Apr 19, 2016 Burp Suite is a great network monitoring tool for testing and debugging; I use it every day and cannot imagine my current workflow without it. What I lack is the ability to log application traffic 24 hours a day and on devices I don't have access to (e.g. clients' or beta testers' devices). Burp Suite is a Java program, so the download is a directory containing a JAR file; double-clicking it starts Burp after a warning about an untested JVM version.
This blog post is for everybody who would like to follow a methodology for intercepting the network communication between a mobile app and its APIs.
You might think now: what's the problem here? I make the Burp Suite listener available on my external interface, install the Burp CA on the mobile device, set the system proxy in iOS and/or Android to point to Burp, and case closed.
This is definitely true and you can simply follow the fantastic documentation from Portswigger to configure everything, but this will only cover the "ideal" case!
But what about the following use cases:
- The app is built with Flutter or Xamarin. In that case the app does not use the system proxy but bypasses it, so the proxy you set in iOS and/or Android is ignored by the app.
- Not every app relies on HTTP; in particular, to avoid the overhead of HTTP, plain TCP might be used, and you also sometimes see XMPP or other protocols. As the system proxy you set in iOS and/or Android only covers HTTP(S), other protocols will never be sent to Burp, and even if you find a way to route them to Burp, Burp will not be able to process and display them because Burp only understands HTTP.
- You might not be able to use a jailbroken / rooted device in the client’s network.
- I even had cases in the past where I could only connect my laptop, but couldn’t connect my mobile device to the WiFi as the WiFi was “full” and no other devices could connect to it…
These are only some of the challenges you might face when trying to intercept the communication of a mobile app to become a Man-in-the-Middle.
So what can we do to tackle all potential use cases?
I tried to cover all of them in the following decision tree.
To give a bit more context around it (the color coding of the bullet points maps to the boxes in the flow diagram):
- iOS – Create an SSH tunnel (jailbroken device needed): In case you cannot connect to the WiFi with your iOS device, you can apply the following trick to route your HTTP traffic via USB to your Burp: https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing#using-burp-via-usb-on-a-jailbroken-device
- Android – Use ADB reverse (rooted device needed): In case you cannot connect to the WiFi with your Android device, you can apply the following trick to route your HTTP traffic via USB to your Burp: https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05b-basic-security_testing#client-isolation-in-wireless-networks
- If you have configured the proxy on your mobile device and you can see the traffic from your mobile browser but not from the mobile app, you need to analyse the network traffic first to decide what to do next. I summarised this in another blog post: https://bsddaemonorg.wordpress.com/2021/01/31/capture-network-traffic-from-mobile-devices/
- If the traffic is NOT based on the HTTP protocol, you would need to get your hands dirty and dive a little bit deeper into the communication and you should consider using the NoPE Proxy extension for Burp Suite. I summarised this into another blog post: https://bsddaemonorg.wordpress.com/2021/02/03/intercepting-non-http-network-traffic-of-mobile-apps/
If the traffic is based on HTTP, but you cannot intercept it even though you configured the proxy in iOS and Android, a mobile framework such as Flutter (from Google) or Xamarin (from Microsoft) is being used and the app is not relying on the system proxy of Android or iOS. You can tackle this problem easily for Android and also iOS:
- For Android you can simply use iptables on your rooted device to force the HTTP traffic to be sent to your Burp listener: https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05b-basic-security_testing#non-proxy-aware-apps
- If you have an iOS device you need to rely on more generic network interception techniques to send the HTTP traffic to your Burp listener. There are many options (bettercap for ARP spoofing, creating your own access point or VPN, etc.), but one easy way is DNS spoofing with the NoPE Proxy Burp extension. Simply follow the basic setup for mobile testing in the NoPE documentation.
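To make the "analyse the traffic first" step concrete, here is an added example (not from the original post) that applies the decision tree above to a constructed, simplified list of the device's connections; the Burp listener address, the port-based HTTP classification and the line format are assumptions.

```python
import re
from collections import Counter

# Assumed Burp listener address (placeholder, not from the post).
BURP_HOST, BURP_PORT = "192.168.1.10", 8080
# Ports treated as HTTP(S); anything else is assumed to be non-HTTP TCP.
# This is a heuristic: a custom protocol on 443 would be misclassified.
HTTP_PORTS = {80, 443, 8080, 8443}

# Constructed sample, one connection per line: "src:port -> dst:port".
CAPTURE = """\
10.0.0.5:51234 -> 192.168.1.10:8080
10.0.0.5:51235 -> 192.168.1.10:8080
10.0.0.5:51240 -> 203.0.113.20:443
10.0.0.5:51241 -> 198.51.100.7:5222
"""

LINE_RE = re.compile(r"^(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def classify(line):
    """Map one connection to a branch of the decision tree (None if unparsable)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    dst, dport = m.group(3), int(m.group(4))
    if dst == BURP_HOST and dport == BURP_PORT:
        return "via_proxy"    # app honours the system proxy: standard setup works
    if dport in HTTP_PORTS:
        return "direct_http"  # HTTP(S) that skipped the proxy (Flutter/Xamarin style)
    return "non_http"         # e.g. XMPP on 5222 or a custom TCP protocol


def triage(capture, platform="android"):
    """Count the branches and return the next steps the decision tree suggests."""
    counts = Counter(c for c in map(classify, capture.splitlines()) if c)
    steps = []
    if counts["direct_http"]:
        steps.append("iptables redirect to Burp" if platform == "android"
                     else "DNS spoofing via NoPE Proxy")
    if counts["non_http"]:
        steps.append("NoPE Proxy for non-HTTP TCP")
    if not steps and counts["via_proxy"]:
        steps.append("standard system-proxy setup is sufficient")
    return counts, steps
```

Feed it a real connection list (e.g. exported from the capture described in the linked post) to see which branches an app actually exercises before choosing a setup.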
This should make your network setup work and enable you to become Man-in-the-middle in all scenarios you might be facing when testing mobile apps!
As an additional visualisation you can find another version of the decision tree and play the following game to become a "Squirrel-in-the-middle" 🙂
Happy hacking 🙂
From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13
Updated April 19, 2020: – Install OpenSSH through Cydia (ramsexy) – Checkra1n now supports Linux (inhibitor181) – Use a USB Type-A cable instead of Type-C (c0rv4x)
Updated April 26, 2020: – Linux-specific instructions (inhibitor181)
Updated August 14, 2020: – Burp TLS v1.3 configuration
I wanted to get into mobile app pentesting. While it's relatively easy to get started on Android, it's harder to do so with iOS. For example, while Android has Android Virtual Device and a host of other third-party emulators, iOS only has Xcode's iOS Simulator, which mimics the software environment of an iPhone and not the hardware. As such, iOS app pentesting requires an actual iOS device.
Moreover, it's a major hassle to do even basic things like bypassing SSL certificate pinning. Portswigger's Burp Suite Mobile Assistant needs to be installed onto a jailbroken device and only works on iOS 9 and below.
For the longest time, iOS pentesting guides recommended buying an old iPhone with deprecated iOS versions off eBay. More recent efforts like Yogendra Jaiswal's excellent guide are based on the Unc0ver jailbreak, which works on iOS 11.0-12.4. If you don't have an iDevice in that range, you're out of luck.
Fortunately, with the release of the checkra1n jailbreak, A5-A11 iPhones, iPads and iPods on the latest iOS can now be jailbroken. Many iOS app pentesting tools, having lain dormant during the long winter of jailbreaking, are now catching up and new tools are also being released.
As such, I'm writing a quickstart guide for iOS app pentesting on modern devices with the checkra1n jailbreak and consolidating different tools' setup guides in one place. I will follow up with a post on bugs I've found in iOS apps using the tools installed here.
Let's start with the basics. You need an A5-A11 iDevice, preferably an iPhone. I used an iPhone 8. Thanks to checkra1n, you don't really have to worry about the iOS version; as of now, it supports the latest iOS 13.3. Other than macOS, checkra1n also supports Linux.
Warning: Jailbreaking your iDevice significantly weakens your security posture. You should not be doing this on your primary device. In fact, you should not use the jailbroken device for anything other than pentesting.
Please jailbreak your device with a USB-A cable as USB-C jailbreaks have caused issues.
Take note that checkra1n is a semi-tethered jailbreak; every time you restart the iPhone, the jailbreak is lost, so you have to do this again.
- Download the latest checkra1n jailbreak at https://checkra.in/
- Connect your iPhone to your macOS device and open checkra1n with Applications → Right click checkra1n → Open.
- Unlock your iPhone and click “Start” in checkra1n
- Follow the rest of the steps in checkra1n and restart as necessary
For Linux, follow the instructions here to install checkra1n before proceeding to open it and run the same steps to jailbreak your iPhone.
Congrats! You have a jailbroken iPhone. Let's get down to business.
This is super simple. On the jailbroken iPhone, open up the checkra1n app, then click “Cydia” in the “Install” section.
Now you have Cydia and can install several packages that will help in your testing. More on that later.
While you can SSH into your iPhone over the wireless network, it's a lot faster and more reliable to do that over USB.
On your iPhone, go to the Cydia store and install the OpenSSH package. After installing, it should restart Springboard.
Back on your connected macOS device, run:
- brew install libusbmuxd (apt-get install libusbmuxd* for Linux)
- iproxy 2222 22 (iproxy 2222 44 for Linux)
- In another terminal, run ssh root@localhost -p 2222
- For the password, enter the device's default root password (change it once you are logged in, since anyone who can reach port 22 on the device knows it too)
- You should now have an SSH session on your iPhone
One perk is that you can also transfer files to and from your iPhone over SFTP using a client like FileZilla. Just select the SFTP protocol, set your host to localhost and port to 2222.
Frida and Objection
It's time to install my two favorite mobile app testing tools, Frida and Objection. I won't go through in detail about their usage here, just the set up. Frida has an iOS guide I will refer to.
- On your macOS device, run pip3 install frida-tools
- On your iPhone, open Cydia and add Frida’s repository by going to Sources → Edit → Add and enter
- Go to Search → Enter
- Back on your macOS device, run pip3 install objection
- Finally, run objection --gadget 'com.apple.AppStore' explore to check that everything is integrated properly
Proxy Traffic and Bypass Cert Pinning
Proxying traffic through Burp Suite is fairly standard; follow the steps outlined in Yogendra Jaiswal's post. Recently, Burp Suite added the option to disable TLSv1.3 in version 2020.4, which helps iOS trust your custom certificates.
- On Burp Suite, go to Proxy → Options → Proxy Listener → Add → Bind to port: 1337 → Bind to address : All interfaces (or select a Specific Address) → TLS Protocols → Use Custom Protocols → Uncheck TLSv1.3 → “OK”
- On your iPhone, Settings → Wi-Fi → Info → Configure Proxy → Manual → Set server and port to the ones from the previous step
- On your iPhone, go to http://burp → Click "CA Certificate" → Download profile → Settings → General → Profiles & Device Management → Portswigger CA → Install
Now traffic should be proxied through Burp – except for apps that utilize certificate pinning. Fortunately, the SSL Kill Switch 2 certificate pinning bypass tool was recently updated to support iOS 13.
- Make sure you have the following packages installed in Cydia:
- Go to the SSL Kill Switch 2 release page and copy the link to the latest release
- SSH into your iPhone (see the iproxy section above) and run wget <RELEASE URL FROM STEP 2> → dpkg -i <DOWNLOADED PACKAGE NAME> → killall -HUP SpringBoard → rm <DOWNLOADED PACKAGE NAME>
- On your iPhone, go to Settings → SSL Kill Switch 2 (it should be at the bottom) → Disable Certificate Validation
You should be good to go.
Bypass Jailbreak Detection
Jailbreak detection is annoying but solvable. Of all the packages that support iOS 13, I've found that the Liberty Lite Cydia module works the most consistently.
- On your iPhone, open Cydia and add module author Ryley Angus’ repository by going to Sources → Edit → Add and enter
- Go to Search → Enter Liberty Lite → Install
- Once installed, go to Settings → Liberty → Block Jailbreak Detection → Enable for the app you want to bypass
Kill and re-open your app. If it's still not bypassed, you can try other modules.
Dump App Files
Unlike Android apk files, iOS apps from the App Store are stored as encrypted ipa files, preventing easy access and analysis. Having installed iproxy and Frida, we can use frida-ios-dump to obtain the decrypted binary at runtime.
- On your macOS device, run git clone https://github.com/AloneMonkey/frida-ios-dump.git && cd frida-ios-dump and then sudo pip3 install -r requirements.txt --upgrade
- In another terminal, run iproxy 2222 22 if it's not already running
- To dump an app's files, run ./dump.py <APP DISPLAY NAME OR BUNDLE IDENTIFIER>
Typically, I like to symlink my tools so they are easily accessible from my PATH with ln -s <ABSOLUTE PATH TO dump.py> /usr/local/bin/dump-ipa. Now whenever I want to dump an app I can use the dump-ipa command anywhere.
With this quickstart guide, you now have the basic tools set up to begin iOS app pentesting, from searching for secrets in the app files, to hooking classes, and of course testing the web API. Best of all, this is on modern iOS hardware and versions.
I hope this guide is helpful for those looking to set up their iOS testing labs. I will be following up with a writeup on several bugs I've found with these tools and hopefully point towards typical issues to look out for.