Sunday, June 9, 2013

Sniffing Mobile apps

Hi friends, Here is my new article how to sniff HTTP / HTTPS traffic of iOS and Android apps.
There may be different needs, for example if you wanna test your app or whatever. I'm not responsible for your actions at the end.

So what you need:
 - iOS or Android Device
 - App you want to sniff installed on device
 - PC / Mac connected to same WiFi network with mobile device.
 - Magic tool "BURP" get a free copy here

BURP is a Jar file, you can run it on PC or Mac, just don't forget to have Java installed.

So to sniff trafic you need to go to properties of WiFi connection on your mobile device and in additional settings enable HTTP proxy. The host will be local ip of your computer, and port 8080.

Than run BURP , keep all settings by default if you are not sure.The only thing you need to do is to turn off Interception. Proxy Tab -> Intercept Tab, Intercept OFF.

Than open History Tab and there you will see all HTTP requests your mobile or some app does.
If the app is trying to make HTTPS request it will fail, because now you are not porxifying HTTPS property. To get all magic you need to do the following things:

Open Proxy Options tab and check that options of Certificate is "Per Host" and Generate CA signed per host request are set.

After that open any browser, for example safari on your local computer, set proxy settings to localhost:8080 including HTTP and HTTPS proxy, On Mca is done in your network settings. If you use Firefox it's configured in local settings of Firefox.

So when you are done try to open any HTTPS url and you will get SSL error warning. I avoid using Chrome because they have additional SSL verifications, really im not sure how it works there.

So when you get SSL warning you should open warning details and set CA certificate as trusted on you local machine. After that it will perfectly and in logs of BURP you will see all SSL requests you do through your browser.

To make you mobile accept this SSL you need to:
 - Export CA ROOT certificate which now you have in your Keychain to the file (crt i guess)
 - Import it to your mobile.

In case of Android is very easy, just copy it to the root of sd card, insert it to device, go to settings of security and import Certificate from SD card. After that certificate will become trusted and you can sniff SSL traffic. Just don't forget that if you use Chrome Mobile it will also raise errors about wrong SSL, but all other apps will accept it. And all requests will appear in history of BURP.

With iOS is more tricky.
1. Download iPhone Configuration Utility form Apple website
2. Open it and create new profile , keep blank everything except profile name / id and in Certificates Tab add CRT you want to add as trusted on your device.

Than connect your iPhone / iPod etc to your Mac and install created profile to the device. Later you can go to device settings and in profiles section you'll see installed CA root certificate. That's all

Now you can easily see what your phone is sending / receiving.

Unfortunately you can't download Apps from appStore with proxy enabled, so just don't forget to disable proxy settings on wifi Tab when you finish your tests.

No comments:

Post a Comment