April 19, 2016
Mobile - Proxying Your Mobile Traffic
Taking a bit of a break from Classic ASP comes mobile security auditing. In this post, I will be showing you how to hook-up Burp Suite to your phone and begin proxying your mobile traffic. This allows a security professional to analyze from a black-box perspective how an app works with its internal API counterpart (and more importantly what can we break with said internal API).
First things first, go snag the free copy of Burp Suite if you don't already have it. This is not a tutorial on using Burp Suite, but I personally swear by it. Do yourself the justice of learning its quirks and grabbing a few must-have extensions. It is a wonderful tool.
Next, let's get Burp listening on another port (which we direct our phone to). Open Burp, click the Proxy tab, then click the Options sub-tab. Click the Add button under Proxy Listeners.
In the pop-up, pick an open port to bind your proxy to (I use 8082). Then select Bind on All Interfaces. On Windows, you may get a firewall warning. Be sure to allow Burp Suite to bind to this network port (otherwise you will go down a whole 'nother firewall rabbit-hole).
I will preface this section with the fact that I'm using Android 6.0 for my examples. Older versions of Android have some of these options in different places. Remember, Google is your friend if you need to find that one obscure setting I mention.
First things first, make sure your PC and phone are on the same network (it's okay if one is wired as long as their isn't a subnet difference you should be good). On your phone, open the WiFi menu (Settings > Wi-Fi). If you're already connected to your WiFi, forget the network!
Choose your network, enter the password, and tap Advanced Options. Set the Proxy option to Manual. Enter the IP address of the computer running Burp, enter the port you chose before, and then tap connect.
You should now be connected. You should start seeing traffic in Burp under the Proxy > HTTP History tab. However. the fun doesn't end here! You can only see HTTP traffic as the Burp certificate isn't installed on your phone. Time for the next wrinkle...
Open a browser on your phone and type: http://burp -- If everything is working, you will be presented with a fairly simple Burp Suite page. Tap the link for CA Certificate. Make sure that downloads to your device.
Now, navigate to Settings > Security > Install from Storage. From here, select the certificate you just downloaded. Android may get angry and leave an ever present warning saying your traffic can now be monitored. This is normal. You are snooping on your traffic, soo... They're not far off.
NOTE: In my testing, I needed to rename the cert.der that I obtained from http://burp. The cert file needed to be renamed to cert.cer for the Android certificate manager to understand it as a certificate. You can grab any file manager (I prefer ES File Manager) in order to rename the downloaded file.
More preface... I do not have an iPhone to snag screenshots from. Sorry. This is all from memory from an iDevice at work.
First things first, make sure your PC and phone are on the same network (it's okay if one is wired as long as their isn't a subnet difference you should be good). Open the WiFi menu (Settings App > WiFi). Connect to the appropriate WiFi network. Now tap the blue-colored icon to the right of the WiFi network name.
On this screen, choose to use a proxy. Enter in the IP Address of your PC. Enter in the port chosen earlier.
Now, open Safari, and navigate to http://burp -- Tap the CA Certificate link. You should be immediately redirected to the Install Certificate page. Choose to the install the certificate. And you're done.
When you finish proxying traffic, be sure to revert all the settings you changed from this post. Leaving a Burp Suite certificate installed on your phone is a horrible idea that I hope doesn't need explaining. Remember, every phone is different, so it's likely this guide will not be perfect. I will happily help if you submit questions in the comments below however.
Yes, yes, I'm late to the party, I know. Poorly secured Amazon S3 buckets have been a thing for a while now, but recently there's...
It was about time for something a little bit different around here, so here's my write-up for the CSAW CTF 2017 -- Web 150 challenge tit...
It's been a while since I've written up a new post, so I thought I'd start a new series where I do deep dives into common w...