Burp App

2/15/2022by admin
  1. Burp App Store
  2. Burp Application

Burp Suite Mobile Assistant is a tool to facilitate testing of iOS apps with Burp Suite.

Burp Suite Community Edition is a feature-limited set of manual tools for exploring web security. Proxy your HTTPS traffic, edit and repeat requests, decode data, and more. Get the latest version here. Alternatively, try hacking like the pros do - with a free trial of Burp Suite Professional. It is the most popular tool among professional web app security researchers and bug bounty hunters. Its ease of use makes it a more suitable choice over free alternatives like OWASP ZAP. Burp Suite is available as a community edition which is free, professional edition that costs $399/year and an enterprise edition that costs $3999/Year. Benefits of Hiring BrandBurp for Burping Your App We are a Competent Mobile App Marketing Agency with a Mission to Offer Industry’s Best Digital Marketing Services. Our 100+ experts who have already served 2000+ clients from different domains know how to offer customized digital marketing solutions.

If you do not already have Mobile Assistant installed, please see the help on Installing Burp Suite Mobile Assistant.

Once installed, Burp Suite Mobile Assistant can be launched just like any other app on your device. Simply tap the app's icon to get started. You can find information about configuring Burp Suite Mobile Assistant on the Support Center.

Routing traffic through Burp Suite

Make sure that an instance of Burp is running and that it is network-accessible from your mobile device.

Within Burp Suite Mobile Assistant, you can configure the host and port of the Burp Suite instance that you want to connect to, install the CA certificate from the configured instance, and enable it as the proxy for the device.

You can also run a test to verify your configuration. The test performs the following checks:

  • Network connection - This shows whether the device is able to connect to the given host and port.
  • Burp validation - This shows whether the service listening on the given host and port is an instance of Burp Suite.
  • CA certificate installed - This shows whether the CA certificate used by the configured Burp Suite instance is trusted by the device.
  • Proxy enabled - This shows whether the device is configured to proxy HTTP and HTTPS connections via the given host and port.

Note: Changes made to proxy settings by the Mobile Assistant are ephemeral and will be reverted upon reboot. On devices running iOS versions 9.0 onwards, changes made to proxy settings using Mobile Assistant are not reflected in the iOS Settings app. Installation of the Burp CA certificate is not reverted upon reboot.

Bypassing certificate pinning

Certificate pinning is a technique used by apps to defend against the impersonation of trusted servers by malicious actors. In this context, pinning is a term that refers to the process of authenticating the identity of a host (provided by a remote server in the form of a TLS certificate) against a local, trusted copy of the legitimate certificate. Therefore, a connection with the remote server will only be established if the server can prove its identity by means of a certificate that matches the app's expectations.

By default, Burp Suite generates per-host certificates signed by its self-signed CA certificate. Although such certificates might be trusted by the device, they will not match the pinned certificate that the app expects. As a result, Burp's ability to intercept and inspect traffic generated by such apps is undermined by certificate pinning, even when the device has been properly configured to proxy HTTPS traffic.

Burp Suite Mobile Assistant has the ability to inject into other apps and hook into low-level system APIs to subvert certificate pinning, allowing users to intercept traffic using Burp Suite, even when certificate pinning is implemented.

Certificate pinning can be implemented in many different ways, using system APIs, third-party libraries, or custom code. Because Burp Suite Mobile Assistant hooks the low-level system APIs, it succeeds for the vast majority of apps. However, in some cases, successful injection into an app might fail to disable pinning, indicating that an app is performing certificate pinning using custom code.

Note: The certificate pinning bypass feature of Mobile Assistant does not currently support iOS version 10.

Adding injected apps

Items can be added to injected apps list by tapping 'Add injected app'. An app will be injected with a certificate pinning bypass if it matches at least one of the entries in the injected apps list.

The add menu shows a list of user and system apps, which can be individually selected to be injected.

Advanced users may want to apply injections to a collection of related apps. This can be achieved by adding an advanced filter. The following types of filter are available:

  • Executable: This will match every app whose executable name matches the filter's value.
  • Bundle ID: This will match any app that has the specified bundle ID, or has a dependency on a framework with that bundle ID. For example, the filter com.apple.UIKit will match any app with a GUI; the filter com.apple.Security will match all apps.
  • Class: This will match any app that implements a class whose name matches the filter value.

Injected apps list

You can individually enable or disable entries in the injected apps list. Various checks are performed when an item is enabled, and items will be automatically disabled if an error occurs.

You can delete individual items from the list by swiping left on the item, or tap 'Delete all' to clear the list.

Note: Enabling an injection doesn't make it take effect immediately. Injection is performed at the time that an app is launched. Hence, an app will need to be restarted if it was already running when it was enabled in the injected apps list. If an app has been successfully injected, a dialog will appear when the app is launched.

