Friday, June 17, 2011

Intercepting BlackBerry Application Traffic


Intercepting mobile traffic is one of the key areas of mobile application penetration testing, and BlackBerry mobile applications are no different. In this post, we will look at methods of intercepting BlackBerry application traffic.

It is important to note that the standalone BlackBerry simulator does not offer any mechanism to route HTTP traffic over a web proxy. To use a web proxy for traffic interception, one has to use the BlackBerry device simulator together with the MDS and email simulator. Assuming you have both installed, the following steps will allow you to intercept BlackBerry web traffic.

Case 1: Routing HTTP traffic via web proxy:

  1. Browse to "\Program Files\Research In Motion\BlackBerry Email and MDS Services Simulators #.#.#\MDS\config"
  2. Open the rimpublic.property file
  3. Under the HTTP HANDLER section, add your web proxy configuration information:
    application.handler.http.proxyEnabled=true
    application.handler.http.proxyHost=<your proxy address>
    application.handler.http.proxyPort=<your proxy port>

The following image shows the rimpublic.property file HTTP HANDLER section for Fiddler running on port 8888 on localhost.

Web Proxy Configuration
More details on proxy configuration can be seen here. Once you save these settings and launch the MDS simulator, you will be able to monitor, intercept and modify all HTTP traffic. However, we still need to put in some extra work for SSL traffic.


Image shows HTTP traffic captured for google.com
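
The Case 1 edit to rimpublic.property, written as an added example (not part of the original post): it sets the three proxy keys under the HTTP HANDLER section and can be re-run without creating duplicate entries. The sample file content is constructed, and the bracketed section header and the someOtherSetting keys are assumptions used for illustration.

```python
import re

PREFIX = "application.handler.http."
# Java .properties syntax allows spaces around '=' (or ':'); '#' lines are comments.
KEY_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*[=:]\s*(.*)$")

# Constructed sample; header style and the someOtherSetting keys are placeholders.
SAMPLE = """\
[HTTP HANDLER]
application.handler.http.someOtherSetting = 1
application.handler.http.proxyEnabled = false
[HTTPS HANDLER]
application.handler.https.someOtherSetting = 1
"""

def set_mds_proxy(text, host, port):
    """Return the property-file text with the MDS HTTP proxy keys set."""
    wanted = {
        PREFIX + "proxyEnabled": "true",
        PREFIX + "proxyHost": host,
        PREFIX + "proxyPort": str(int(port)),
    }
    out, seen, header_idx = [], set(), None
    for line in text.splitlines():
        if header_idx is None and "HTTP HANDLER" in line.upper():
            header_idx = len(out)
        m = KEY_LINE.match(line)
        key = m.group(1) if m else None
        if key in wanted:
            if key in seen:
                continue  # drop a repeated definition of the same key
            seen.add(key)
            line = f"{key}={wanted[key]}"  # overwrite the existing value in place
        out.append(line)
    if header_idx is None:
        raise ValueError("no HTTP HANDLER section found")
    # Keys that were absent go directly under the section header.
    missing = [f"{k}={v}" for k, v in wanted.items() if k not in seen]
    out[header_idx + 1:header_idx + 1] = missing
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Proxy on localhost port 8888, as in the Fiddler setup described above.
    print(set_mds_proxy(SAMPLE, "127.0.0.1", 8888))
```
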


Case 2: Routing HTTPS traffic via web proxy:
The above-mentioned configuration was not successful when attempted on SSL traffic. It was time for a workaround, and I thought of using a reverse proxy. The idea of using a reverse proxy had some limitations, but it worked seamlessly and allowed me to intercept SSL traffic for a particular domain. To demonstrate this concept, I will be using Charles Proxy's Reverse Proxy. You can use any reverse proxy of your own choice. Let's configure Charles Proxy now.
  1. Obtain the IP address to which the application/browser talks.
  2. Obtain the IP for the target domain. nslookup for mail.google.com revealed four DNS entries (74.125.226.184, 74.125.226.182, 74.125.226.181, 74.125.226.183), and one of them was chosen as the destination for the reverse proxy settings. See the screenshots below for the Charles Reverse Proxy settings.
  3. In the hosts file, add an entry that points the target domain at the IP on which the reverse proxy is hosted. In our case, I entered the following for mail.google.com:
    127.0.0.1 mail.google.com
  4. Now launch your browser and access https://mail.google.com
  5. The BlackBerry simulator will issue a certificate error. Choose the "Trust Certificate" option, provide the certificate store password and then save your settings.
  6. All the traffic will be routed via Charles now. Enjoy!

To summarize reverse proxy settings (Two sets of entries):
Entry 1: To ensure that all SSL traffic is forwarded to mail.google.com:443
Listening on : 127.0.0.1:443
Forwarding to: 74.125.226.181:443 #one

Entry 2: To ensure that all plain HTTP is forwarded too
Listening on : 127.0.0.1:80
Forwarding to: 74.125.226.181:80
Image shows reverse proxy settings in Charles

Image shows the certificate error issued when https://mail.google.com is accessed via the reverse proxy. Choosing the "Trust Certificate" option allows SSL traffic to be intercepted.
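
A consistency check for the Case 2 setup, as an added example that is not part of the original post: it confirms that the hosts entry and the reverse proxy listeners agree, and that each forward target is an IP address rather than the domain name, since a name would resolve through the edited hosts file and send the proxy's upstream connection back to itself. The function names and the tuple layout are assumptions; the addresses are the ones quoted in the post.

```python
import ipaddress

# Values taken from the post; the hosts-file text itself is constructed.
HOSTS = "127.0.0.1 localhost\n127.0.0.1 mail.google.com  # reverse proxy\n"
RESOLVED = {"74.125.226.184", "74.125.226.182", "74.125.226.181", "74.125.226.183"}
ENTRIES = [  # (listen_ip, listen_port, forward_host, forward_port)
    ("127.0.0.1", 443, "74.125.226.181", 443),
    ("127.0.0.1", 80, "74.125.226.181", 80),
]

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text; comments are ignored."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def check_setup(hosts_text, domain, entries, resolved_ips):
    """List problems with a hosts-file plus reverse-proxy interception setup.

    resolved_ips: addresses nslookup returned for the domain.
    """
    problems = []
    mapped = parse_hosts(hosts_text).get(domain.lower())
    if mapped is None:
        problems.append(f"hosts file has no entry for {domain}")
    for listen_ip, listen_port, fwd_host, fwd_port in entries:
        where = f"{listen_ip}:{listen_port}"
        if mapped and listen_ip not in (mapped, "0.0.0.0"):
            problems.append(f"{where}: {domain} points at {mapped}, not this listener")
        try:
            ipaddress.ip_address(fwd_host)
        except ValueError:
            # A name is looked up through the edited hosts file and loops back.
            problems.append(f"{where}: forward target {fwd_host} is a name, use an IP")
            continue
        if fwd_host == mapped:
            problems.append(f"{where}: forwards to itself ({fwd_host})")
        elif fwd_host not in resolved_ips:
            problems.append(f"{where}: {fwd_host} is not an address of {domain}")
    return problems

if __name__ == "__main__":
    print(check_setup(HOSTS, "mail.google.com", ENTRIES, RESOLVED) or "setup is consistent")
```
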

20 comments:

Anonymous said...

Hi, I am not able to intercept HTTPS requests through the BlackBerry simulator,
whereas HTTP is working fine.
Tried this in Charles as you suggested.
What I want is to open an HTTPS request through the BlackBerry simulator browser, and Charles should be able to intercept it.

Please provide your help, as it's urgent.

Gursev Kalra said...

@Anonymous, to intercept the BlackBerry simulator browser, you will need to create this configuration for each website for which traffic interception is required.

Anonymous said...

Have you had any luck intercepting traffic on non-standard HTTP ports (e.g. 5543)? This traffic appears to bypass the proxy settings.

Gursev Kalra said...

I did try with one more port (which was not 443), and it worked with similar config. I do not remember the port number though.

Anonymous said...

Hi,

Which simulator are you using for BlackBerry testing? Is there a way to set the IMEI number in the simulator?

Thanks

Gursev Kalra said...

Hi @Anonymous, I am unable to recall the simulator version I used while writing the blog, and I didn't need to set any IMEI number. But I would love to know if there's a way to do that.

Anonymous said...

Hi, I followed the steps mentioned by you in the blog, but I am still unable to intercept the traffic from the BlackBerry simulator. Are there any other settings which need to be done...

Gursev Kalra said...

@anonymous, the blog contains all the settings I used, and they are no different from what worked for me.

Cyril said...

Hi, I am able to intercept traffic from the browser. Please let me know if you have any idea about how I can intercept traffic from a mobile application. I am aware that some configuration needs to be done in the MDS config, but I don't know what the exact parameters are. It would be great if you could help me with this....

Thanks,

Gursev Kalra said...

Cyril,
If you know the host to which the mobile application talks, configure the simulator and proxy according to that. The steps are no different. However, certain applications that use SSL may have a home-grown CA and may implement their own certificate validation code. Intercepting traffic in such scenarios is harder.

Abhijit Potdar said...

Hi Gursev,
I am trying to intercept HTTP requests using the BlackBerry simulator. I am behind a proxy, so I have accordingly made changes in rimpublic.property as follows:
application.handler.http.proxyEnabled = true
application.handler.http.proxyHost = proxy IP
application.handler.http.proxyPort = Proxy port
I am able to browse the internet through the BlackBerry simulator, but unable to intercept requests through Burp proxy.
Do let me know any changes I need to make.

Gursev Singh Kalra said...

Hey Abhijit,

Does your application use SSL? If yes, then you might have to configure the reverse proxy on a per-host basis. If not, I don't see a reason why you will not be able to intercept the traffic.

Abhijit Potdar said...

Hi Gursev,

Thanks for the reply. Yes, now I am able to intercept BlackBerry browser traffic. However, I have two more queries. When I tried to access Facebook through the BlackBerry emulator, I got an error like "There is Insufficient Network coverage to process your network. Please try again after". But I can see full network coverage; I have changed the battery properties to full.
Second, how do I intercept traffic for BlackBerry apps?

Regards,
Abhijit.

Gursev Singh Kalra said...

Abhijit,

The "There is Insufficient Network coverage to process your network. Please try again after" error might be due to missing internet connectivity, but I may be wrong.

For BlackBerry apps, you will need to determine the target host and configure the web proxy on a per-host basis.

Gursev

Anonymous said...

Not able to intercept HTTPS and BlackBerry apps. I think you should explain in detail.

At least you should show some example of intercepting an app.

Anonymous said...

Not able to intercept the HTTPS traffic. Please explain clearly. Hope you will reply.

Gursev Singh Kalra said...

@Anonymous, I have used the exact same steps to intercept SSL traffic, not sure what problems you are facing. The apps you are testing may be using custom certificate validation code, causing traffic interception to fail.

za said...

How to intercept network traffic from a BlackBerry device, not from the simulator?

Anonymous said...

Hi everyone! I'm trying to intercept HTTP requests first but I can't. I've done the configurations you've said, but in my ZAP application I'm not getting anything... am I missing any easy step you have not posted? Thanks in advance.