mitm | 👨🏼‍💻 ‎‎‎‏‏ A customizable man-in-the-middle TCP proxy | Proxy library

You could use Traefik reverse proxy v2.4+ with Traefik Pilot enabled and a plugin like Header transformation.

You run Traefik as a container which routes the traffic to the other containers. You can then link your instance to Traefik Pilot using a token, which enables plugins. If you use labels in a docker-compose.yml file:

http-status-code-302 refers to redirection. If ContentService is used, Google temporarily redirects the resource to a another domain to serve the content. This redirection is not performed when using HtmlService. So, if the issue is related to redirection, use HtmlService instead.

To prepare you for my answer I will first clear out some usual misconceptions around public/private APIs and about who vs what is really accessing your backend.

I often see that developers think that their APIs are private, because they have no docs for it, have not advertise it anywhere, and many other reasons.

The truth is that when you release a mobile app all the APIs it communicates with are now belonging to the public domain and if this APIs don't have an authentication and authorization mechanism in place then all data behind it can be accessed by anyone in the internet that reverse engineers how your mobile app works. Even when APIs have authentication in place they may be vulnerable to bad implementations of it and some have a total lack of authorization mechanisms or buggy ones as per OWASP API Security Top 10 vulnerability list.

I wrote a series of articles around API and Mobile security, and in the article Why Does Your Mobile App Need An Api Key? you can read in detail the difference between who and what is accessing your API server, but I will extract here the main takes from it:

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

So think about the who as the user your API server will be able to Authenticate and Authorize access to the data, and think about the what as the software making that request in behalf of the user.

I know about MitM attacks, but would it be safer (and more flexible) to have my mobile app calling my API to get API keys on request thru HTTPS? This way, no sensitive info remains in the app binary files.

While you indeed don't have any sensitive info in the app binary files you haven't solved the problem. In my opinion you are more exposed, because you are now getting the API keys from an public and open API endpoint.

I say it's open because you don't have any safeguard that what is making the request to it are indeed a genuine and untampered version of your mobile app.

So, now all an attacker needs to do is to MitM attack your mobile app or decompile it to see from which API endpoint you grab the API keys to make the requests, and then replicate the procedure from their automated scripts/bots, therefore doesn't really matter that you don't have them hardcoded in the app binary any more.

And to secure MitM attacks, I could frequently change those API key values so they would remains valid only on a short period of time.

In light of the above explanation , on the API Keys Service section, you can even make the API keys restricted to be used only for one single request that the attacker will still succeed, because the attacker will be able to query the API endpoint to obtain API keys as if he was what the backend expects, a genuine and untampered version of your mobile app.

So, to be clear I am in favour of API keys rotation but only if you can get them into your mobile app from a secured external source, but your approach is open to be accessed by anyone on the internet.

I would like to hear anyone about PROS and CONS of such a system.

The system you are describing is not advisable to implement, because without being secured it's just a security disaster asking to occur. Securing it with an API key it's just going back to the initial problem with the disadvantage that your giving back to the mobile the sensitive info you want to keep away from hackers.

The best approach for you is to use a Reverse Proxy to keep the API keys private and secured from prying eyes.

So, from that point of view, I would like to know if it wouldn't be "safer" to get those sensitive info (i.e. API keys) from an external server (i.e. Rest API).

What you are looking for is to implement a Reverse Proxy, that is usually used to protect access to third party APIs and your own APIs, by having the mobile app delegating the API requests to the Reverse Proxy, instead of asking for the API keys to make them from inside the mobile app.

The Reverse Proxy approach will avoid to have several API keys harcoded in the mobile app, but you still need one API key to protect access to the Reverse Proxy, therefore you are still vulnerable to the MitM attacks and to static reverse engineering of your mobile app.

The advantage now is that all your sensitive API keys are private and in an environment you can control and employ as many security measures you need to ensure that the request are indeed from what your backend expects, a genuine and untampered version of your mobile app.

Learn more about using a Reverse Proxy by reading the article I wrote Using a Reverse Proxy to Protect Third Party APIs:

In this article you will start by learning what Third Party APIs are, and why you shouldn’t access them directly from within your mobile app. Next you will learn what a Reverse Proxy is, followed by when and why you should use it to protect the access to the Third Party APIs used in your mobile app.

While the article focus on third party APIs the principle also applies to use with your own APIs.

When certificate pinning is implemented in a mobile app to secure the https channel then the sensitive data on the API requests is more safeguarded from being extracted.

I recommend you to read the section Preventing MitM Attacks in this answer I gave to another question where you will learn how to implement static certificate pinning and how to bypass it.

Despite being possible to bypass certificate pinning I still strongly recommend it to be implemented, because it reduces the attack surface on your mobile app.

I recommend you to read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.

The solution will be the use of a Mobile App Attestation solution that will allow your backend to have an high degree of confidence that the request is from what it expects, a genuine and untampered version of your mobile app.

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

I ended up doing a modified version of Amazon AWS S3 service API authentication. This works just fine. The cost is that there's an HMAC calculated with every request, and the request body has to be used twice.

I assume that your question is in the context of mobile apps, thus my answer will show how to protect against a MitM attack for APIs serving mobile apps and how it can be bypassed.

How does facebook/ instagram protect their users against MITM type hacks?

