Android Question hiding url parameters through obfuscation

A

apty

Active Member
Licensed User
Longtime User
i have a project where i send a request to a server and get a response. The request requires API keys and password. When i obfuscate the password and key, i still can see them using an app like Packet Capture when sending a request. Is there any way i can hide this sensitive information? the server is ssl enabled but i still can see everything sent to the server
 
Sort by date Sort by votes
A

apty

Active Member
Licensed User
Longtime User
yeah. I do. Infact the API is for an airline company which uses https. But Packet Capture can capture packets sent via https also and show the entire string sent from the app
 
Upvote 0

OliverA

Expert
Licensed User
Longtime User
apty said:
But Packet Capture can capture packets sent via https also and show the entire string sent from the app
Click to expand...
What? With SSL? No way. Unless you’re accepting untrusted certs and are suffering from a man in the middle. If you have a proper ssl connection and still can capture the traffic unencrypted, you’ve just destroyed the reasoning for SSL.
 
Upvote 0
A

apty

Active Member
Licensed User
Longtime User
The api belongs to Aerocrs. I don't think the ssl for their api connection is untrusted.
 
Upvote 0

DonManfred

Expert
Licensed User
Longtime User
How are you calling the Api? Show us some example code

Using ssl you should use POST Requests. Use Post-Values (multipartpost for ex).

If i remember correctly only the URL (plus GET Values) can be captured. All content (the post values) are encrypted.
Correct me if i´m wrong

Using
B4X: 
dim j as httpjob
j.initialize("Jobname",me)
j.download("https://mywebpage.com/accesspoint.php?user=John&password=doe")
The values of user and john are NOT encrypted.

But using them as POST Values they are Encrypted.
 
Upvote 0
A

apty

Active Member
Licensed User
Longtime User
well, i call it as below. I am passing xml
B4X: 
job2.PostString("https://connect.aerocrs.com/v3/", retdate)
    job2.GetRequest.SetContentType("text/xml; charset=utf-8")

The retdate is an xml file. Everything works well and i get a response, the only problem is i can see the entire xml using Packet Capture. The xml is stored in dirassets but it doesn't have api keys. I add api keys inside the code in Process_Globals and i thought obfuscation will hide them
 
Upvote 0
A

apty

Active Member
Licensed User
Longtime User
The program is called Packet Capture, its an Android app from the Google playstore. For the certificates, i am just using the api from Aerocrs the way it is, and its secured
 
Upvote 0

Erel

B4X founder
Staff member
Licensed User
Longtime User
Make it easier for us to try to help you.

- Post a link to the Android app.
- Explain what is Aerocrs.
- Tell us whether you are accepting unrecognized certificated.

What have you done to allow this app to work? I have a feeling that you either set it as a VPN or allowed it to install a new certificate authority.
 
Upvote 0
A

apty

Active Member
Licensed User
Longtime User
Kindly see below responses:

Packet Capture App Link-https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture&hl=en

Aerocrs is an API for airline bookings (for booking tickets and paying for them)

For the app to work, i set it as vpn and allowed it to install a new certificate. However i have other apps in my phone that use APIs and if i try to capture their packets, i can't. I can only capture packets for my app. The reason i allowed the app to work as vpn and install its own certificate is because i want to test fully if my API keys are safe.
 
Upvote 0

MarkusR

Well-Known Member
Licensed User
Longtime User
about Packet Capture it wrote
Features
- SSL decryption using man-in-the-middle technique.

its like
App - SSL - App - SSL - App

i think you need/use a certificate authority certificate for server & client.
 
Last edited:
Upvote 0
You must log in or register to reply here.

Similar Threads

  • Question
Android Question SimpleMediaManager - how to authenticate url?
Replies
2
Views
569
andyr00d
  • Question
Android Question Make password visible
Replies
9
Views
2K
josejad
  • Question
Android Question How to check username and decrypted password in the login form?
Replies
2
Views
2K
cklester
I
  • Question
Android Question Web Client/Web Page decode
Replies
4
Views
1K
iCAB
I
  • Question
Android Question A way to hide the url ?
Replies
6
Views
2K
udg
Menu
Log in
Register
Cookies are required to use this site. You must accept them to continue using the site. Learn more…