Android Question hiding url parameters through obfuscation

apty

Active Member
Licensed User
Longtime User
I have a project where I send a request to a server and get a response. The request requires API keys and a password. When I obfuscate the password and key, I can still see them using an app like Packet Capture when sending a request. Is there any way I can hide this sensitive information? The server is SSL enabled, but I can still see everything sent to the server.
 

apty

Active Member
Licensed User
Longtime User
Yeah, I do. In fact the API is for an airline company which uses HTTPS. But Packet Capture can capture packets sent via HTTPS too and show the entire string sent from the app.
 
Upvote 0

OliverA

Expert
Licensed User
Longtime User
But Packet Capture can capture packets sent via https also and show the entire string sent from the app
What? With SSL? No way. Unless you're accepting untrusted certs and are suffering from a man in the middle. If you have a proper SSL connection and can still capture the traffic unencrypted, you've just destroyed the reason for SSL.
 
Upvote 0

apty

Active Member
Licensed User
Longtime User
The API belongs to Aerocrs. I don't think the SSL for their API connection is untrusted.
 
Upvote 0

DonManfred

Expert
Licensed User
Longtime User
How are you calling the API? Show us some example code.

Using SSL you should use POST requests. Use post values (MultipartPost, for example).

If I remember correctly, only the URL (plus GET values) can be captured. All content (the POST values) is encrypted.
Correct me if I'm wrong.

Using
B4X:
Dim j As HttpJob
j.Initialize("Jobname", Me)
j.Download("https://mywebpage.com/accesspoint.php?user=John&password=doe")
The values of user and john are NOT encrypted.

But using them as POST values, they are encrypted.
 
Upvote 0

apty

Active Member
Licensed User
Longtime User
Well, I call it as below. I am passing XML.
B4X:
job2.PostString("https://connect.aerocrs.com/v3/", retdate)
job2.GetRequest.SetContentType("text/xml; charset=utf-8")

The retdate is an XML file. Everything works well and I get a response; the only problem is I can see the entire XML using Packet Capture. The XML is stored in DirAssets but it doesn't have API keys. I add the API keys inside the code in Process_Globals and I thought obfuscation would hide them.
 
Upvote 0

apty

Active Member
Licensed User
Longtime User
The program is called Packet Capture; it's an Android app from the Google Play Store. For the certificates, I am just using the API from Aerocrs the way it is, and it's secured.
 
Upvote 0

Erel

B4X founder
Staff member
Licensed User
Longtime User
Make it easier for us to try to help you.

- Post a link to the Android app.
- Explain what Aerocrs is.
- Tell us whether you are accepting unrecognized certificates.

What have you done to allow this app to work? I have a feeling that you either set it as a VPN or allowed it to install a new certificate authority.
 
Upvote 0

apty

Active Member
Licensed User
Longtime User
Kindly see the responses below:

Packet Capture app link: https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture&hl=en

Aerocrs is an API for airline bookings (for booking tickets and paying for them).

For the app to work, I set it as a VPN and allowed it to install a new certificate. However, I have other apps on my phone that use APIs, and if I try to capture their packets, I can't. I can only capture packets for my app. The reason I allowed the app to work as a VPN and install its own certificate is that I want to fully test whether my API keys are safe.
 
Upvote 0

MarkusR

Well-Known Member
Licensed User
Longtime User
About Packet Capture, its description says:
Features
- SSL decryption using man-in-the-middle technique.

It's like
App - SSL - App - SSL - App

I think you need to use a certificate authority certificate for server & client.
 
Upvote 0
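Added example, not posted by anyone in this thread: an Android network security configuration that addresses the situation described above. The app could be captured only because its own process trusted the user-installed Packet Capture CA; apps targeting Android 7.0 (API 24) or later do not trust user-added CAs by default, which matches the observation that the other apps on the phone could not be captured. The configuration below makes that behaviour explicit regardless of target SDK, pins the server's public key for connect.aerocrs.com (the host from the code posted earlier), and trusts user CAs only in debug builds so that a test proxy still works during development. The pin values and the expiration date are placeholders, not real values for that server.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest as
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Default for every host: no cleartext HTTP, and only the system CA store.
         A CA added by the user (e.g. by a capture/proxy app) is NOT trusted here. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Stricter rule for the API host: in addition to normal chain validation,
         the leaf or an intermediate must match one of the pinned SPKI hashes.
         Keep at least one backup pin so a certificate rotation does not lock
         users out; re-check the pins before the expiration date. -->
    <domain-config>
        <domain includeSubdomains="true">connect.aerocrs.com</domain>
        <pin-set expiration="2030-01-01">   <!-- placeholder date -->
            <!-- Placeholder values: base64 of SHA-256 over the SubjectPublicKeyInfo -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Applies only when android:debuggable="true": lets developers keep using
         a test proxy with its own CA on debug builds, without weakening release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

In a B4A project the XML resource and the manifest attribute would normally be added through the manifest editor (CreateResource for the xml file and SetApplicationAttribute for android:networkSecurityConfig); treat those names as an assumption and check them against the current B4A documentation. Two caveats: pinning only makes interception by a proxy CA harder, and if the pin set expires the entry silently falls back to ordinary chain validation, so the expiration needs to be tracked. More importantly, this does nothing for the API key itself. Anything compiled into the APK, obfuscated or not, can be recovered from the device, so a key that must stay secret belongs on a backend that the app calls with per-user credentials, with the backend adding the key when it forwards the request to the airline API.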