iOS Application Security | Part 8-A | Getting started with Traffic Analysis of iOS applications - Part 1

Forensics
1

Introduction

This article opens gates for one of the main sections of iOS application assessment i.e. assessment of the network traffic. Assessment of the network traffic of a mobile application is known as Traffic analysis. Let’s get started with this interesting and important part of iOS application assessment.

Choosing a tool for Traffic Analysis

In order to help us carry out traffic analysis on mobile and web applications, many tools are publicly available for getting our job done. Some of the famous ones are Burp Suite, OWASP Zed Attack Proxy (ZAP), Fiddler proxy, Charles proxy and many more.



For carrying out traffic analysis, we would prefer a stable and reliable tool which can capture the application traffic for most of the communication protocols used by the applications today. Extensibility of the tool is also important as we would need the same tool to work with some tweaks implemented.

The most widely used client side proxy tool is Burp Suite. For getting it work, Java Runtime Environment (JRE) needs to be there on our computer. So, Burp Suite is platform independent too. It's community version is free of cost but has less features than its paid version i.e. Burp Suite Professional. The professional version is available for use by individuals or an organization. It is preferred to use the Professional version due to presence of the Scanner and other features in it.

Sw8RGRut3Aq6RBmhpnEawD--f6iUYK3ih8DNLJyAPNeoLtrupLmOjB2mjzOtP_wDtxU1FvfskiCN4vMWdXD18-9TXFlQZwdHlG-SofqqqTP4TNN3XupB0qj1ZQn4L__wQ6RXyrzF.png797×401 25.3 KB


Understanding use of Burp Suite tools

Let us get an understanding of Burp Suite’s in-built tools.

  • Target - This tool contains the site map, with detailed information about the target applications. It lets to define the target scope so that it can be used by other tools to recognize the in-scope items. It consists of two tabs:
    • Site map
    • Scope

0B1ihq_l4xcZYG1hihrCl_VDXQD6DWTE9wt0o4gGfrlfKcy4cW-7mFZ6o6ZoMi4ZlcCPjHreM4G9WCuW0vTRkyQ_TLgdJoDcxB_T6YqX5f5rd5FpVc1dUL8H2N9iCEBY1dgefg0_.png1001×591 31.3 KB


  • Proxy - This tools does the main task for Burp Suite i.e to intercept, view and modify all requests and responses passing between the iPhone device and destination web servers. It consists of four tabs namely:
    • Intercept
    • HTTP History
    • WebSockets History
    • Options

36XhDxKwg0Jd3Y_N4Qis8cwEnBarqKFPzmaaif0sIpQrsNH8Djn6qlfHTFtFuerQkTrrKDYLL4zrBlTHpIECY8WRFSt0fC8LLYpjuPN8596AXUkFdlP2WphzFL6dopWS1N6s99Fq.png964×522 24.1 KB


  • Spider - This tool performs the task of spidering through the application i.e sending requests to all the URLs found in server’s responses recursively and lets us know some pages that we might miss out in manual assessment. It’s job is done by the two tabs:
    • Control
    • Options

rF-yzmk0r9Zg9mKwUGSFlC1lzJ3p3a5rKRjTtdrq8p1QVkqSFEWb2Isj5bdvl3JpH8h-mUoX0a7Ui-LE_G2LScI-6Hl3GlmBcxX5vwP8ng4XKO82qWInqOaYZjGzbGvL6435jlhu.png962×520 41 KB


  • Scanner - This is the tool for which Burp Suite Professional is paid for. It consists of vulnerabilities and their definitions which keep updating with new versions of Burp Suite. The vulnerabilities are scanned automatically by their most common detection techniques and reported back to the user. It comprises of five tabs:
    • Issue activity
    • Scan queue
    • Live Scanning
    • Issue definitions
    • Options

rhV1y7pD-Xtu3nKeWQSUa7vZ8JyJYHs4GTRMGcbG1_mVUVFYqls7zD6cxonf0UQ8ieEt113HAr5thZf9YALGOtSnN5A7qqy_7SEU0piqTfpuRTVfg0q1uXwfEAPSf1kfIDsTyP-3.png956×520 74.6 KB


  • Intruder - This tool is used for automated testing of attacks and payloads customized by us. The settings can be customized for testing all the requests and the required parameters. Its task is performed by the four tabs namely:
    • Target
    • Positions
    • Payloads
    • Options

owmtZEhJxoe5z1hHJ3ZQxzLpfnGbLsmz78pGQqNrXTJLeNPDrfG5bbSuj2ueRFDMuwbvRWlG9IU82hpQKhz3rJINHh7zyI4nnqkltDdpzWqYKyYvh_OMYPdlabIl5MFzSdpYJ2-L.png961×520 42.1 KB


There are four types of attacks offered by the Burp Suite Intruder:
    • Sniper - This attack is used to test the response from the server against a single set of payloads on a particular parameter. It is mostly used to check possibility of Brute Force attacks, implementation of Rate Limiters and other Enumeration stuff.
    • Battering ram - This attack is similar to Sniper but allowing multiple insertion points within a request. It is used for testing with the same payload in multiple insertion points.
    • Pitchfork - This attack is used to test two or more insertion points with one payload from each set of lists providing them.
    • Cluster bomb - This attack is used for testing with all possible permutations from the defined payload sets. It checks out the server’s response to all the possible combinations of applied payloads.

