I am trying to intercept web traffic with Burp from mobile devices (Android and iPhone) that are enrolled in an MDM solution (MobileIron). There is one specific website I want to proxy that is available only through the "secure browser", as the website is hosted on an internal IP and the secure browser works as a "per app VPN", meaning that the traffic from the browser is tunneled directly to the internal network. The tunneling is secured by a client certificate installed on the Android and iOS devices. I cannot root or jailbreak the devices.

Currently I have set up a wireless hotspot and the proxy settings on the mobile devices are set to connect to Burp on my computer. I am able to intercept all other traffic that is not going through the secure browser. However, the data going through the secure browser is not intercepted. It seems as if the connection is tunneled before relaying to Burp.

Is there any way I can intercept the communication with Burp without the client certificate?

torjus
  • Seems unlikely to work without the certificate. When you say you cannot root or JB the devices, do you mean that it isn't possible for the current version, or that the app detects it and won't run? If it's the latter, you should be able to root/JB the device, pull the certificate file, then un-root the device again before running the app. – Polynomial Nov 14 '18 at 11:03
  • Did you also look into the app file itself, to see how the client certificates get deployed? If you're lucky it'll be hard-coded (which is an issue in and of itself) and you can just pull it out of the app directly. Otherwise it still seems that the app must be able to get the certificate from somewhere before it creates the secure tunnel, which you may be able to intercept. – Polynomial Nov 14 '18 at 11:06
  • JB is not possible for the iOS version; in addition, the MDM app performs root detection. Rooting seems to be difficult on the Android app as it is not possible to enable USB debugging, which is disabled by the MDM policies. I have not found a hardcoded certificate in the app. I believe that the certificate is stored in the secure storage container in iOS and Android. – torjus Nov 14 '18 at 11:22
  • But how did the certificate get onto the device? It has to either be loaded on manually or from the internet. If it's loaded on manually and that provisioning process is done before the user gets the device (e.g. in a work phone scenario) then that would make sense as to why you can't get the cert. Unfortunately that would leave you without many options. – Polynomial Nov 14 '18 at 11:25
  • It is not loaded manually, but inserted when enrolling in MobileIron. My guess is that the client certificate is generated by the client, and thus not possible to intercept. – torjus Nov 14 '18 at 11:41
  • Ah, yeah, I guess the client device generates a pub/priv pair, then enrols the public key with the server. That makes things difficult. – Polynomial Nov 14 '18 at 11:58

0 Answers