Wednesday, May 02, 2012

Debugging OAuth2 SSL Connections

Debugging SSL protected protocols like oauth2 can be a problem but it is not entirely impossible nor hard to do.

One way to do it is to spoof the certificates the protocol relies on to protect the communication. The certificates are used by the client to verify that the server is the endpoint it is supposed to be talking to and to encrypt the communication. A good description for the Android operating system is given in this blog post (Intercepting and decrypting SSL communications between Android phone and 3rd party server). Nobody can blame Android for being picked here as an example and ways to do this exist for all operating systems. Yes, to install the certs you need root access; but it well may be that you have that and want to help a friend to debug their installed application on your phone. Even if the client is running on a server it may be worthwhile to debug the network traffic to find certain errors in the client implementation. An error specific to an oauth implementation might be that your friend has a typo in the cliend_id or client_secret and the authorization server is rejecting requests because of that.
It might be hard for you to verify client_id and client_secret by analyzing the client. Maybe they are stored on a UICC or stored encrypted in the file system (and the keystore password is not "changeit") and are only decrypted and used when a resource owner uses the client.
By analyzing the SSL traffic you can help to find this kind of bug and all other related to protocol issues.

But maybe you don't have an SSL server to capture the plain text from an SSL connection?! Then another path you might take is to swap the client's SSL implementation with your own. You don't have to change the client's code or analyze the client's memory. Building your own version of most operating systems with your own SSL implementation is not that hard to do. Or maybe you can just register your SSL implementation to be used with all client code? Or you can swap a library?
There are more ways to achieve your goal.

But make sure that you have your friend's permission first. Not everybody might be happy with the fact that you now know the client_id and client_secret.

Have fun!


No comments: