Getting Started with Traffic Analysis of iOS Applications — Part 1 (Application Traffic and Burp Suite Tabs)
Introduction
In this article, we will learn to set up our device and Burp Suite for capturing network traffic of an iOS application. All the test cases encountered in the process will be covered. A walkthrough of the previous article is recommended before starting this one.
Identifying the communication protocol
An iOS application may use any application layer protocol for communication with its server. Identifying the network communication protocol is the first step in traffic analysis. Most of the applications communicate over HTTP due to its ease of implementation of worldwide use. But other protocols may be also used or even raw sockets may be used by the application if required. For example, the famous application ‘WhatsApp’ uses XMPP (eXtensible Messaging and Presence Protocol) for communication.
Source: https://wiki.mikrotik.com/wiki/Testwiki/Introduction_to_internetworking
Identifying the communication protocol requires use of a tool like Wireshark, TcpDump etc. or it may be done by using self-developed script written in any popular programming language like python or ruby. We will discuss about traffic analysis of iOS applications on HTTP(S). Let us take up the example of twitter iOS application.
We need to connect our device with a WiFi connection provided by the computer so that the packets can be captured using Wireshark. We do the same and first note down the local IP address of our device (10.42.0.208 in this case).
Now we start Wireshark on our computer and put a filter for matching the IP Address of our device.
On gathering information about the IP address found in Wireshark, we observe that the IP address belongs to the hostname api.twitter.com which confirms that the Twitter iOS application communicates over HTTPS.
As seen from the screenshot, twitter uses HTTP for communication.
Capturing iOS Application’s HTTP Traffic using Burp Suite
For capturing HTTP traffic on Burp Suite, we first need to start a proxy listener in Burp Suite as shown.
Go to Proxy → Options → Proxy Listeners.
Edit the default running instance or add a new one.
Choose a listening port (should be greater than 1023 and non-busy) for your proxy, for example 8282 on the IP Address of the interface which is connected to the same network as the iPhone device. If you would like to switch networks too often, you can make it listen on all interfaces. If this is to be done, it needs to be done very responsibly (carefully).
Configure the proxy settings of your iPhone to match the proxy listener of Burp Suite.
Once you are done with this, open Safari and navigate to any HTTP website such as http://www.bbc.com and observe the Proxy → HTTP History Tab in Burp Suite.
It can be also noted that the Target Tab starts recording the network traffic and scanning it for potential vulnerabilities.
Capturing HTTPS Traffic
If we try to capture network traffic from an HTTPS website such as google.com or yahoo.com, we get a message in our browser as shown in the screenshot.
Many websites these days and also our target application i.e Twitter is on HTTPS. Also, applications implement HSTS Flag i.e HTTP Strict-Transport-Security to disallow access of APIs over HTTP. In order to capture the traffic, we need to install the CA certificate of Burp Suite in order to make the website trust us. This can be done very easily by following the steps shown here. At first, we need to make sure that Burp proxy is correctly configured to intercept traffic from the device on to Burp Suite.
Navigate to General → About → Certificate Trust Settings.
Now, if we try to capture HTTPS traffic, we will be able to do that successfully in Burp Suite.
Moving on to Twitter application, as we launch the application we notice that application traffic cannot be captured. Checking the ‘Alerts’ tab, shows us a message as shown in the screenshot.
This indicates that the application has got SSL Pinning implemented. SSL Pinning is used by developers to improve the security of a mobile application. For detailed information about SSL Pinning, refer to: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
If SSL Pinning is perfectly implemented, SSL traffic from an application wouldn’t get captured on Burp Suite or any other tool. But if not, attackers would be able to bypass it. For bypassing SSL Pinning in iOS applications automatically, the tool named ‘SSL KillSwitch’ needs to be used (Manual Bypassing of SSL Pinning will be covered in Runtime Analysis). Download the deb package from the URL ‘https://github.com/nabla-c0d3/ssl-kill-switch2/releases’ and install it as shown in the screenshot.
It can be enabled from Settings → SSL Kill Switch 2 as shown here.
If we launch the application now, we will observe that the network traffic will get captured in Burp Suite.
Conclusion
In this article, we have initiated the traffic analysis by starting to capturing the application’s network traffic using Burp Suite. The knowledge from this article will be used further i.e in the upcoming articles to take up the traffic analysis for finding vulnerabilities in iOS applications.