YITM - "You're In The Middle"

by Edster from Dublin, Ireland

Please note - information in this article is for educational use only blah blah blah, please don't do anything illegal, immoral, or even impossible.  Don't stalk anyone.

The name of my article is "YITM" or "You're In The Middle."  This is similar to "Man-in-the-Middle," where someone else intercepts your network packets going back-and-forth between you and the server you are accessing to fetch a website or pick up your emails or data, but this time you are the person intercepting your own data.

The first obvious question would be: Why do you want to intercept your own data as you already know what you are sending or receiving?  The answer is simple: you do not really know what you are sending.  The data is not coming from you directly, but instead it is the data that the apps on your phone are sending on your behalf (and often without your knowledge).

The setup for this is fairly easy.  You will need software to capture the packets as they fly past.  I use Charles Proxy, but as it is a paid app, you can also do a quick search for "free MITM tools" and you will find other options if you want to play for free.  Put the phone and the laptop on the same Wi-Fi network and change the settings on the phone's Wi-Fi connection to proxy via this bit of software.  For me, it means tapping on the Wi-Fi settings on the phone, setting the proxy to manual, setting the server address to the IP address of my laptop, and the port to 8888 (Charles' default).  Now any HTTP data sent in or out of the phone's Wi-Fi connection will show up on the screen.  To see inside the secure HTTPS (TLS) traffic as well, you install the proxy's root (CA) certificate on the phone, so that the phone trusts the certificates the proxy mints on the fly for each site it intercepts.  This is normally very simple and can be done in seconds by following the proxy's instructions.  For example, with Charles, you send your phone to a web address that Charles provides and click "Yes" a few times to install the cert that downloads.  Job done.  Two caveats: on iOS you must additionally switch on full trust for the new root under Settings > General > About > Certificate Trust Settings, and on Android 7 and later apps do not trust user-installed roots by default, so for those apps you will need a rooted device (to install the cert as a system root) or to modify the app itself.

If this is your first time monitoring a phone, you'll be surprised at how much data flows back-and-forth.  You may want to shut down all the apps except the one you are watching to keep the data a bit cleaner.  Run your apps one at a time and see how much information they give away about you, or about the service that you are accessing.

To get some examples of the sort of information that "leaks" out, I installed two types of apps that would (or rather should) have security built in: dating apps and banking apps.  Most of the apps were not too bad.  Most of them didn't send much data that I didn't already have myself.  Half of the bank apps used certificate pinning, which means I could not even intercept their traffic: the app checks the certificate presented during the TLS handshake against one baked into the app, and it dropped the connection as soon as it saw the proxy's freshly minted "man-in-the-middle" cert instead of the one it expected.

The first app that stood out as unsafe was the dating app "Happn."  Clicking on a picture in the app shows you more information on your future ex-wife (or ex-husband).  This we already know.  It even gives an approximate GPS position for where you last passed this person.  Some people accept this much of an information leak as the price of getting a hot date.  What they do not realize is that when you watch the data fly past on your new tool, you are presented with all the data you see on the screen, plus the Facebook ID the person signed up with.  Paste that number onto the end of a facebook.com/ URL and press Enter.  You now have that person's full name, location, pictures, friend list, job locations....  Oh my - stalker's paradise.

The good (or bad) news is I have already told Happn about this and they have closed it down.  I held off on publishing this article for almost a year to give them time to make the change.  But that change is still not enough.  The Facebook ID is still being sent - they send it as a Base64-encoded string in exactly the same way.  On top of the Base64, they have added a very small amount of encryption to it.  This took me three minutes to work out.

YITM has another use.  As well as learning what your favorite apps are sending back-and-forth, you can also mess with the data and see what the app does with it.  The proxy software will normally let you match text in the incoming or outgoing messages and replace it with values of your choosing (Charles calls this "Rewrite"; most other intercepting proxies have an equivalent, plus breakpoints for editing a single message by hand before it is forwarded).

Click on a profile and look at the data that comes with it.

Let's change:

    "is_invited":false  to  "is_invited":true
   "is_accepted":false  to  "is_accepted":true
"has_charmed_me":false  to  "has_charmed_me":true

A look through some of the other traffic will bring up other things to change.  For example:

"latitude":(.*),  to  "latitude":98.7654,
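The same rewrites as a small script, added here as an example and not code from the article or from Charles: it walks a JSON body, flips the three flags above to true and replaces any latitude with a value of your choosing, and doubles as an addon for mitmproxy (a free intercepting proxy of the kind the setup section mentions; the `response` hook and `flow.response.content` are mitmproxy's real API).  The sample body is constructed, not a real Happn capture, and FAKE_LATITUDE is an assumed value.

```python
"""Rewrite fields in intercepted JSON bodies (added example, not from the article).

Standalone: `python3 yitm_rewrite.py` rewrites the constructed sample below.
As a mitmproxy addon: `mitmproxy -p 8888 -s yitm_rewrite.py` rewrites every
JSON response that passes through the proxy.
"""
import json
import re

# Keys the article flips from false to true.  Only JSON booleans are touched.
FORCE_TRUE = {"is_invited", "is_accepted", "has_charmed_me"}

# Assumed value: whatever you want the app to believe your position is.
FAKE_LATITUDE = 12.3456

# Fallback for non-JSON bodies.  Unlike the greedy "latitude":(.*), pattern,
# this matches only the number, so it cannot swallow the rest of the line.
LAT_RE = re.compile(r'("latitude"\s*:\s*)-?\d+(?:\.\d+)?')

# Constructed sample of the kind of profile object a dating app might return.
SAMPLE = (b'{"id":"42","is_invited":false,"is_accepted":false,'
          b'"has_charmed_me":false,'
          b'"last_meet":{"latitude":53.3498,"longitude":-6.2603}}')


def rewrite_tree(node):
    """Recursively rewrite matching fields in a decoded JSON value, in place."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in FORCE_TRUE and isinstance(value, bool):
                node[key] = True
            elif (key == "latitude" and isinstance(value, (int, float))
                  and not isinstance(value, bool)):
                node[key] = FAKE_LATITUDE
            else:
                rewrite_tree(value)  # nested objects (e.g. "last_meet")
    elif isinstance(node, list):
        for item in node:
            rewrite_tree(item)
    return node


def rewrite_body(body: bytes) -> bytes:
    """Rewrite a message body.  JSON is parsed and re-serialised; anything
    else gets the regex fallback on the latitude field only."""
    try:
        data = json.loads(body)
    except ValueError:
        text = body.decode("utf-8", "replace")
        return LAT_RE.sub(lambda m: m.group(1) + repr(FAKE_LATITUDE), text).encode()
    return json.dumps(rewrite_tree(data), separators=(",", ":")).encode()


def response(flow):
    """mitmproxy addon hook, called for every HTTP response.  The same call in
    a request(flow) hook would rewrite outgoing bodies instead."""
    ctype = flow.response.headers.get("content-type", "")
    if "json" in ctype:
        flow.response.content = rewrite_body(flow.response.content)


if __name__ == "__main__":
    print(rewrite_body(SAMPLE).decode())
```

Point the phone's proxy at the machine running mitmproxy and every JSON response arrives already modified.  Two things worth knowing: the article's regex `"latitude":(.*),` is greedy, so on a one-line JSON body it matches everything up to the last comma rather than just the number, which is why the fallback above is stricter; and a latitude such as 98.7654 is outside the valid range of -90 to 90, which is fine for seeing what the app displays but a server that validates its input will reject it.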

The power of YITM is sometimes limited by the code at the other end.  The server, not the app, is the authority on your account state.  You'll find that altering the incoming balance on your account may look nice when it displays, but you will not be able to spend the fake coins, as the server knows your real balance.  Rewriting responses only changes what the app believes; rewriting requests only gets you as far as the server's own validation allows.

Go through your apps and see what they send.  You will be surprised.  Play with some values and see what you can make them do.  Note: you may want to sign out of your real accounts and sign into some new fictitious accounts, so if they ban you for messing with the data stream, you do not lose access to your own data.  Please do not steal or stalk with this newfound skill.  If you do find a big data leak, tell the company so they can close it.  They may even give you a bug bounty.
