Burp Suite Mobile Assistant
Burp Suite Mobile Assistant is a tool to facilitate testing of iOS apps with Burp Suite.
If you do not already have Mobile Assistant installed, please see the help on Installing Burp Suite Mobile Assistant.
Once installed, Burp Suite Mobile Assistant can be launched just like any other app on your device. Simply tap the app's icon to get started.
Routing traffic through Burp Suite
Make sure that an instance of Burp is running and that it is network-accessible from your mobile device.
Within Burp Suite Mobile Assistant, you can configure the host and port of the Burp Suite instance that you want to connect to, install the CA certificate from the configured instance, and enable it as the proxy for the device.
You can also run a test to verify your configuration. The test performs the following checks:
- Network connection - This shows whether the device is able to connect to the given host and port.
- Burp validation - This shows whether the service listening on the given host and port is an instance of Burp Suite.
- CA certificate installed - This shows whether the CA certificate used by the configured Burp Suite instance is trusted by the device.
- Proxy enabled - This shows whether the device is configured to proxy HTTP and HTTPS connections via the given host and port.
Note: Changes made to proxy settings by the Mobile Assistant are ephemeral and will be reverted upon reboot. On devices running iOS versions 9.0 onwards, changes made to proxy settings using Mobile Assistant are not reflected in the iOS Settings app. Installation of the Burp CA certificate is not reverted upon reboot.
Bypassing certificate pinning
Certificate pinning is a technique used by apps to defend against the impersonation of trusted servers by malicious actors. In this context, pinning is a term that refers to the process of authenticating the identity of a host (provided by a remote server in the form of an SSL certificate) against a local, trusted copy of the legitimate certificate. Therefore, a connection with the remote server will only be established if the server can prove its identity by means of a certificate that matches the app's expectations.
By default, Burp Suite generates per-host certificates signed by its self-signed CA certificate. Although such certificates might be trusted by the device, they will not match the pinned certificate that the app expects. As a result, Burp's ability to intercept and inspect traffic generated by such apps is undermined by certificate pinning, even when the device has been properly configured to proxy HTTPS traffic.
Burp Suite Mobile Assistant has the ability to inject into other apps and hook into low-level system APIs to subvert certificate pinning, allowing users to intercept traffic using Burp Suite, even when certificate pinning is implemented.
Certificate pinning can be implemented in many different ways, using system APIs, third-party libraries, or custom code. Because Burp Suite Mobile Assistant hooks the low-level system APIs, it succeeds for the vast majority of apps. However, in some cases, successful injection into an app might fail to disable pinning, indicating that an app is performing certificate pinning using custom code.
Note: The certificate pinning bypass feature of Mobile Assistant does not currently support iOS version 10.
Adding injected apps
Items can be added to injected apps list by tapping "Add injected app". An app will be injected with a certificate pinning bypass if it matches at least one of the entries in the injected apps list.
The add menu shows a list of user and system apps, which can be individually selected to be injected.
Advanced users may want to apply injections to a collection of related apps. This can be achieved by adding an advanced filter. The following types of filter are available:
- Executable: This will match every app whose executable name matches the filter's value.
- Bundle ID: This will match any app that has the specified bundle ID, or has a dependency on a framework with that bundle ID. For example, the filter com.apple.UIKit will match any app with a GUI; the filter com.apple.Security will match all apps.
- Class: This will match any app that implements a class whose name matches the filter value.
Injected apps list
You can individually enable or disable entries in the injected apps list. Various checks are performed when an item is enabled, and items will be automatically disabled if an error occurs.
You can delete individual items from the list by swiping left on the item, or tap "Delete all" to clear the list.
Note: Enabling an injection doesn't make it take effect immediately. Injection is performed at the time that an app is launched. Hence, an app will need to be restarted if it was already running when it was enabled in the injected apps list. If an app has been successfully injected, a dialog will appear when the app is launched.
Recovering from crashes
The process of injecting into apps and hooking API calls carries inherent risks. For this reason, Cydia Substrate accounts for unexpected situations and can prevent devices from entering a permanent crash state. In the unlikely event that Burp Suite Mobile Assistant should crash and cause problems, please refer to Cydia Substrate's safe mode.