Michael fra wmp har også lagt et simpelt library ud til danske bank, denne gang i .NET med ca samme funktionalitet som mit eget php library, så der er noget for en hver smag for folk der gerne vil snakke direkte med banken :)
Selv er jeg ved at rode med en widget som viser de seneste 4-5 transaktioner så man kan have den på sin main screen, og i den forbindelse er det første spade stik taget til et android library tilgængeligt på github.
Det er enkelt at bruge:
Men det er frygteligt at tænke på - android library'et indtil vidre fylder ~480 linjer kode, mens php klassen tidligere nævnt kun fylder 88 linjer kode. Kanske jeg skal have læst op på java og android platformen :)
Wednesday, November 16, 2011
Monday, November 14, 2011
Danske Banks udokumenterede smartphone API
Halløj
Nu hvor jeg har fået sat min android emulator op så jeg kan læse krypteret ssl trafik mellem emulatorens applikationer og internettet, har jeg været ved at rode med Danske Banks Mobilbank app for at hitte ud af hvordan den snakker med banken, så jeg selv kan snakke med banken! Jubii.
Grundene til det er mange, men mest af alt lysten til at lære hvordan de har lavet kommunikationen også tilfredsstille personlige krav som f.eks:
Nu hvor jeg har fået sat min android emulator op så jeg kan læse krypteret ssl trafik mellem emulatorens applikationer og internettet, har jeg været ved at rode med Danske Banks Mobilbank app for at hitte ud af hvordan den snakker med banken, så jeg selv kan snakke med banken! Jubii.
Grundene til det er mange, men mest af alt lysten til at lære hvordan de har lavet kommunikationen også tilfredsstille personlige krav som f.eks:
- At have adgang til mine egne bank data, og gøre med dem hvad jeg vil.
- Lave et vækkeur der donere penge når man sover over
- Android widgets der viser ens balance eller måske 3-4 sidste transaktioner.
- Dashboard widgets med balance og transaktioner.
- Lave et stort led display til lejligheden der viser fælleskontoens balance - Så man let kan finde ud af om man skal gå ud og spise eller lave noget selv, desværre er de halv dyre, så det ender nok med at blive et meget lille lcd display :)
Der er flere tools der tilbyder at lave mitm attacks, wireshark, fiddler (desværre kun til windows) og så vidre, jeg har dog fundet Charles web proxy meget let at gå til specielt på mac'en, men hvis der er tale om andet end http(s) trafik er wireshark formentlig at fortrække.
Oven over ses et pr screenshots af hvordan det forgår, man starter først Charles op og enabler SSL proxying, starter sin emulator med parameteren -http-proxy fra dokumentationen og derefter sender den alt tcp trafik igennem charles.
Efter at ha luret lidt på hvordan den snakker med banken, lavede jeg mit eget lille terminal app som en slags proof of concept ... ting.
Appen er implementeret i php og skulle kunne køre direkte fra en hver Mac. (Eller andet grej med PHP 5.3 eller højere).
Kildekoden findes her: mobilbank.php og DanskeBank.php
Lad mig endelig høre om spændende brug af api'et :)
Make the Android Emulator ready for SSL MITM
Then investigating native android apps communication, you'll sometimes need to perform a man-in-the-middle attack on the apps, even though they communicate through SSL. Tools like Charles Webproxy makes this pretty easy.
However Charles "dummy" certificate need to be added to your android instance's cacerts.bks in order to make android apps trust the proxy. If you dont do this, you'll end up with https connection's telling you the certificate cant be trusted. e.g.:
Note: This should work with other proxy/sniffing tools as well, just find their certificate and add that instead.
The good news is this is easily done, you need to perform these steps:
Note: You'll need to start the emulator with the `emulator` tool found in the android sdk, appending `-partition-size 128` to it, else you cant write to the /system partition, even though remounting it read-write.
So lets walk through the steps
SDcard partition size
This is done in AVD Manager. Open it through Eclipse or by typing
Pull out the cacerts.bks file
This is done by issuing adb's pull command
This is done using keytool with the following command
Note: On the Mac, you'll maybe get an error about keytool not being able to find bouncycastle, fix this by getting the lastest provider from here and put it in your $JAVA_HOME/jre/lib/ext/. (On the Mac with Lion, thats `/System/Library/Frameworks/JavaVM.framework/Home/lib/ext/`.
