Memoirs of an API Hacker: Intercepting Encrypted Mobile Traffic to Hack a Bank's API Server

Updated: Dec 2, 2020

“Abashed the devil stood and felt how awful goodness is and saw Virtue in her shape how lovely: and pined his loss” - John Milton

In a recent penetration test of a large bank, I was able to transfer money to any account and change any customer's ATM debit card PIN, with no authentication, through the API servers the bank's mobile application communicates with. While I was able to reverse engineer the Android app using MobSF, I was far less successful at finding the numerous POST and GET requests the mobile app uses when talking to the bank. An HTTP POST is a type of HTTP request that submits data in the body of the request for the receiving web server to process, often a file upload or the values a user typed into the fields of a web form.

Thus began my search for a more creative way of recovering the correct API calls: intercepting the traffic between my mobile phone and the bank's API server and reading the requests off by hand. Once I had all of the request strings captured in mitmproxy, I could load the POST requests, complete with the expected HTTP header fields, into Postman, an API client that sends requests to an API server and lets the user inspect the response for further analysis or debugging.

Wireshark is shown in this article to provide evidence of the captured network traffic after I set up my iMac to capture my iPhone's traffic. Mitmproxy was used as the SSL/TLS person-in-the-middle (PITM) tool to decrypt the encrypted traffic. Wireshark cannot inspect the contents of TLS-encrypted traffic leaving your phone unless it is given the session keys, but it is still important in a penetration test: it confirms whether the mobile app sends any sensitive data unencrypted over plain HTTP. Therefore I've broken this article into two approaches, one using Wireshark to inspect unencrypted HTTP traffic and another using mitmproxy for the attack I employed against the API server once I had the URIs.
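The capture-and-replay workflow in the two paragraphs above can be automated with a mitmproxy addon. The following is an added example, not code from the original article: it records every request the phone makes, prints a warning for anything sent over plaintext HTTP (the leak the Wireshark check is meant to catch), and on exit writes the requests as a Postman v2.1 collection ready for replay. The hook names and flow attributes are mitmproxy's documented addon API; the output file name, the constructed sample requests, and the list of field names treated as sensitive are assumptions for illustration.

```python
"""
Added example (not the article's own code): a mitmproxy addon that records every
request the phone makes, flags anything sent over plaintext HTTP, and exports the
captured requests as a Postman v2.1 collection so they can be replayed.

Run with:  mitmproxy -s export_requests.py --set collection=bank.postman.json
The hook names (load, request, done) and the flow attributes used are mitmproxy's
addon API; the output file name and the sensitive-field list are assumptions.
"""
import json
from urllib.parse import urlsplit

# Field names whose appearance over plain HTTP we want to flag (assumed list).
SENSITIVE_FIELDS = ("pin", "password", "pan", "cardnumber", "account", "otp", "token")


def summarize_request(method, url, headers, body):
    """Reduce one captured request to the fields Postman needs, plus a plaintext flag."""
    parts = urlsplit(url)
    if isinstance(body, (bytes, bytearray)):
        body_text = body.decode("utf-8", "replace")
    else:
        body_text = body or ""
    lowered = body_text.lower()
    leaked = [f for f in SENSITIVE_FIELDS if f in lowered]
    plaintext = parts.scheme == "http"
    return {
        "method": method.upper(),
        "url": url,
        "headers": [{"key": k, "value": v} for k, v in headers],
        "body": body_text,
        "plaintext": plaintext,
        # Only plaintext leaks matter here; over TLS the proxy sees them but the wire does not.
        "sensitive_in_plaintext": leaked if plaintext else [],
    }


def to_postman_collection(name, requests):
    """Build a Postman v2.1 collection document from summarized requests."""
    items = []
    for r in requests:
        item = {
            "name": f'{r["method"]} {urlsplit(r["url"]).path or "/"}',
            "request": {
                "method": r["method"],
                "header": r["headers"],
                "url": {"raw": r["url"]},
            },
        }
        if r["body"]:
            item["request"]["body"] = {"mode": "raw", "raw": r["body"]}
        items.append(item)
    return {
        "info": {
            "name": name,
            "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
        },
        "item": items,
    }


class RequestExporter:
    """mitmproxy addon: collects requests as they pass, writes the collection on shutdown."""

    def __init__(self):
        self.captured = []

    def load(self, loader):
        loader.add_option("collection", str, "captured.postman.json",
                          "Output file for the Postman collection")

    def request(self, flow):
        req = flow.request
        summary = summarize_request(req.method, req.pretty_url,
                                    list(req.headers.items()), req.content)
        self.captured.append(summary)
        if summary["plaintext"]:
            # Anything printed here is visible on the wire to Wireshark, not just to the proxy.
            print(f'[PLAINTEXT] {summary["method"]} {summary["url"]} '
                  f'fields={summary["sensitive_in_plaintext"]}')

    def done(self):
        from mitmproxy import ctx  # imported here so the module also runs outside mitmproxy
        with open(ctx.options.collection, "w") as fh:
            json.dump(to_postman_collection("Captured API calls", self.captured), fh, indent=2)


addons = [RequestExporter()]

if __name__ == "__main__":
    # Constructed sample requests standing in for what the phone would send.
    samples = [
        summarize_request("POST", "http://api.example.test/v1/pin/change",
                          [("Content-Type", "application/json")],
                          b'{"account":"123","pin":"4321"}'),
        summarize_request("GET", "https://api.example.test/v1/balance",
                          [("Authorization", "Bearer abc")], b""),
    ]
    print(json.dumps(to_postman_collection("demo", samples), indent=2))
```

Loaded into Postman via File > Import, every request appears with its method, URL, headers and body, which is exactly what was previously copied out of mitmproxy by hand. The `[PLAINTEXT]` lines are the ones worth cross-checking in Wireshark, since those bodies traverse the network unencrypted.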

This article explains how to intercept the traffic egressing an iPhone using a Mac. In my setup, I'm using an iPhone 11 Pro Max and a 2017 iMac Pro running macOS Catalina 10.15.2.

Step 1: Discover your phone's unique identifier. Before doing anything, make sure Xcode is installed on your Mac; to install it, simply search for Xcode in the Mac App Store. Once Xcode is installed, connect your iPhone to your Mac with a Lightning cable and look for the Identifier (the device UDID) for your phone, as seen in my screenshot below in Figure 1.