Saturday, September 14, 2013

iPhone Traffic - ZAP’ed, Security, and Network Tap Tap Tapping

This week brought in a very interesting post from web security/developer Troy Hunt.

 Unearthing the hidden shortcomings in Aussie mobile app security - Troy Hunt’s blog

Please go read then come back.

Interesting isn’t it?

I know most GSD readers probably wouldn’t be surprised to find some of their favorite mobile-apps leak user ids and passwords in plain-text, but for those who don’t know, some do.

Case in point (that has now been reported as fixed!):  Zscaler Research: Mobile App Wall of Shame: ESPN ScoreCenter

Naturally that got me thinking about a common mantras in the For/Sec world; “know your tools” & “verify, verify, verify”.

What I want to do is some benchmarking and analysis of the mobile apps I use on my own iPhone to have a better understanding on what is happening with their network traffic. This would be valuable information to know for general usage, and critical knowledge in case you unknowingly encounter a Wi-Fi Pineapple in the wild or a more complex man-in-the-middle Wi-Fi attack and get your network traffic captured.

One super-easy (and lazy) way I have found is to use ZAP - Zscaler Application Profiler.  From the “About” page link:

About ZAP

Zscaler Application Profiler (ZAP) is web based tool designed to streamline the capture and analysis of HTTP(S) traffic from mobile applications. ZAP is capable of analyzing traffic from both iOS and Android applications and includes the following functionality:

  • Search: View summarized historical results for past scans.
  • Scan: Proxy traffic from a mobile device through the ZAP proxy and the mobile app traffic will be automatically captured and analyzed
  • iPCU: Upload your iOS device configuration file(.deviceinfo) to check risk score of installed application. It will give you overall risk score of your device. The information provided is based on out knowledge base.

ZAP classifies traffic into the following buckets and calculates an overall risk score for the application:

  • Authentication: Username/password sent in clear text or using weak encoding methods.
  • Device Metadata Leakage: Data that can identify an individual device, such as the Unique Device Identifier (UDID).
  • Personally Identifiable Information Leakage: Data that can identify an individual user, such as an email address, phone number or mailing address.
  • Exposed content: Communication with third parties such as advertising or analytics sites.

Zscaler also has a detailed video on this service on their blog: Zscaler Research: Introducing ZAP.

So you can either check their historical report data on apps already researched, you can connect your device to their proxy to do a scan on a new app/version not already captured historically, or even upload your own iOS device config file.

Wow.  Bookmark this resource link now!

However, there may be cases you want to do your own local network traffic capture and analysis…because you like pain and frustration (and hands-on learning perhaps).

Part I - In Which Hardware TAP Options are narrowed down

At work (when & where authorized) we can set up network packet captures either on a specific system or on the LAN using port-SPAN.

At home, I don’t have a managed switch (or dumb hub) that can do that.  I suppose I could buy a USB-NIC (so I can have two wired network ports on my laptop) and then capture traffic temporarily though one of these messy devices (home-built or purchased) but that isn’t quite as elegant as I would prefer.

Or (as the TinyApps bloggist kindly just reminded me) use Cain & Abel.

Instead I decided I'll pick up a specialized device that support a network TAP.  This way I can just hook it in line between my Wi-Fi router and the cable modem and capture everything that passes though. It may not be 100% on packet captures, but I think it will be good enough for my home testing.

So the next question is what device?

I’ve settled on the following options:

The DCSW-1005 model is an attractive basic option. It supports port-mirroring, is USB powered, and has 5-ports. (note only port #1 is mirrored to port #5).  The price is good.  The only “drawback” I see is that it only supports 10/100 speed on the network.  While I seriously doubt I would ever approach over 100 Mbps and cause a bottleneck on my home network…most all my other network equipment is 1000 Mbps capable.  So thinking forward, this could be slightly limiting down the road, or if I am asked by family/friends/associates to do some network troubleshooting on a “true” 1000 Mbps network, or tapping in between two network devices actually running at 1000 Mbps.  So there is that. Also, the buffer memory used by the device in the mirroring process is 256 KB. So if that gets saturated, there is the possibility of dropped packet captures.

The only difference between the DCGS-2005/2005L seems to be the “L” model has a metal cabinet while the other doesn’t. Of course, that option comes with a $20 markup as well.  I’m pretty sure the plastic cabinet would be just fine, but the vanity in me just likes the metal cabinet appearance a bit more. Probably just a bit more durable when tossed around in a go-bag and maybe it might dissipate heat a bit better? This model does support up to 1000 Mbps so there is that benefit since it is (at least $100 more expensive) but the buffer memory is just 104 KB. Hmmm. 

Should I be concerned about overloading either of the devices’ memory buffer when capturing home-network traffic? Probably not but what say you pros?

I did find these pretty basic and older reviews, including one from the guru of network security Richard Bejtlich.  I really didn’t find any more recent reviews of the device so if/when I get my hands on one, you can be assured I’ll have a write-up review.

Part II - In Which Other Alternatives are discovered

So let’s assume that you are already comfortable with network packet captures, installing network software, and making network configuration changes to Wi-Fi devices.

Are there any options to capture iPhone network traffic without going to the trouble and expense of picking up TAP hardware just for that task?


First option is a tool called Paros. It is Java based (I know, I know..) and can assess web application vulnerabilities. The link has a Windows binary that appears back from August 2008.

Here is a nice walkthough on using Paros Sniff Your iPhone's Network Traffic by Jerod Santofrom to give you some introduction to it.

There was a comment on the Paros page providing information to a very current “fork” of Paros: ZAP

(Note: Not to be confused with the Zscaler ZAP service)

OWASP Zed Attack Proxy Project - OWASP -

There are tons of information on that page on this tool:

And here are some quick links on ZAP usage:

Next up, we have Fiddler, a free web debugging proxy from Telerik

Finally, if you are hard-core, just go use Wireshark.

Part III - Resources, References, & Pineapples

Here are some additional links related to all of the above discussions including the Dualcomm products, SPAN/TAP considerations, and the next network device I’m interested in picking up to play with; the Wi-Fi Pineapple.

SPAN Out of the Box (PDF Link) - John He’s Dualcomm Technology PowerPoint presentation at SharkFest 2010. Goes into details about SPAN/TAP considerations and specifics on what DualComm feels makes their product super special. SPAN out of the Box (Blip video)

B-7 (Battaglia) TAPS Demystified (PPT Link) - Samuel Battaglia’s Network Critical PowerPoint presentation at SharkFest 2010.

SPAN Port vs TAP (Video) - Betty DuBois- SharkFest 2009 presentation. PowerPoint presentation here (ZIP).

SPAN Port or TAP? CSO Beware - LoveMyTool blog - Tim O’Neill

Network Monitoring Madness: Poor Man’s Resource Linkfest - GSD blog post from 2010.

Let’s Get For/Sec-Motivated! - GSD blog post from 2011.

The beginners guide to breaking website security with nothing more than a Pineapple - Troy Hunt’s blog.

Your Mac, iPhone or iPad may have left the Apple store with a serious security risk - Troy Hunt’s blog.

Pineapple Surprise! Mixing trusting devices with sneaky Wi-Fi at #wdc13 - Troy Hunt’s blog.

Netgear DS104 4-Port 10/100 Dual Speed Hub with Uplink Button (Amazon link) - recommended to look into as well by TinyApps bloggist who reports he had good experience with it.

CaptureSetup/Ethernet - The Wireshark Wiki

CaptureSetup/WLAN - The Wireshark Wiki


--Claus Valca

No comments: