
Exploring Vulnerabilities in Mobile Applications: Key Exchange Protocol Analysis and Toolkit Setup. Part 1 of 2.

Dariusz Tytko

During one of the latest pentests, I tested a mobile application.

To perform analysis of the communication protocol and prepare a toolkit for testing network communication, the Android version of the application was used.

Protocol analysis

The protocol is implemented in C++; the implementation is included in the native library lib/arm64-v8a/lib[…].so. Wireshark, Frida (the instrumentation toolkit) and Ghidra (a software reverse engineering framework) were used to analyze the protocol.

The application communicates with the servers using TCP port [REDACTED]. Within the protocol, binary packets are exchanged in the following format:

Binary packet format

The first two packets (in both directions – application to server and server to application) are in plaintext and have the following format:

Plaintext packet format

After exchanging the plaintext packets, the rest of the communication is encrypted:

Encrypted communication

To encrypt the RPC messages, the ChaCha20 algorithm is used. The ChaCha20 algorithm is initialized as follows (Python 3 equivalent):

ChaCha20 initialization

It is important to note that, due to the limited time in the first phase of tests, the algorithm for generating the encryption key was not reverse-engineered, as it was not necessary to prepare a working toolkit – the Frida gadget, which extracts the key from the application’s memory, was used instead. However, reverse engineering of the key generation algorithm will be performed in the next phase, as it is important to verify the security of this mechanism, which is a critical part of the implemented protocol’s security.

Testing toolkit

The prepared toolkit consists of the following modules:

Toolkit modules

The iptables command is executed on the router to redirect the application’s network traffic to the proxy:

Iptables redirection

The proxy forwards the traffic to the stream presenter, which is responsible for decrypting and presenting the RPC messages in a human-readable format, e.g., an RPC message responsible for changing the user’s city (number 6), sent as serialized binary data:

Binary RPC message

is decoded to the following format:

Decoded RPC message

The proxy also forwards the traffic to the stream processor, which decrypts the RPC messages, optionally modifies them, encrypts them, and returns them to the proxy, which then forwards them to the server. The traffic sent in the opposite direction (from the server to the application) is processed in a similar way.

Additionally, there are two helper modules: the console, which allows configuration of the stream processor (e.g., setting filters on which RPC messages should be intercepted and presented for modification), and the key extractor, which is a Frida gadget that extracts the encryption key from the application’s memory. This is achieved by intercepting one of the functions from the lib/arm64-v8a/lib[…].so library, which is responsible for initializing the encryption keys for the ChaCha20 algorithm. The function was located and reverse-engineered using the Ghidra framework:

Ghidra reverse engineering

Intercepting the above function allows the extraction of the keys using the following Frida gadget:

Frida gadget

An example session of using the toolkit is presented below:

Toolkit session example
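The stream processor's decrypt, modify and re-encrypt step described above, as an added example that is not the toolkit's code. It assumes one continuous ChaCha20 keystream per direction and a 1-byte RPC number in front of the body; the names `Stream`, `process` and `demo`, the key, the nonce and the messages are all constructed for illustration (in the toolkit the key comes from the key extractor).

```python
import struct
M = 0xFFFFFFFF
ROUNDS = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
          (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]

def chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 64 keystream bytes for one counter value."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                              + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):                      # 10 double rounds = 20 rounds
        for a, b, c, d in ROUNDS:
            for rot in (16, 12, 8, 7):       # the four steps of a quarter round
                s[a] = (s[a] + s[b]) & M
                x = s[d] ^ s[a]
                s[d] = ((x << rot) | (x >> (32 - rot))) & M
                a, b, c, d = c, d, a, b
    return struct.pack("<16I", *((x + y) & M for x, y in zip(s, init)))

class Stream:
    """Keystream position of one direction (assumed continuous across packets)."""
    def __init__(self, key, nonce, counter=0):
        self.key, self.nonce, self.counter, self.buf = key, nonce, counter, b""
    def xor(self, data):
        while len(self.buf) < len(data):     # refill one 64-byte block at a time
            self.buf += chacha20_block(self.key, self.counter, self.nonce)
            self.counter += 1
        ks, self.buf = self.buf[:len(data)], self.buf[len(data):]
        return bytes(p ^ k for p, k in zip(data, ks))

def process(packet, rx, tx, intercept, edit):
    """Decrypt with rx, rewrite intercepted RPC numbers, re-encrypt with tx.
    Assumed layout (hypothetical): 1-byte RPC number followed by the body."""
    msg = rx.xor(packet)
    if msg[0] in intercept:
        msg = msg[:1] + edit(msg[1:])
    return tx.xor(msg)

def demo():
    key, nonce = bytes(range(32)), bytes(12)              # constructed values
    app, server = Stream(key, nonce), Stream(key, nonce)  # the two endpoints
    rx, tx = Stream(key, nonce), Stream(key, nonce)       # processor: one state per side
    seen = []
    for msg in (b"\x06Warsaw", b"\x02ping"):              # constructed RPC messages
        wire = process(app.xor(msg), rx, tx, {6}, lambda body: b"Gdansk-Oliwa")
        seen.append(server.xor(wire))                     # what the server decrypts
    return seen

print(demo())
```

The processor keeps separate `rx` and `tx` states because an edit that changes a message's length moves the two keystream positions apart; with a single shared state, every message after the first edit would decrypt to garbage on the server.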

Next part

As the key generation algorithm has been analyzed, it was possible to perform two attacks on the encryption key exchange protocol: Man-in-the-Middle and brute-force.

How it was found and exploited will be shown in the next article.
