What if I told you that every time you go to a website or open up an app, there is a company you have never heard of collecting information about you? What if I told you that the website or app you are trusting is likely knowingly sharing your personal information? What if I told you that the majority of websites and apps have no idea how to implement basic security practices, leaving them hackable by anyone?

My name is Max and I’m a Computer Science & Public Policy major. I spent the summer of 2015 learning about privacy and security. After diving into the weeds and seeing the state of the field, I was shocked at how little the average consumer knows about what companies can do, and are doing, with their customers’ data. Think about the questions I asked above again. What if that company has your Social Security Number? What if it has your personal health data?

An illustration from Lifehacker.com

I personally believe that consumers should have a right to own their own data and a right to know who is using their personal information and for what. It is for that reason that I would like to share a free and open source tool called Mitmproxy, which anyone can download to investigate the privacy and security practices of companies. The tool takes 10 minutes to install and a few extra to learn what you are doing. After that, you will be fully equipped to catch companies collecting data about you without your permission. If you have already downloaded Mitmproxy and want to learn how to analyze the data you are looking at, please visit Part 2: How To Analyze Mitmproxy.

But what is Mitmproxy? Mitmproxy is a network analysis tool for learning what goes on behind the scenes: who sends what, and where, from your phone or computer. The name Mitmproxy comes from a type of attack called a Man-in-the-Middle attack (MITM), in which the attacker gets “on the wire” and looks at the information being sent back and forth, because they sit in the middle of the communication.

This guide assumes that you have a Mac purchased in 2012 or later (or running OS X Mountain Lion or newer) or a Linux computer and, if you want to analyze the behind-the-scenes traffic of mobile applications, an iPhone or Android phone connected to Wi-Fi. Wi-Fi is not required; a wired Ethernet connection works as well. If you have a Windows computer you can use a similar tool called Fiddler. Setting up Mitmproxy, if none of the necessary components are installed yet, could take up to 15 minutes, but after the first-time installation it only takes about 30 seconds to get going in subsequent sessions. I would strongly recommend doing a bit of reading about the Terminal (Mac) or Konsole (Linux) application, because we will be executing commands from it; it is already installed on your computer. Try here. If you ever receive an error message and one of the setup steps cannot be completed, copy and paste the error message into a Google search; there will be many resources to troubleshoot the problem.

The following is a step-by-step guide for learning how to install Mitmproxy.

How Mitmproxy Works

Mitmproxy works by sitting in the middle of the connection between your phone or computer and the internet at large. Check out this nice diagram made by Phillip Heckel in his blog post on Mitmproxy.

The communication route for how Mitmproxy intercepts traffic

While this diagram may be confusing at first, it will make sense as we go along. Essentially, in the case of looking at the traffic between a mobile application and the internet at large, we are going to tell your phone to send all of its traffic to Mitmproxy, and then tell Mitmproxy to forward that traffic to the internet, which sends responses back the same way, and so on. Remember that your phone and computer normally send information to a router, which then directs it to the servers of the company whose website or mobile application you are trying to interact with. Something that makes Mitmproxy special is its ability to decrypt SSL-encrypted (HTTPS) traffic so you can see it. As most companies move towards sending information over HTTPS, the information is sent all jumbled up so attackers cannot read it. But this traffic, sent in little bursts called packets, can be the juiciest information for us, the consumers, to analyze. So Mitmproxy decrypts it for us: you install its certificate (let’s call it a bribe) on your phone or computer so that the device sends Mitmproxy the information in easy-to-read English. Companies have even begun to be trickier (this is a good security practice!) and told their mobile applications not to trust Mitmproxy’s or anyone else’s certificates except their own, a practice called certificate pinning. This guide also gives you a way to break certificate pinning so you can still see the traffic flow.
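Once traffic is flowing through Mitmproxy, the two questions a consumer cares about are who each request goes to and what it carries. The addon script below is an added example, not part of this guide or of the Mitmproxy project. It assumes a current Mitmproxy release, which loads scripts with `mitmproxy -s privacy_audit.py` and lets them log through Python’s standard `logging` module; the first-party domain `example-app.com`, the list of field names and the sample requests are all constructed for illustration. For every intercepted request it labels the destination as first-party or third-party and reports any personal-data-looking fields found in the query string or the request body, which is exactly the kind of thing you would otherwise have to spot by eye in the Mitmproxy screen.

```python
"""privacy_audit.py: a Mitmproxy addon that flags third-party requests and
personal-data fields. Added example; hostnames, field list and sample
requests are constructed, not taken from any real app."""
import json
import logging
from urllib.parse import parse_qs, urlsplit

# Domain(s) owned by the app you are inspecting. Hypothetical value;
# replace it with the domains the app's own servers use.
FIRST_PARTY_DOMAINS = {"example-app.com"}

# Parameter names that often carry personal data or device identifiers
# (constructed list; extend it for the app you are looking at).
SENSITIVE_FIELDS = {
    "email", "phone", "ssn", "dob", "zip", "lat", "lon",
    "idfa", "gaid", "imei", "android_id", "device_id",
}


def registered_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels ('cdn.example.com' -> 'example.com')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(host: str) -> bool:
    """True when the request leaves the app's own domains."""
    return registered_domain(host) not in FIRST_PARTY_DOMAINS


def _json_keys(obj):
    """Yield every key in a nested JSON structure (dicts inside lists too)."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from _json_keys(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _json_keys(item)


def sensitive_fields_in(url: str, body: str, content_type: str = "") -> set:
    """Sensitive field names present in the query string or the request body."""
    names = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    ctype = content_type.lower()
    if "json" in ctype:
        try:
            names |= set(_json_keys(json.loads(body)))
        except ValueError:
            pass  # body is not valid JSON; only the query string is inspected
    elif "x-www-form-urlencoded" in ctype:
        names |= set(parse_qs(body, keep_blank_values=True))
    return {n for n in names if n.lower() in SENSITIVE_FIELDS}


def audit(host: str, url: str, body: str, content_type: str) -> dict:
    """Summarise one request: who receives it and which personal fields it carries."""
    return {
        "host": host,
        "third_party": is_third_party(host),
        "sensitive": sorted(sensitive_fields_in(url, body, content_type)),
    }


def request(flow):
    """Mitmproxy hook, called once for every intercepted client request."""
    req = flow.request
    report = audit(
        req.pretty_host,
        req.pretty_url,
        req.get_text(strict=False) or "",
        req.headers.get("content-type", ""),
    )
    if report["third_party"] or report["sensitive"]:
        logging.warning(
            "%s -> %s (third party: %s, personal fields: %s)",
            req.method, report["host"], report["third_party"],
            ", ".join(report["sensitive"]) or "none",
        )


# Constructed sample traffic so the helpers can be exercised without a proxy.
SAMPLE_REQUESTS = [
    ("api.example-app.com", "https://api.example-app.com/login",
     "email=a%40b.c", "application/x-www-form-urlencoded"),
    ("metrics.adnetwork-example.net",
     "https://metrics.adnetwork-example.net/collect?idfa=0000-1111&v=2",
     '{"user": {"email": "a@b.c"}, "geo": {"lat": 1.5, "lon": 2.5}}',
     "application/json"),
    ("cdn.example-app.com", "https://cdn.example-app.com/logo.png", "", ""),
]


def audit_samples() -> list:
    """Run the audit over the constructed sample requests."""
    return [audit(*r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for report in audit_samples():
        print(report)
```

Two things are worth knowing about how this behaves in practice. The domain check is deliberately crude (last two labels), so hosts under country-code suffixes such as `.co.uk` will be grouped wrongly; the script is a starting point for reading the traffic, not a verdict. And an application that pins its certificate will never reach the `request` hook at all, because it refuses the Mitmproxy certificate and the connection fails before any request is sent; that silence is the pinning behaviour described above doing its job.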

Here is a quick glance at what Mitmproxy looks like in action — don’t get scared, it will make sense in just a few minutes!