
I am trying to capture HTTP(S) traffic from a proxy-unaware Xamarin iOS application. The current tools I have available are a Mac with a Linux Mint VM, Xcode and iOS developer tools, Burp Suite Community Edition, Charles Proxy and Wireshark.

Strategies

I have tested the following strategies with various degrees of success (but never full success):

Burp Suite and Charles Proxy

Setup: Burp Suite/Charles Proxy running on a Mac, with the proxy's CA certificate installed on the iOS device. The iOS device is configured to use an HTTP proxy.

Problem: Only intercepts certain requests not made by Xamarin's native HttpClient API, such as Google Analytics, which is not useful in analyzing the API of interest.

Wireshark

Setup: iOS device connected via USB cable to the Mac, made a network interface on the Mac per this guide so as to capture packets direct from the iOS device by letting Wireshark read from that network interface.

Problem: All requests are HTTPS and can't be decrypted.

VPN and Burp Suite

Setup: By making a VPN that the iOS device connects to, all traffic will be routed through that VPN and into Burp Suite. The VPN is set up on a Linux Mint VM with its network adapter bridged to my Mac's Wi-Fi card.

Problem: I partially followed a tutorial that describes a PPTP VPN with Burp Suite, but iOS 10 and above has dropped support for PPTP. Attempts to replicate with OpenVPN yielded unsatisfactory results (another post on ServerFault here).

Question of the day

How does one effectively and (hopefully relatively easily) intercept HTTP(S) traffic from an iOS mobile app that does not respect system proxy settings?

Pan Ziyue
  • Another way is to hook into the HttpClient library like I explained previously in this [answer (second solution)](https://security.stackexchange.com/a/189225/25859). You could log the requests/responses. You could also replace the client with your own that respects proxy settings (or add proxy settings). Admittedly, this requires some reversing skills and fiddling. – HamZa Jul 31 '18 at 09:18

1 Answer


This has been a rather interesting turn of events. Apparently, the issue with the VPN/Burp Suite method had to do with my configuration of Burp Suite's invisible proxying (which I neglected after troubleshooting a few times), as answered in the ServerFault question I posted previously. To contribute back to the community, here's a tutorial on how to MITM a proxy-unaware iOS >10 app!

Guide on MITM'ing a proxy-unaware iOS app for iOS 10 and above

Setting up the VM

Set up a Linux VM of your choice (I used Linux Mint, but Ubuntu and Debian based distros work just as well with the rest of the tutorial), and download Burp Suite, preferably the JAR version as it is more portable.

Install OpenVPN as per DigitalOcean's guide. Double check that your iOS device can connect to the VPN and that it can access the Internet.

iptables configuration

You should have already configured your iptables as per the guide above for masquerading client connections. You now have to configure iptables to forward all HTTP and HTTPS requests from OpenVPN's tun0 interface to port 8080 (or whichever port your copy of Burp Suite is using):

# iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080
# iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8080

The fun bit

Launch Burp Suite, making sure to:

  1. Disable Intercept: you don't want to stop and inspect/edit every single connection unless you need that feature
  2. Proxy > Options > Proxy Listeners > Edit and enable listening on all interfaces
  3. Proxy > Options > Proxy Listeners > Edit > Request Handling and enable invisible proxying or none of the above will work!

Have fun ;)

Pan Ziyue
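The two iptables rules above are easy to double-add or forget to remove between sessions. The following helper is an added example (not part of the answer or of any tool it mentions) that adds the same tun0 -> Burp REDIRECT rules idempotently, using iptables' -C check, and removes them again afterwards; it assumes the tunnel interface is tun0 and Burp's invisible-proxy listener is on port 8080, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: idempotent tun0 -> Burp REDIRECT rules (assumed iface tun0,
# assumed Burp port 8080). Real application needs root; DRY_RUN=1 only prints.
: "${DRY_RUN:=0}"
IPT="${IPT:-iptables}"

# Run a command, or echo it when dry-running.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Argument list for one REDIRECT rule: $1=-A/-C/-D, $2=iface, $3=dport, $4=Burp port.
# REDIRECT rewrites the destination, so Burp must run in invisible-proxy mode
# and recover the real host from the Host header / TLS SNI.
redirect_rule() {
    echo "-t nat $1 PREROUTING -i $2 -p tcp --dport $3 -j REDIRECT --to-port $4"
}

# Add HTTP and HTTPS redirects for VPN clients only (matching on the tunnel
# interface leaves the VM's own traffic alone); skip rules already present.
burp_redirect_add() {
    iface="$1"; bport="$2"
    for dport in 80 443; do
        if [ "$DRY_RUN" = "1" ] || ! $IPT $(redirect_rule -C "$iface" "$dport" "$bport") 2>/dev/null; then
            run $IPT $(redirect_rule -A "$iface" "$dport" "$bport")
        fi
    done
}

# Remove the same rules once the test session is over.
burp_redirect_del() {
    iface="$1"; bport="$2"
    for dport in 80 443; do
        run $IPT $(redirect_rule -D "$iface" "$dport" "$bport")
    done
}

# Forwarding must stay enabled for the clients' non-redirected traffic.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Usage: ./burp-redirect.sh add|del [iface] [burp_port]
case "${1:-}" in
    add) enable_forwarding; burp_redirect_add "${2:-tun0}" "${3:-8080}" ;;
    del) burp_redirect_del "${2:-tun0}" "${3:-8080}" ;;
esac
```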
  • So basically, "That's what the Invisible Proxy mode is for"? – Mike Ounsworth Jul 29 '18 at 15:59
  • Addition: I've had situations where the client has a hard-coded trust store that I can't modify. In that case you need to rip the TLS cert+privateKey out of the server and give it to Burp -- which limits you to only inspecting connections to servers that you own. – Mike Ounsworth Jul 29 '18 at 16:03
  • @MikeOunsworth Yes, that would be a rather finicky situation. Hard coded trust stores would significantly complicate things. Perhaps apps can also employ certificate pinning to thwart API analysis through MITM, such as high security banking apps. – Pan Ziyue Jul 30 '18 at 08:04
  • Yeah, certificate pinning (HSTS) is annoying. It often means re-installing the app or otherwise clearing its cache. – Mike Ounsworth Jul 30 '18 at 11:56
  • You can always use [SSL killswitch2](https://github.com/nabla-c0d3/ssl-kill-switch2) with Cydia substrate or the following frida script: [ios 10 ssl bypass](https://codeshare.frida.re/@dki/ios10-ssl-bypass/). These two solutions might not work out of the box for all apps. If that's the case then you will need to get your hands dirty and remove the pinning yourself by hooking into the appropriate methods. – HamZa Jul 31 '18 at 09:24