Another Note: The charles-proxy-ssl-proxying-certificate.crt is found inside the Charles.app package, e.g `Charles.app/Contents/docs/charles-proxy-ssl-proxying-certificate.crt`.
Third Note: I dont know why the password is changeit, around the internets some have reported it to be "" e.g. nothing.
Push the cacerts.bks file back
First, remount the /system read-write.
Make it persistent (with a new system.img file)
This is done with a tool called, `mkfs.yaffs2.arm`. Download it here.
Push the mkfs.yaffs2.arm tool to your android instance.
Make a new system.img on the sdcard partition
Jump into the shell with:
It should output something like this:
mkfs.yaffs2: Android YAFFS2 Tool,Build by PowerGUI
at http://www.openhandsetalliance.org.cn
Building...
Build Ok.
Quit the shell and download the newly generated system.img.
Kill the emulator and boot the new system.img.
Just kill it or exit it in whatever way you see fit, when its closed, you can put your new system.img inside the instances folder.
On the mac its by default ~/.android/avd/<avdname>.avd/ . This is properly also true for linux boxes.
Note: My instance is called lille21, you've properly called yours something else.
Now your all ready and set
Boot your instance with
If your using Charles webproxy remember to enable SSL Proxying.
Ta da! No more certificate trust issues:
Final Note
Ive tried this on android 2.1 and 2.3, not sure if it works on honeycomb (3.0+).
Let me know if you find anything interesting when looking at your favorite app communication :)
However Charles "dummy" certificate need to be added to your android instance's cacerts.bks in order to make android apps trust the proxy. If you dont do this, you'll end up with https connection's telling you the certificate cant be trusted. e.g.:
But its actually more problematic then this security warning. If your just looking at the browsers SSL trafic, you'll properly be fine with just clicking Continue, but meny native apps won't communicate with the internet if it can't trust the certificate.
Note: This should work with other proxy/sniffing tools as well, just find their certificate and add that instead.
The good news is this is easily done, you need to perform these steps:
- Make sure your android instance's sdcard partition is large enough to hold the entire /system (its ~100M) 200M will do.
- Pull out the cacerts.bks file
- Add the certificate to it
- Push it back
- Make it persistent (so it works when the instance reboots)
Note: You'll need to start the emulator with the `emulator` tool found in the android sdk, appending `-partition-size 128` to it, else you cant write to the /system partition, even though remounting it read-write.
So lets walk through the steps
SDcard partition size
This is done in AVD Manager. Open it through Eclipse or by typing
android avdIn your terminal. Dont forget to start the emulator from the commandline with the -partition-size parameter mentioned above. Something like
emulator -avd lille21 -partition-size 128Where lille21 is the name of the instance.
Pull out the cacerts.bks file
This is done by issuing adb's pull command
adb pull /system/etc/security/cacerts.bks cacerts.bksAdd your certificate to cacerts.bks
This is done using keytool with the following command
keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias somealias -file charles-proxy-ssl-proxying-certificate.crt -nopromptThe above command should output something like:
Certificate was added to keystore
Note: On the Mac, you'll maybe get an error about keytool not being able to find bouncycastle, fix this by getting the lastest provider from here and put it in your $JAVA_HOME/jre/lib/ext/. (On the Mac with Lion, thats `/System/Library/Frameworks/JavaVM.framework/Home/lib/ext/`.
Another Note: The charles-proxy-ssl-proxying-certificate.crt is found inside the Charles.app package, e.g `Charles.app/Contents/docs/charles-proxy-ssl-proxying-certificate.crt`.
Third Note: I dont know why the password is changeit, around the internets some have reported it to be "" e.g. nothing.
Push the cacerts.bks file back
First, remount the /system read-write.
adb remountSecond, change the original file's permissions.
adb shell chmod 777 /system/etc/security/cacerts.bksThird, push the new cacerts.bks.
adb push cacerts.bks /system/etc/security/Now the file is in place, but you need to reboot the android instance in order to make it read your new file. (And if you reboot it now, you'll loose your new file, you need to make a new system.img file.
Make it persistent (with a new system.img file)
This is done with a tool called, `mkfs.yaffs2.arm`. Download it here.
