome/Safari -> Browse to http://mitm.it
Follow instructions.
Now on your LAPTOP, open
https://mitm.captnemo.in:18571
Use your creds.
On your DEVICE, on Chrome/Safari
http://httpbin.org
Status
Proxy Configuration
Your mobile device should be using the proxy on the default browser, even with HTTPS.
1.
mitmweb access
You should be able to access your mitmweb instance in your laptop, and it should have some traffic from your browser.
2.
Android <7, iOS
Traffic for most apps should be visible in mitmweb.
3.
- By default, apps only honor the "system" CA store.
- The certificate you installed goes to your "user" store.
- On rooted devices, you can write to "system" store.
- Apps can opt-in to the "user-store".
- We will patch the apps with the "opt-in".
https://hub.docker.com/repository/docker/captn3m0/apk-mitm/general