Monday, May 1, 2017

Working with BurpSuite MobileAssistant Tool

On Friday, April 28, 2017, PortSwigger released a new Burp Suite tool called Mobile Assistant. It was released mainly for two purposes: it changes the system-wide proxy setting on the device, and it bypasses SSL certificate pinning. Currently it is available for iOS 8 and later only. You can find more detail on the official blog referenced below. Here I am going for an in-depth tutorial, starting from setting up Mobile Assistant through to using it.
To keep the tutorial simple, I am writing out the steps one by one. I am using iOS version 8.0.2.

1. Download the Burp certificate using the standard method described in reference link 2 in the reference section.

2. Click on Install.

3. Once the Burp certificate is installed successfully, you will see a "Verified" message.

4. To test the connection, open the Facebook website in Safari and check whether you can intercept the traffic in Burp Suite. Here I am able to intercept the traffic, so all is fine.

5. Now open the Cydia app on the jailbroken device. Click on Sources as highlighted below.

6. Click on the Edit button.

7. Click on the Add button.

8. Now we need to add the repo URL. As mentioned on PortSwigger's official blog, this is the local URL of the machine running Burp Suite. In my case it is on port 8080.

9. Clicking the 'Add Source' button in the step above verifies the connection.

10. It will start updating all sources from the repo.

11. Once done, you may get a few error messages depending on the configuration of your device. You may or may not see them, and they are not relevant to the task at hand: they come from other repos. Click on the Return to Cydia button.

12. You will find the BurpSuite Pro source added to the list. Click on it.

13. Click on the MobileAssistant folder.

14. Click on the MobileAssistant application to install it.

15. Click on Install.

16. It will download and install the package. Once done, you will need to click on the Restart SpringBoard button to apply the changes.

17. On the home screen, you will see a new MobileAssistant icon from Burp Suite.

18. Open the application. Enter the host and port details, enable the proxy switch, and then click on Test Connection.

19. If everything goes well, you will see a success message as below:

20. In my case particularly, this is an extra step. Disable any certificate pinning bypass application you are currently using; otherwise you will not be able to tell which tool actually bypassed the certificate pinning. In my case I was using the SSL Kill Switch application, so I disabled it.

21. To apply the change, you will need to restart SpringBoard. I prefer restarting SpringBoard with the command below over SSH.

killall -HUP backboardd

22. Now let us open the target application, assuming it has certificate pinning protection.

As you can see, the application was not able to connect to the server. In the Alerts tab of Burp Suite we see an SSL handshake failure, which confirms that SSL Kill Switch is not active for this application and that the target application has SSL pinning in place.

Now open MobileAssistant.

23. Click on the 'Add Injected App' button. This Mobile Assistant feature performs runtime hooking in order to disable certificate validation in the selected application.

24. Select your target application. In my case, it is the target application shown.

25. Once selected, enable the Injections switch for run-time hooking.

26. Now open the target application; you will see the message below.

27. After clicking OK, MobileAssistant bypasses the certificate pinning and the app will accept Burp Suite's self-signed certificate, so the data between client and server is transmitted through the proxy.
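As an added example (not part of the original tutorial or of the Mobile Assistant tool), the Python script below triages the kind of Burp Alerts output described in step 22 and re-checks it after the injection from step 27. The alert lines are constructed samples whose wording mirrors Burp's client-side TLS negotiation alert, and the host names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of Burp "Alerts" tab output captured BEFORE enabling the
# Mobile Assistant injection (hypothetical hosts; wording modelled on Burp's
# client-side TLS negotiation failure alert).
ALERTS_BEFORE = """\
10:41:02 Proxy: The client failed to negotiate an SSL connection to api.example-target.com:443: Received fatal alert: certificate_unknown
10:41:02 Proxy: The client failed to negotiate an SSL connection to api.example-target.com:443: Received fatal alert: certificate_unknown
10:41:05 Proxy: The client failed to negotiate an SSL connection to cdn.example-target.com:443: Remote host closed connection during handshake
10:41:09 Proxy: Proxy service started on 127.0.0.1:8080
"""

# Constructed sample captured AFTER enabling the injection for the app.
ALERTS_AFTER = """\
10:52:17 Proxy: The client failed to negotiate an SSL connection to cdn.example-target.com:443: Remote host closed connection during handshake
"""

HANDSHAKE_RE = re.compile(
    r"failed to negotiate an SSL connection to (?P<host>[^:\s]+):(?P<port>\d+)"
)


def handshake_failures(alert_text):
    """Count client-side TLS handshake failures per host.

    Repeated failures for a host while the device already trusts Burp's CA
    are the signal the tutorial uses to conclude that the app pins its
    certificate instead of trusting the proxy's certificate.
    """
    counts = Counter()
    for line in alert_text.splitlines():
        match = HANDSHAKE_RE.search(line)
        if match:
            counts[match.group("host")] += 1
    return dict(counts)


def bypass_report(before_text, after_text):
    """Compare alerts before and after enabling the injection.

    Returns (fixed, still_failing): hosts whose handshakes now succeed, and
    hosts that still fail (pinning not covered by the hook, or an unrelated
    network error) and therefore need a closer look.
    """
    before = set(handshake_failures(before_text))
    after = set(handshake_failures(after_text))
    return sorted(before - after), sorted(after)
```

Paste the real Alerts tab contents into the two strings to get the same before/after comparison for your own target.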



Anonymous said...

Hi Chintan,

Just a friendly reminder that there is no need for you to install the CA certificate beforehand. Mobile Assistant does it for you!

Frogy said...

Yes, it is not required. However, the device was configured with Company A's Burp certificate, and when I was doing the tutorial for Mobile Assistant, I had Company B's Burp Suite. So I thought to replace A's certificate with B's, hence I included that in the scope. However, you are absolutely right in that case.

Mike Lander said...

Great Read