Burp Suite Professional for Mobile Application Security Testing (Mobile AST), will be the topic to discuss in depth in this post.
Typical question being asked, can you use Burp Suite Professional for performing mobile applications security testing (Mobile AST)? The quick and direct to the point answer is YES with jailbroken device involved. What you need to do is to configure the mobile device to proxy its traffic via Burp Proxy. After that, you can then intercept, view, and modify all of the HTTP/S requests and responses processed by the mobile application, and carry out penetration testing using Burp Suite Professional in the standard operation procedure (SOP) and they typical way you will with Burp Suite Professional for manual application security testing (MAST).
Successfully intercepting HTTPS traffic from mobile applications can be non-trivial, due to problems setting the necessary proxy configuration, or due to TLS certificate pinning.
Burp Suite Mobile Assistant is a tool to facilitate testing of iOS apps with Burp Suite. It supports the following key functions:
- It can modify the system-wide proxy settings of iOS devices so that HTTPS traffic can be easily redirected to a running instance of Burp.
- It can attempt to circumvent TLS certificate pinning in selected apps, allowing Burp Suite to break their HTTPS connections and intercept, inspect and modify all traffic.
Burp Suite Mobile Assistant currently supports mobile devices running iOS versions 8.0 and onwards.
Once installed, Burp Suite Mobile Assistant can be launched just like any other app on your device. Simply tap the app’s icon to get started.
Routing traffic through Burp Suite
Make sure that an instance of Burp is running and that it is network-accessible from your mobile device.
Within Burp Suite Mobile Assistant, you can configure the host and port of the Burp Suite instance that you want to connect to, install the CA certificate from the configured instance, and enable it as the proxy for the device.
You can also run a test to verify your configuration. The test performs the following checks:
- Network connection – This shows whether the device is able to connect to the given host and port.
- Burp validation – This shows whether the service listening on the given host and port is an instance of Burp Suite.
- CA certificate installed – This shows whether the CA certificate used by the configured Burp Suite instance is trusted by the device.
- Proxy enabled – This shows whether the device is configured to proxy HTTP and HTTPS connections via the given host and port.
Special remark: Changes made to proxy settings by the Mobile Assistant are ephemeral and will be reverted upon reboot. On devices running iOS versions 9.0 onwards, changes made to proxy settings using Mobile Assistant are not reflected in the iOS Settings app. Installation of the Burp CA certificate is not reverted upon reboot.
Burp Suite Mobile Assistant require Jailbroken iphone device
Burp Suite Mobile Assistant needs to be installed onto a jailbroken device due to the nature of its features. Jailbreaks usually install the popular package manager Cydia which can be used to install Mobile Assistant. Advanced users may prefer to obtain Mobile Assistant directly. They can do this by pointing a web browser to Burp Suite’s in-browser interface, e.g.
http://[burp-host-ip]:8080/mobileassistant.deb. Although Cydia is not strictly necessary, Mobile Assistant depends on Cydia Substrate.
If you can’t access HTTPS URLs on iOS even after installing Burp’s CA certificate. Solution:
In Burp, go to to the Dashboard tab and look at the event log. If you see a large number of
Connection reset or
Remote host terminated the handshake errors, the problem may be due to compatibility issues with TLS 1.3.
You can prevent the proxy from using TLS 1.3 by disabling it in the proxy listener settings as follows:
- In Burp, go to the Proxy > Options tab.
- Select the proxy listener that you use for your mobile device and click Edit.
- In the Edit proxy listener dialog, go to the TLS Protocols tab.
- Select Use custom protocols, then deselect TLSv1.3 from the list.
If this was the problem, you should now be able to access HTTPS URLs as normal and will see fewer errors in the event log.
Bypassing certificate pinning
Certificate pinning is a technique used by apps to defend against the impersonation of trusted servers by malicious actors. In this context, pinning is a term that refers to the process of authenticating the identity of a host (provided by a remote server in the form of a TLS certificate) against a local, trusted copy of the legitimate certificate. Therefore, a connection with the remote server will only be established if the server can prove its identity by means of a certificate that matches the app’s expectations.
By default, Burp Suite generates per-host certificates signed by its self-signed CA certificate. Although such certificates might be trusted by the device, they will not match the pinned certificate that the app expects. As a result, Burp’s ability to intercept and inspect traffic generated by such apps is undermined by certificate pinning, even when the device has been properly configured to proxy HTTPS traffic.
Burp Suite Mobile Assistant has the ability to inject into other apps and hook into low-level system APIs to subvert certificate pinning, allowing users to intercept traffic using Burp Suite, even when certificate pinning is implemented.
Certificate pinning can be implemented in many different ways, using system APIs, third-party libraries, or custom code. Because Burp Suite Mobile Assistant hooks the low-level system APIs, it succeeds for the vast majority of apps. However, in some cases, successful injection into an app might fail to disable pinning, indicating that an app is performing certificate pinning using custom code.
Special remark: The certificate pinning bypass feature of Mobile Assistant does not currently support iOS version 10 onwards.
Adding injected apps
Items can be added to injected apps list by tapping “Add injected app”. An app will be injected with a certificate pinning bypass if it matches at least one of the entries in the injected apps list.
The add menu shows a list of user and system apps, which can be individually selected to be injected.
Advanced users may want to apply injections to a collection of related apps. This can be achieved by adding an advanced filter. The following types of filter are available:
- Executable: This will match every app whose executable name matches the filter’s value.
- Bundle ID: This will match any app that has the specified bundle ID, or has a dependency on a framework with that bundle ID. For example, the filter
com.apple.UIKitwill match any app with a GUI; the filter
com.apple.Securitywill match all apps.
- Class: This will match any app that implements a class whose name matches the filter value.
Injected apps list
You can individually enable or disable entries in the injected apps list. Various checks are performed when an item is enabled, and items will be automatically disabled if an error occurs.
You can delete individual items from the list by swiping left on the item, or tap “Delete all” to clear the list.
Special remark: Enabling an injection doesn’t make it take effect immediately. Injection is performed at the time that an app is launched. Hence, an app will need to be restarted if it was already running when it was enabled in the injected apps list. If an app has been successfully injected, a dialog will appear when the app is launched.
Recovering from crashes
The process of injecting into apps and hooking API calls carries inherent risks. For this reason, Cydia Substrate accounts for unexpected situations and can prevent devices from entering a permanent crash state. In the unlikely event that Burp Suite Mobile Assistant should crash and cause problems, please refer to Cydia Substrate’s safe mode.
Write at the end
Note for Mobile application security testing (Mobile AST) for iOS apps with jailbroken devices involved. But for dynamic application security testing (DAST) only, if you look for mobile app static application security testing (SAST), you still need to use a typical static application security testing (SAST) tool. Feel free to contact E-SPIN for advice based on your project in hand or operation requirements.