Do they even protect the users? Or they assume that any possible attacks should be shouldered by users?

This questions are best answered by an insider at Facebook/Instagram or from a security researcher that have done extensive work on their mobile apps and APIs.

Sorry for not being able to elucidate you here.

How would someone go about preventing MITM type attacks against API secrets/ API keys?

This one I am able to help you with and the quick reply its by using certificate pinning against the certificate public key, and we will go in more detail below.

In a first instance you will want to secure the HTTPS communication channel by configuring the mobile app to only establish a connection with the API, during the TLS handshake, if it presents the certificate issued for its domain and that is known and trusted by the mobile app, ignoring any other that may still be valid as per validation against the certificate trust store of the device. I go into more detail about it and how to implement it on the article I wrote Securing HTTPS with Certificate Pinning:

In order to demonstrate how to use certificate pinning for protecting the https traffic between your mobile app and your API server, we will use the same Currency Converter Demo mobile app that I used in the previous article.

In this article we will learn what certificate pinning is, when to use it, how to implement it in an Android app, and how it can prevent a MitM attack.

From the same article I will quote:

The easiest way to pin is to use the server’s public key or the hash of that public key, The hashed public key is the most flexible and maintainable approach since it allows certificates to be rotated in the server, by signing the new one with the same public key. Thus the mobile app does not have to be updated with a new pin because the hash for the public key of the new certificate will continue to match the pin provided in the network security config file. We will see an example of this later when we talk about how to setup certificate pinning.

The easiest and quick way you can go about implementing static certificate pinning in a mobile app is by using the Mobile Certificate Pinning Generator that accepts a list of domains you want to pin against and generates for you the correct certificate pinning configurations to use on Android and iOS.

Give it a list of domains to pin:

And the tool generates for you the Android configuration:

And the iOS configuration too:

The tool even as instructions how to go about adding the configurations to your mobile app, that you can find below the certificate pinning configuration box. They also provide an hands on example Pin Test App for Android and for iOS that are a step by step tutorial.

It's important that any developer that decides to implement certificate pinning in their mobile apps also understands how it can be bypassed in order to learn the threat model and evaluate if further protections are needed to prevent certificate pinning bypass.

I wrote two articles on how to bypass certificate pinning on Android where you can learn in one of them how to do it by extracting, modifying and repackaging the APK, while in the other article you learn how to use the Frida instrumentation framework to hook at runtime into the mobile app in order to bypass certificate pinning:

Bypassing Certificate Pinning on Android via APK

In this article you will learn how to repackage a mobile app in order to make it trust custom ssl certificates. This will allow us to bypass certificate pinning.

How to Bypass Certificate Pinning with Frida on an Android App:

Today I will show how to use the Frida instrumentation framework to hook into the mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning.

Bypassing certificate pinning is not too hard, just a little laborious, and allows an attacker to understand in detail how a mobile app communicates with its API, and then use that same knowledge to automate attacks or build other services around it.

Despite being possible to bypass certificate pinning I still strongly recommend you to implement it in your mobile app, because it reduces a lot the attack surface of your mobile app.

Being aware of how certificate pinning can be bypassed gives you the insights to decide if further protections are needed to be in place. Dynamic certificate pinning and Runtime Application Self-Protection(RASP) may be the next steps to take in your security ladder.

You can force mitmproxy to generate a totally new root CA certificate by simply deleting the old one.

Mitmproxy stores the root CA certificate and it's key in the directory ~/.mitmproxy (mitmproxy config directory in your home directory on the computer running mitmproxy).

If you rename or delete that directory and restart mitmproxy a new root-CA certificate will be generated.

Then you can install this new certificate as usual via http://mitm.it

Your approach is correct and should work if done correctly. Although FYI it doesn't entirely protect from MitM -- ssh-keyscan itself uses an unverified connection and is vulnerable to MitM, although if that connection is legit, checking the key prevents faking on later connections. This is a form/variant of SSH's common 'ToFU' (Trust on First Use) security model.

From my basic understanding, the known_hosts file contains a key. ...

In general, known_hosts contains a mapping from host identities (names and/or IP addresses) to keys. But if your file was created only as you show, it has only one mapping entry containing only one key.

1. make sure you pass the correct path to setKnownHosts, and run as the correct (same) user. If the path you specify cannot be opened (either does not exist or access not allowed) Jsch does NOT throw any error, it just returns without loading anything. You might instead open the file yourself with new FileInputStream(pathstring) and pass to the setKnownHosts(InputStream) overload, so you get an exception if the open fails.

2. make sure you are using the same host identity. If e.g. a host has multiple names (like cloud servers often do) and you use one in ssh-keyscan but a different one in JSch then even though this is actually the same host and key it won't match. But if you are actually using IP addresses in both places, at least if you mean IPv4, this is less likely because very few machines today have multiple public IPv4 addresses. (In the past this was more common and called multihoming.) IPv6 is more possible; most IPv6 machines have both transient and permanent public addresses (as well as local/private ones), and often multiple transients.

It looks like you want to use response.text or response.content, not response.raw_content. raw_content contains the raw compressed HTTP message body, whereas .content contains the uncompressed version.

Append your self-signed cert to /etc/ssl/certs/ca-certificates.crt manually.

Assuming you have the self-signed certificate in a file in your build directory called my-cert.pem: