Pentesting mobile applications with Burpsuite

Kondah Hamza

Securing mobile applications is one of the most important issues today, especially with the continuing evolution of sophisticated cyber threats which are becoming very covert today.

Thus, the pentesting of mobile applications has become a necessity to provide an adequate level of security to not only customers but to businesses and corporations whose respective sales teams are constantly on the road.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Figure 1: Mobile Malware: Threat Statistics – McAfee Labs 2016

In this article, we will discover how to pentest mobile applications using Burp Suite, one of the more powerful tools used today by pentesting teams.

Burp Suite is one of the most widely used software packages for not only pentesting web applications but, for pentesting mobile applications as well. It is designed for the hands-on penetration tester and has a host of functionalities that help perform various Security related tasks depending on the environment in which it is being used.

The tools available on Burp suite are as follows:

For more information about Burp Suite you can find an informative article here:

Figure 2: Architecture of Burp Suite

How to install Burp Suite

Burp Suite is by default installed in Kali Linux, but it can be used on any platform. More information can be found here: https://portswigger.net/burp/

After running Burp Suite, the following screen will appear:

Next, click on "Start," as seen on the screen below:

From here, go to the Proxy tab then select the "Options" button:

Click on the interface (by default it is 127.0.0.1), and then:

  1. Click on edit.
  2. Choose "all interfaces."
  3. Click on ok.

These steps are illustrated below:

After this, you have to your mobile phone ready and then choose "Settings."

IMPORTANT: You must be on the same wireless network.

To do this, on the settings menu go to the Wi-Fi selection:

  1. Choose your wireless network.
  2. Select Advanced Settings.
  3. Set the proxy option to manual:

Once the above step has been accomplished, enter the IP Address of your machine and the listening port of Burp Suite (by default this is 8080). This is illustrated in the screen below:

Once the above has been accomplished:

  1. Navigate to http://burp suite to download burp suite certificate to be able to intercept SSL traffic.
  2. Click on CA certificate and rename the file to "cacert.cer":

Once the above has been done, go to the location of the file and open it, and from there, the installation will automatically run.

IMPORTANT: Make sure to choose VPN and applications:

Once you open a mobile app on your Smartphone, you can then intercept all the traffic between your Smartphone and the web server of which you are currently accessing. This is illustrated in the screen below:

What to look for in the intercepted traffic log

Here is what to look for in these kinds of log files:

The following example clearly demonstrates that there is no encrypted traffic (SSL), This means that a Cyber attacker who is covertly on the network can intercept the username/password very easily. This is demonstrated on the screen below:

The interception of Session Cookies allows the Cyber attacker to hijack the victim's sessions without the need for any passwords or any other types and kinds of credentials. This is illustrated in the screen below:

The screen below displays the "SARAHA" Mobile Application, which can covertly send all your phone contacts to the Cyber attacker without your knowledge:

Other extraneous items one can search for by using the Burp Suite software package include the following:

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Conclusion

In this article, we discovered how to pentest mobile applications using Burp Suite, how to install it, and what kinds of information and data it can show to the pentesting team. In the next series of articles, we will learn to pentest other vectors of mobile applications such as Web Services.

Posted: December 1, 2017

Kondah Hamza

Kondah Hamza

Kondah Hamza is an expert in it security and a Microsoft MVP in enterprise security. He is also involved with various organizations to help them in strengthening of their security. Today, he offers his services mainly as Consultant, Auditor/Pentester and Independent Trainer with Alphorm.com.

Self-Paced Training - Sidebar Top A

Boot Camps – Sidebar Bottom B

Get certified and advance your career