Recovering from crashes

The process of injecting into apps and hooking API calls carries inherent risks. For this reason, Cydia Substrate accounts for unexpected situations and can prevent devices from entering a permanent crash state. In the unlikely event that Burp Suite Mobile Assistant should crash and cause problems, please refer to Cydia Substrate's safe mode.

This last weekend I started testing a new Android app for fun, and ran into some trouble getting Burp Suite working properly. I burned a whole afternoon troubleshooting the issue, and decided to write up what I found out and two different ways I got it working.

I’ve done quite a bit of Android testing in the past and my setup usually involves a Genymotion VM or my old rooted Nexus Tablet. I run Burp Suite locally, install the User Cert as outlined in Portswigger’s documentation, configure a WiFi proxy and I’m off the races.

This particular app I wanted to test, however, required a minimum API level 24 (Android 7.0 - “Nougat”) and suddenly it wasn’t working. I followed the steps I always do but saw nothing but “connection reset” errors in Burp:

After a few frustrating hours of troubleshooting, I finally figured out the issue lied with the latest versions of Android (API >= 24). Before I go any further, all the information I needed was found in these great write-ups:

Starting with Nougat, Android changed the default behavior of trusting user installed certificates. It’s no longer possible to just install the Burp CA from the sdcard to start intercepting app traffic. Unless otherwise specified, apps will now only trust system level CAs. The failure happens “invisibly” and is responsible for all the alerts I saw in Burp Suite.

There’s two ways to bypass this, and I’ll walk through them both.

Burp App Store

  • Install the Burp CA as a system-level CA on the device. My recommendation for the easiest solution, but does require a rooted device. Also added benefit of not having to set a lockscreen PIN :)
  • Modify the manifest and repackage the app. Slightly more work, but doesn’t require root privileges.

Note: I did all this with Burp Suite Pro on my Windows 10 machine and am using an Android 7.1 (API25) Genymotion VM, but the steps should be applicable to any setup.

Since the “traditional” way of installing a user certificate doesn’t work anymore in Nougat and above, for me the easiest solution is to install the Burp CA to the system trusted certificates. You can see all the system CAs that are bundled with an Android device by going to Settings -> Security -> Trusted Credentials and viewing system CAs. You’ll see the similar CAs you’d see in a browser bundle.

Trusted CAs for Android are stored in a special format in /system/etc/security/cacerts. If we have root privileges, it’s possible to write to this location and drop in the Burp CA (after some modification).

Export and convert the Burp CAThe first step is to get the Burp CA in the right format. Using Burp Suite, export the CA Certificate in DER format. I saved it as cacert.der

Android wants the certificate to be in PEM format, and to have the filename equal to the subject_hash_old value appended with .0.

Note: if you are using OpenSSL <1.0, it’s actually just the subject_hash, not the “old” one

Use openssl to convert DER to PEM, then output the subject_hash_old and rename the file:

For example, with my certificate:


Copy the certificate to the deviceWe can use adb to copy the certificate over, but since it has to be copied to the /system filesystem, we have to remount it as writable. As root, this is easy with adb remount.

The just drop into a shell (adb shell) and move the file to /system/etc/security/cacerts and chmod it to 644:

Lastly, we have to full reboot the device with either adb reboot or a power cycle.

After the device reboots, browsing to Settings -> Security -> Trusted Credentials should show the new “Portswigger CA” as a system trusted CA.

Now it’s possible to set up the proxy and start intecepting any and all app traffic with Burp :)

If you don’t have root or don’t want to modify the system trusted certificates, you can install the Burp CA as a user cert and then modify the specific APK you want to MitM.

Starting with Nougat, apps will ignore user-installed certificates by default. This is evident by looking at logcat output when launching the app:

Without a network security config, the app will only trust system CAs and will not honor the user installed Burp certificate.

To get around this, it involves:

  • Disassembling the APK
  • Adding a new XML resource to define a network security profile
  • Modifying AndroidManifest.xml
  • Repackaging and self-signing the APK

Disassemble and modify the APKStart by using apktool to disassemble the APK

Next, add a new network security config by creating the file network_security_config.xml in the res/xml directory:

The config needs to explicitly state that trusting user certs is acceptable. The entire contents should be:

Finally, we have to define the network security config in AndroidManifest.xml. In the <application> tag, add the android:networkSecurityConfig attribute pointing to the new XML file:

Reassemble and SignFinally, the APK must now be rebuilt and signed in order to be installed. Using apktool b, a new build will be created in the dist/ directory:

Burp App

Burp Application

To self-sign the app, use keytool to create a new keystore and key, then jarsigner to sign the new APK:

Lastly, install the new APK with adb:

Now, when we start the application, the logcat output will indicate a new network security config is being used:

With the Burp CA installed to user certificates, we can now MitM the application traffic!

Install System CA

Modify APK

Hope this helps!-ropnop

See also

Comments are closed.