Pentesting Non-Proxy Aware Mobile Applications Without Root/Jailbreak

Meshal
4 min read · Feb 6, 2021

Pentesters sometimes run into obstacles when testing mobile applications, and one of them is non-proxy-aware mobile applications. These applications usually either have no proxy support at all or are configured to ignore the mobile OS proxy settings. This tutorial explains how to overcome this issue without a rooted or jailbroken device, using a simple Flutter webview mobile app I made to practice on.

This tutorial has the following prerequisites:

  1. Linux/Windows Operating system (host).
  2. Linux virtual machine (Mint distro used in the tutorial).
  3. Android mobile phone (the same approach can also apply to iPhone).

First, configure the virtual machine:

  1. In the network settings change it to a bridged adapter.
  2. Install Burp Suite or use the portable version in the virtual machine.
Virtual Machine Network Settings

For the VPN part, we use a VPN to force all the mobile phone traffic through a tunnel to the VPN server in the virtual machine.

From there, we use iptables rules to redirect all the VPN traffic to our Burp Suite listener.

To set up the VPN server on the virtual machine we will follow the DigitalOcean guide, keeping a few points in mind:

  • Use your internal IP (the DigitalOcean guide uses an external IP as its example).
  • Every time we connect and disconnect the virtual machine, or connect to a new network, the internal IP of the VPN server usually changes. Therefore, regenerate the VPN client certificate with the new internal IP or, if you use the “OpenVPN for Android” app, edit the certificate from the server list tab and change the IP to the new one, then connect as shown in the screenshot.
Example: Editing IP in VPN Client Certificate

DigitalOcean Guide:

After setting up the virtual machine and VPN server, we need to force all the traffic that goes through our VPN to port 8085, which is the port our Burp Suite proxy is listening on:

Iptables

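We will use iptables, which is “a utility to set-up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel”.

Flush the previous rules to start fresh (without -t this clears the default filter table only; rules added earlier to the nat table stay in place):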

sudo iptables -F

Set the default policy to ACCEPT for the INPUT, OUTPUT and FORWARD chains:

sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT

Redirect all HTTP and HTTPS traffic arriving on the VPN network interface tun0 to port 8085, where Burp Suite is listening:

sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8085
sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8085

Hint: the iptables rules need to be re-applied every time the virtual machine is rebooted.

This way, the mobile phone's HTTP and HTTPS traffic is forced through the Burp Suite proxy.
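
The hint above means the redirect rules get typed again after every reboot, and appending them a second time leaves duplicate entries in the nat table. The following added example (not part of the original post) wraps the same two rules for tun0 and port 8085 in a script that checks for an existing rule with `iptables -C` before appending and can delete the rules once testing is done; the script file name and the `APPLY`, `IFACE` and `BURP_PORT` variables are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent version of the tutorial's
# REDIRECT rules. Dry run by default: commands are printed, nothing is changed.
# To change iptables: sudo env APPLY=1 sh burp-redirect.sh apply   (file name is hypothetical)
IFACE="${IFACE:-tun0}"           # VPN interface used in the tutorial
BURP_PORT="${BURP_PORT:-8085}"   # Burp Suite listener port used in the tutorial

# Succeeds only for a decimal TCP port in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# nat_rule ACTION IFACE DPORT PROXY_PORT, where ACTION is -A (append), -C (check) or -D (delete).
nat_rule() {
  set -- iptables -t nat "$1" PREROUTING -i "$2" -p tcp --dport "$3" -j REDIRECT --to-port "$4"
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Append the redirect for one destination port unless an identical rule already exists.
ensure_redirect() {
  if [ "${APPLY:-0}" = 1 ] && nat_rule -C "$@" 2>/dev/null; then
    return 0
  fi
  nat_rule -A "$@"
}

# apply_redirects IFACE PROXY_PORT: send HTTP and HTTPS arriving on IFACE to the proxy port.
apply_redirects() {
  valid_port "$2" || { echo "invalid proxy port: $2" >&2; return 2; }
  for dport in 80 443; do
    ensure_redirect "$1" "$dport" "$2" || return 1
  done
}

# remove_redirects IFACE PROXY_PORT: delete every copy of the rules once testing is finished.
remove_redirects() {
  for dport in 80 443; do
    if [ "${APPLY:-0}" != 1 ]; then nat_rule -D "$1" "$dport" "$2"; continue; fi
    while nat_rule -C "$1" "$dport" "$2" 2>/dev/null; do
      nat_rule -D "$1" "$dport" "$2" || return 1
    done
  done
}

case "${1:-}" in
  apply)  apply_redirects  "$IFACE" "$BURP_PORT" ;;
  remove) remove_redirects "$IFACE" "$BURP_PORT" ;;
esac
```

Running `remove` after the test session returns the VM's nat table to its previous state, so traffic from later VPN clients is no longer redirected to the proxy port.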

Configuring Burp Suite Listener:

Set Burp Suite to listen on port 8085 on all interfaces. We still have one issue to deal with: Burp Suite can’t resolve the requests to a specific IP.

Configuring Burp Suite to resolve the domain/IP:

  • In the Proxy tab, go to Edit, then click Request handling. After that, provide the destination IP (the IP the mobile application sends its requests to).
  • Check “Support invisible proxying”.
Burp Suite Proxy and Request Handling

With the VPN connection, iptables rules, and Burp Suite configuration set up, you can install my testing Flutter app from here, which just sends an HTTP request to the whatismyipaddress.com Blacklistcheck tool.

After opening the application and clicking the “CHECK MY IP ADDRESS” button, the traffic is shown in the Burp Suite HTTP history.

Burp Suite HTTP history

The source code of the mobile app:

https://github.com/Meshall/flutter_fp/tree/master/flutter_fp

Happy Hacking!
