Hi everyone, I am interested in how a banking app works, especially the way it handles HTTPS requests. So I installed one, set my proxy settings, started Burp Suite and expected it to work. As you may expect, it did not.

Burp Suite gave me an error, namely: Received close_notify during handshake

At that point I came up with 2 options:

1) I did something wrong with the CA installation of Burp Suite. To verify this I opened Snapchat, which also requires Burp's CA certificate. Burp Suite did function as normal, so I think this is not the problem.

2) The app doesn't allow me to use a proxy server. This seems the most logical thing, especially because the error is that Burp received a close_notify message, which suggests that the app quit the connection. And also a banking app is (at least I hope) very well protected.

However, I still want to inspect the internet traffic of the app, so how should I do this? I think I might start using cycript to see if I could enable/disable a function that controls proxy handling. If there are easier ways I would be very willing to hear this. Another option which seems like a solution to me is letting my phone think it isn't connecting to a proxy server by changing IPs or something like that.

Thanks in advance!

that guy
  • Do you just want to look at the traffic? Or its contents? I.e., you could just use Wireshark if all you want to do is look at the traffic, but Wireshark doesn't decrypt SSL, so you couldn't look at the contents. – KnightOfNi Dec 17 '14 at 20:27
  • Are you sure the app is using HTTPS? Maybe they are using another communication method? Inspect using Wireshark to make sure you are using the correct analysis tool for the protocol involved. – schroeder Dec 17 '14 at 21:47
  • The banking app could use certificate pinning. It has the certificate fingerprint of the bank server hard-coded and refuses any other certificate, even if signed by a trusted certificate authority. This would be a quite reasonable precaution for a security-critical app which only communicates with a single HTTPS server. – Philipp Dec 17 '14 at 22:32
  • Other theory: The communication between client and server doesn't just verify the server's identity with a certificate but also the client's identity with a certificate signed by the server. This is a rarely used but still widely supported feature of HTTPS. – Philipp Dec 17 '14 at 22:40
  • Thanks for the answers, I'll try to figure out if the server uses certificate pinning or any of the other ideas. – that guy Dec 18 '14 at 17:49
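
The pinning check described in the comments above, sketched from the app developer's side as an added example (not code from the thread or from any real banking app). It shows why a certificate that chains to a CA the device trusts is still refused when its fingerprint is not the pinned one. The certificate bytes, the pin set and all function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded leaf certificates (not real certificates).
BANK_CERT = b"constructed-der-bytes: bank server leaf"
PROXY_CERT = b"constructed-der-bytes: leaf issued by a locally installed proxy CA"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


# The pin set shipped inside the client (hypothetical). Real deployments usually
# carry at least one backup pin so a certificate rotation does not lock users out.
PINNED = {fingerprint(BANK_CERT)}


def pin_matches(der_cert: bytes, pinned: set) -> bool:
    """True if the presented certificate's fingerprint is one of the pins."""
    presented = fingerprint(der_cert)
    return any(hmac.compare_digest(presented, pin) for pin in pinned)


def evaluate(der_cert: bytes, chain_trusted: bool, pinned: set) -> str:
    """Two-stage decision: normal CA chain validation first, then the pin."""
    if not chain_trusted:
        return "reject: untrusted chain"
    if not pin_matches(der_cert, pinned):
        # The chain is valid, but this is not the certificate the app expects.
        return "reject: pin mismatch"
    return "accept"


def connect_pinned(host: str, pinned: set, port: int = 443, timeout: float = 5.0) -> str:
    """Live variant: open a TLS connection and enforce the pin on the peer leaf."""
    ctx = ssl.create_default_context()  # system trust store + hostname check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pinned):
                raise ssl.SSLError("pin mismatch")  # connection is closed on exit
            return tls.version()
```

An app without a pin stops after the chain check, which is consistent with the same CA setup working for one app and failing for another.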

1 Answer

You may not have the proper decoder in Burp Suite to perform testing. What "application-type" are you seeing with the requests? E.g., JSON, AJAX, etc. Burp Suite has separate decoders for JSON, and this does not mean your bank's API is using JSON. In order to properly analyze what is going on, you need the right tool for the job. What you can try to do, for study purposes etc., is capture the traffic, shove it through Netwitness Investigator, and use its protocol decoder (which is automated) to make sense of all data connections, applications, types, etc. from point A to point B. My guess is, you're not hitting the right protocol to analyze with Burp Suite.

munkeyoto