Push the mkfs.yaffs2.arm tool to your android instance.
adb push Downloads/mkfs.yaffs2.arm /data/data/temp/mkfs.yaffs2Make it executable.
adb shell chmod 777 /data/data/temp/mkfs.yaffs2
Make a new system.img on the sdcard partition
Jump into the shell with:
adb shellInside the shell type:
/data/data/temp/mkfs.yaffs2 /system /sdcard/system.imgNote: Be sure about the sdcard mount location, on android 2.1 its /sdcard while on android 2.3 its /mnt/sdcard. Check it with the mount command inside the shell
It should output something like this:
mkfs.yaffs2: Android YAFFS2 Tool,Build by PowerGUI
at http://www.openhandsetalliance.org.cn
Building...
Build Ok.
Quit the shell and download the newly generated system.img.
adb pull /sdcard/system.img system.imgNote: Again, watch the sdcard's location!
Kill the emulator and boot the new system.img.
Just kill it or exit it in whatever way you see fit, when its closed, you can put your new system.img inside the instances folder.
On the mac its by default ~/.android/avd/<avdname>.avd/ . This is properly also true for linux boxes.
cp system.img .android/avd/lille21.avd/As far as i know you wont be overwriting anything, the emulator normaly loads a system wide "/system" partition found in your sdk directory, but then it finds the instance has its one, it will load that instead.
Note: My instance is called lille21, you've properly called yours something else.
Now your all ready and set
Boot your instance with
emulator -avd lille21 -http-proxy http://yourinterfaceip:8888And your ready to monitor all kinds of trafic from webpages and even native android applications!
If your using Charles webproxy remember to enable SSL Proxying.
Ta da! No more certificate trust issues:
Final Note
Ive tried this on android 2.1 and 2.3, not sure if it works on honeycomb (3.0+).
Let me know if you find anything interesting when looking at your favorite app communication :)
Wednesday, November 9, 2011
Hemmelig DBA api
Jeg besøger ofte Den Blå Avis når jeg leder efter diverse bras som jeg synes er for dyrt at handle nyt men DBA er efterhånden fuldstændigt forsvundet i alverdens reklamer og forhandler annoncer, for et halvt års tiden siden udgav DBA en Android app.
Ved tilfældighed opdagede jeg at app'en kommunikere med http://api.dba.dk/v1/, men deres webserver er snu og forlanger at man udgiver sig for at være 'iPhone' eller 'Android' i sin User-Agent header.
I virkeligheden var det nok bedre at finde en mere tro useragent, men deres parser er tilsyneladende glad hvis blot strengen indeholder endten iPhone eller Android.
Ved første øjekast har jeg fundet følgende endpoints på servicen:
http://api.dba.dk/public/v1/taxonomy
http://api.dba.dk/public/v1/ads
Den første returnere en række forskellige kategorier som man kan browse efter annoncer i, mens den anden er til at søge med, og tager en række parametre hvor af jeg ikke er sikker på hvad flere af dem gør, en af dem er dog lige ud af landevejen, nemlig q hvor man angiver hvad man vil søge efter.
Eksempel med curl:
curl -A 'iPhone' http://api.dba.dk/public/v1/ads?q=yamaha
Herunder et eksempel på de data man får:
Ved tilfældighed opdagede jeg at app'en kommunikere med http://api.dba.dk/v1/, men deres webserver er snu og forlanger at man udgiver sig for at være 'iPhone' eller 'Android' i sin User-Agent header.
I virkeligheden var det nok bedre at finde en mere tro useragent, men deres parser er tilsyneladende glad hvis blot strengen indeholder endten iPhone eller Android.
Ved første øjekast har jeg fundet følgende endpoints på servicen:
http://api.dba.dk/public/v1/taxonomy
http://api.dba.dk/public/v1/ads
Den første returnere en række forskellige kategorier som man kan browse efter annoncer i, mens den anden er til at søge med, og tager en række parametre hvor af jeg ikke er sikker på hvad flere af dem gør, en af dem er dog lige ud af landevejen, nemlig q hvor man angiver hvad man vil søge efter.
Eksempel med curl:
curl -A 'iPhone' http://api.dba.dk/public/v1/ads?q=yamaha
Herunder et eksempel på de data man får:
Jeg er spændt på hvad folk ka finde på at opfinde med dette api :)
Subscribe to:
Posts (Atom)