2

I noticed that using HTTP Toolkit, you can sniff all HTTPS communications in an unencrypted form, from browsers on Windows and Android OS, plus all applications on a rooted Android device or an emulator or via some workaround on a PC. All fields and data from headers, request bodies, and responses are intercepted without encryption.

I find this to be a significant security flaw as a hacker can easily analyze how an app communicates, thus gaining more knowledge on how the server communicates, plus seeing API keys in the headers.

In addition, installing some spyware to record entered credentials on his PC or a public PC, same way as HTTP Toolkit does.

Is there a reason this is allowed to happen in the first place? Is there a way to prevent this from happening?

Tim Perry
  • 11,766
  • 1
  • 57
  • 85
Mena
  • 3,019
  • 1
  • 25
  • 54

2 Answers2

3

It's explicitly allowed because it's extremely useful. It's how all kinds of debugging, testing, and profiling tools are implemented, as well as some kinds of ad blockers and other traffic modifiers.

It's possible because it cannot be prevented in the most general way. A user who fully controls a device can inspect all behavior and traffic on that device. That is what it means to control a device. Traffic is encrypted to protect the user, not to protect apps from their user. If seeing the API would significantly impact the security of the system, the system is already insecure.

Your concern that an attacker may take over a user's machine and observe them is valid, but is far deeper than this. An attacker who has administrative access to the system can observe all kinds of things; mostly commonly by installing a keylogger to watch what they type. There is no way to secure a device that an attacker has complete physical access to.

You can limit TLS sniffing using certificate pinning. Google does not recommend this because it's hard to manage. However, for some situations, it's worth the trouble. See also HTTP Toolkit's discussion on the topic.

You've found a good thing to study. I recommend digging into how HTTP Toolkit works. It will give you a much better understanding of what TLS does and doesn't provide.

Rob Napier
  • 286,113
  • 34
  • 456
  • 610
1

I don't think that is too serious. HTTP Toolkit can not intercept the your normal browser. It only creates a guest profile of browser, open and intercept it. This browser does not have related to your own browser and does not share between them.

The same thing happen in Selenium. Selenium is used widely for automated testing and can be integrated with python, C# and so on.

This also opens their own browser with separated profile and communicate with it from your test code.

Anyway, they can not intercept your normal browser.

If you are serious about the security, then you must not explore the websites with sensitive data via browser that is opened by the HTTP Toolkit or Selenium. Just use your normal browser.

devcrazy
  • 505
  • 5
  • 14