Pentesting mobile applications with Burpsuite
Securing mobile applications is one of the most important security issues today, especially as sophisticated cyber threats continue to evolve and become increasingly covert.
Thus, pentesting mobile applications has become a necessity to provide an adequate level of security not only to customers, but also to businesses and corporations whose sales teams are constantly on the road.
Figure 1: Mobile Malware: Threat Statistics – McAfee Labs 2016
In this article, we will discover how to pentest mobile applications using Burp Suite, one of the more powerful tools used today by pentesting teams.
Burp Suite is one of the most widely used software packages not only for pentesting web applications, but for pentesting mobile applications as well. It is designed for the hands-on penetration tester and has a host of functionalities that help perform various security-related tasks, depending on the environment in which it is being used.
The tools available in Burp Suite are as follows:
- Proxy: Burp Suite comes with a proxy running by default on port 8080. It is this proxy that makes it possible to intercept and manipulate (forward, drop, etc.) the traffic between the client and the web application.
- Spider: This feature is used to crawl web applications looking for new links, content, etc. which is located in the target environment.
- Scanner: This feature is used to scan web applications searching for vulnerabilities and hidden weaknesses.
- Repeater: The repeater is used to modify and send the same request several times to analyze the differing responses which arise from it.
- Sequencer: The sequencer is a dedicated tool for analyzing the degree of randomness of the session tokens emitted by the application in question.
- Decoder: This tool is used to encode and encrypt data, or to decrypt data.
- Comparer: This tool is used to perform a comparison between two requests, responses or any other type or kind of data.
- Intruder: This is used for various pentesting objectives such as exploiting vulnerabilities, launching dictionary attacks, etc.
For more information about Burp Suite you can find an informative article here:
Figure 2: Architecture of Burp Suite
How to install Burp Suite
Burp Suite is by default installed in Kali Linux, but it can be used on any platform. More information can be found here: https://portswigger.net/burp/
After running Burp Suite, the following screen will appear:
Next, click on "Start," as seen on the screen below:
From here, go to the Proxy tab then select the "Options" button:
Click on the interface (by default it is 127.0.0.1), and then:
- Click on edit.
- Choose "all interfaces."
- Click on ok.
These steps are illustrated below:
After this, you have to have your mobile phone ready, and then choose "Settings."
IMPORTANT: You must be on the same wireless network.
To do this, on the settings menu go to the Wi-Fi selection:
- Choose your wireless network.
- Select Advanced Settings.
- Set the proxy option to manual:
Once the above step has been accomplished, enter the IP Address of your machine and the listening port of Burp Suite (by default this is 8080). This is illustrated in the screen below:
Once the above has been accomplished:
- Navigate to http://burpsuite (through the proxy) to download the Burp Suite CA certificate, which is needed to intercept SSL traffic.
- Click on CA certificate and rename the file to "cacert.cer":
Once the above has been done, go to the location of the file and open it, and from there, the installation will automatically run.
IMPORTANT: Make sure to choose VPN and applications:
Once you open a mobile app on your smartphone, you can then intercept all the traffic between your smartphone and the web server you are currently accessing. This is illustrated in the screen below:
What to look for in the intercepted traffic log
Here is what to look for in these kinds of log files:
The following example clearly demonstrates that there is no encrypted traffic (SSL). This means that a cyber attacker who is covertly on the network can intercept the username/password very easily. This is demonstrated on the screen below:
The interception of Session Cookies allows the Cyber attacker to hijack the victim's sessions without the need for any passwords or any other types and kinds of credentials. This is illustrated in the screen below:
The screen below displays the "SARAHA" Mobile Application, which can covertly send all your phone contacts to the Cyber attacker without your knowledge:
Other extraneous items one can search for by using the Burp Suite software package include the following:
- Insufficient Authorization/Authentication
- Improper Certificate Validation
- Web Services
- How the mobile app works in a pentesting environment
- Any APIs which are used
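As an added example (not code from the original article), the script below reviews a constructed, Burp-style HTTP history for the three things the article says to look for: cleartext HTTP carrying credentials, session cookies set without the Secure/HttpOnly flags, and requests that ship the phone's contacts off the device. The sample exchanges and the field names it matches on are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: three intercepted exchanges as (request, response) text,
# written the way a proxy sees them (absolute URL on the request line).
SAMPLE_HISTORY = [
    ("POST http://example.test/login HTTP/1.1\r\nHost: example.test\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=alice&password=hunter2",
     "HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=abc123; Path=/\r\n\r\nok"),
    ("GET https://example.test/profile HTTP/1.1\r\nHost: example.test\r\n"
     "Cookie: JSESSIONID=abc123\r\n\r\n",
     "HTTP/1.1 200 OK\r\nSet-Cookie: pref=dark; Secure; HttpOnly\r\n\r\n{}"),
    ("POST https://example.test/sync HTTP/1.1\r\nHost: example.test\r\n"
     "Content-Type: application/json\r\n\r\n"
     '{"contacts":[{"name":"Bob","phone":"+15550001"}]}',
     "HTTP/1.1 204 No Content\r\n\r\n"),
]

CRED_KEYS = {"password", "passwd", "pwd", "pin", "token"}      # assumed field names
CONTACT_MARKERS = re.compile(r'"?(contacts|phone|address_?book)"?\s*[:=]', re.I)

def split_message(msg):
    """Return (start line, lowercase header dict, body) for one HTTP message."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in
               (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return lines[0], headers, body

def review_exchange(request, response):
    """Return a list of finding strings for one request/response pair."""
    findings = []
    req_line, req_hdrs, req_body = split_message(request)
    _, resp_hdrs, _ = split_message(response)
    url = req_line.split(" ")[1]
    cleartext = url.startswith("http://")
    if cleartext:
        findings.append("cleartext HTTP: " + url)
    # Credentials posted as a form are readable by anyone on the path if cleartext.
    if req_hdrs.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        if CRED_KEYS & set(parse_qs(req_body)):
            findings.append("credentials in body " + ("over cleartext" if cleartext else "over TLS"))
    # A session cookie without Secure/HttpOnly is easier to capture and replay.
    cookie = resp_hdrs.get("set-cookie")
    if cookie:
        missing = {"secure", "httponly"} - {f.strip().lower() for f in cookie.split(";")[1:]}
        if missing:
            findings.append("session cookie missing " + ", ".join(sorted(missing)))
    if CONTACT_MARKERS.search(req_body):
        findings.append("address-book data sent to " + url)
    return findings

def review_history(history):
    """Map each exchange index to its findings; exchanges without findings are dropped."""
    return {i: f for i, (rq, rs) in enumerate(history) if (f := review_exchange(rq, rs))}
```

Feed it the raw request/response pairs exported from Burp's Proxy history to triage a capture quickly before reading it by hand.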
Conclusion
In this article, we discovered how to pentest mobile applications using Burp Suite, how to install it, and what kinds of information and data it can show to the pentesting team. In the next series of articles, we will learn to pentest other vectors of mobile applications such as Web Services.
Posted: December 1, 2017
Kondah Hamza
Kondah Hamza is an expert in IT security and a Microsoft MVP in enterprise security. He is also involved with various organizations, helping them strengthen their security. Today, he offers his services mainly as a Consultant, Auditor/Pentester and Independent Trainer with Alphorm.com.