7

I have an Android app that makes an HTTPS connection to a specific URL. Is there a way to keep this URL secret?

I know that the IP address and the port number of that connection can be detected, but what about the exact host name and more importantly the URI and/or the query string?

I don't mean just via a router or via some other networking 'hack', but also by using some other Android app or by using the Eclipse plugin.

The app is native and I know how to obfuscate and hide the URL in the code, so it can't be seen by decompiling the app.

this.josh
ilija139
  • 2
    I'm not quite sure what you're looking for. Do you want to know how to check if this sort of information leakage is possible, or how to defend against it, or both? – Iszi Oct 18 '12 at 13:07
  • If possible, how to defend against it. – ilija139 Oct 18 '12 at 14:18
  • If someone else isn't sure what I'm asking, please see David Wachtfogel's answer. – ilija139 Oct 18 '12 at 14:22
  • 2
    Can you refine the question based on Mr. Wachtfogel's answer so that others can search for the question & answer? I suspect that you're not the only one who needs this information. – MCW Oct 18 '12 at 15:03
  • [Protect application from being modified](http://security.stackexchange.com/questions/5570/protect-application-from-being-modified) may also be of interest. – this.josh Oct 19 '12 at 05:52

3 Answers

16

HTTPS (i.e. SSL/TLS) encrypts all HTTP communication including the entire URL. HTTPS does not protect the domain name as this is sent to the DNS in the clear, but it does protect the rest of the URL. Other apps don't have access to your app's SSL/TLS encrypted traffic including URLs. So as long as the SSL/TLS connection is set up securely an attacker won't be able to obtain your URI from the traffic.

But from the last sentence you wrote ("I know how to obfuscate and hide the URL in the code, so it can't be seen by decompiling the app") I understand that you need to protect the URL against an attacker who has full access to the device (e.g. the owner of the device). In this case you can't rely on the SSL/TLS connection being secured as it's possible for the attacker to install his own CA certificate on his device. This completely nullifies the security of SSL/TLS, as the attacker can impersonate your server and perform a man-in-the-middle attack - just like Alexey V. Borodin's hack on Apple in-app purchases. Even if you use a hardcoded SSL certificate the attacker can root the device and modify the O/S to output all SSL/TLS communications in the clear. So HTTPS will not protect your URIs from an attacker running your app on his own device.

David Wachtfogel
  • 2
    This is not possible. The data which is shipped and used by your application cannot be made secret to the owner of the device (it can be obfuscated but you will be able to find it by dumping the memory of the device). If your application needs this to be secret for security then your design is broken. – ysdx Oct 18 '12 at 14:27
  • Worth noting, feeling I get is you're trying to protect URI strings that the user could use to falsify info on your server (submitting high scores on a game for example). The user could intercept the SSL connection and rewrite POST/GET data this way. Not sure how cert validation happens on Android but if it happens globally they could easily add their MITM CA root. Embedding your own certs would make things slightly trickier but again, de-obfuscating your code would still make URI forging *entirely* possible. – deed02392 Jan 17 '14 at 11:47
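
The "hardcoded SSL certificate" mentioned in the answer above is commonly implemented as public-key pinning. The sketch below is an added example, not code from the original post; the class name `PinningTrustManager` and the pin set passed to it are assumptions. As the answer states, this only stops a CA certificate installed on the device from being accepted, not an owner who roots the device.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64; // on Android this class needs API level 26 or later
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/** Wraps the platform trust manager and additionally requires a pinned server key. */
public final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager platform;
    private final Set<String> pins; // base64(SHA-256(SubjectPublicKeyInfo)) values

    public PinningTrustManager(X509TrustManager platform, Set<String> pins) {
        this.platform = platform;
        this.pins = pins;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Normal validation first: signatures, validity period, trusted root.
        platform.checkServerTrusted(chain, authType);
        // Pin only chain[0], the server's own certificate. Accepting a match anywhere
        // in the received chain would let a peer append the genuine certificate unused.
        if (chain == null || chain.length == 0 || !pins.contains(spkiPin(chain[0]))) {
            throw new CertificateException("server key does not match a pinned key");
        }
    }

    /** getPublicKey().getEncoded() returns the DER-encoded SubjectPublicKeyInfo. */
    static String spkiPin(X509Certificate cert) throws CertificateException {
        try {
            byte[] spki = cert.getPublicKey().getEncoded();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platform.getAcceptedIssuers();
    }
}
```

The instance is passed to `SSLContext.init(null, new TrustManager[] { pinningTrustManager }, null)`, and the resulting socket factory is set on the app's HTTPS connections.
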
5
  1. Set up an ad-hoc network on a computer.
  2. Make your phone connect to the newly created network.
  3. Use Wireshark to see what connections are made
Henning Klevjer
  • 2
    To be boringly academic, the URL is considered public and should not require protection (if I remember correctly). You should try to put the critical data somewhere else. – Henning Klevjer Oct 18 '12 at 16:26
4

In an HTTPS connection the URL data is encrypted. The IP address and port of the server being connected to can be easily enumerated using a packet sniffer, so chances are if the URL can be sniffed the server isn't going to be a secret. Data transmitted within an HTTPS (i.e. SSL/TLS) connection is secret as long as there is no Man in the Middle, see previous discussions about that subject.

If the object is to try and prevent anyone from seeing what system the app is connecting to then the only conceivable way to do it is to tunnel the traffic through a VPN of some kind, and hope that any listener can't sniff the traffic coming out of the other side. Sending your traffic through some sort of anonymizer would accomplish this.

GdD