  • Repeater - This tool helps in obtaining proof of concepts from manual assessment of the requests. The requests stored in this tool can be forwarded to the server at any instance of time and the response can be analysed using filtering mechanisms built in the tool.

sC0NxjcXljWrkuULAcHHIyk1IXImQ_SDDvDfASZQCS_aOLVE31Kz7NHrWCD5yW6DBu5i3m5OUY5Hac4EmHDttfZ6pXQUQPzBIpqVO4DraZpSCRR0KGYP3dxzp9l0qXcX1m_Le7Lo.png964×523 25.5 KB



  • Sequencer - This tool is used for prediction purposes. It can capture the list of times either automatically or manually.The values can be analysed for randomness and checked for prediction of the next item in the list (if possible). It consists of three tabs:
    • Live capture
    • Manual load
    • Analysis options

d0vOzkNhONXYYQJxMrH4chKy_cLMKlafPjEPJ3bPLaHqS73Cl8xbQDjoyLCjcIgvLt-eZ6qFuIQfOWgzkVo3Zd-9jTuCt-nOcI6F-y_4LErBIz9NnUWJvT5WcNwptUHkPbh7uAu3.png962×523 26.8 KB


  • Decoder - This tool consists of popular encoding and decoding algorithms. It is used for conversion of values from one form to the other.

NHsPHtBv1EuB8A64WcThoIIU-56PDf9xx7xez9Ege5J5bdjwIbzMYxegypspwZ3B9W5Z4wxbbnxxP0HQavt-3HqLI7mwUnzTqChh30dt5_RGuPxZH5QnPF7iXzXnu2CKgAX49HZ3.png958×521 18.9 KB


  • Comparer - This tool is used to compare two pieces of information for addition, deletion or modification of data. For example, it might be used to check the difference in the server’s responses when the value of any of the parameter is changed in the request.

YTmzJN5AzQL2Lp709WorCgTzmV1FK8TisWPId5nHvupXE2PqrK9mJsvBSW3_jGzNRDB6uB_LxtqxXsgjYa9pqNfWV3xwcVEithxq54uB7JaEfmFKMCGosCW0V8lShdz_M_UlQQFW.png961×596 28.3 KB


  • Extender - This tool is used for extending the functionality of the Burp Suite inbuilt tools and tabs in order to quicken up testing. Burp Suite’s publicly available extensions can be downloaded from BApp Store and also extensions can be developed in Java, Python or Ruby. It is made up of four tabs:
    • Extensions
    • BApp Store
    • APIs
    • Options

T5NINMwnYL7muYlJ_tIpT9SayzLMe120e_tSDZlf0-zkRB_-y4juYyfZdk1JbdodX4jrAsd-5kmZ_PwcAqCzdvU_EH3RH_5EjShRtCzqrNNcDTA76jt-8uIACqBHbC8TS4nSlQSq.png959×593 102 KB


  • Project Options - This tool provides options for project related settings. The settings may be used to overwrite the user options or to specify rules for handling the server’s requests and responses for the current project. One useful and interesting tab is the Sessions tab which helps to carry out our assessment quickly smoothly by specifying macros for maintaining the user sessions of our target application. Other useful options include setting up Burp Collaborator server and scheduling tasks for Burp Suite. The tool comprises of four tabs:
    • Connections
    • HTTP
    • SSL
    • Sessions
    • Misc

3cdO4xd4SmQwrwM5owXpE7NMIC39SCE1ausLHGskWUCmDI_gIzmhT3wWBj6b4KjZFbJ-bthsztylfJ7AzvbwxtRsFu4Tq6cZN6SZM9Rg21TDX3gBLxnZh2dhYMKXFGTwOXBzCqud.png972×486 46.2 KB


  • User options - This tool is used to customize the interface of Burp Suite and also configure upstream server or platform authentication as required. It provides four tabs:
    • Connections
    • SSL
    • Display
    • Misc

C1NcNhdkFfZKYP38CyOEUQARX6T7sKJITK98TXuXoAOuA8AO5Rd6BiK6e7wq_g4tv3tg6G_uTxU2PSVUqFiekyefYEDYavL1afYM3Uo1Bo5qBlCg3dZEViF2KQvaJX8TdTjxHTuS.png964×487 41.8 KB


  • Alerts - This tool is used to log events and error messages from the Burp Suite tools and also the extensions. The alerts are very helpful in debugging tasks.

MN0-UEEqMZNKql5r9UwZ7iyTAVV9EVPBYjRKbKSWKdcLNQsntRdsTTHS0NUsX2-Po9qofEfdpihI2SMWZtFUX_1UklXlr8extcK9lxM2Hf0u_xsv4iDANKZhfeSgGYc3JgC-p69J.png1011×487 23.5 KB


Installing the mobile assistant

Burp Suite offers a mobile assistant to facilitate testing of iOS apps. It supports the following key functions:
  • It can modify the system-wide proxy settings of iOS devices so that HTTP(S) traffic can be easily redirected to a running instance of Burp.
  • It can make an attempt to circumvent SSL certificate pinning in selected apps, allowing Burp Suite to break their HTTPS connections and intercept, inspect and modify all traffic.

Installing the mobile assistant is easy. On the computer, start Burp Suite and configure to listen on any particular interface on a desired port. For example, in the screenshot, Burp Suite is configured to listen on 192.168.42.43 at port number 8282.

Conclusion

In this article, we have learnt about proxy tools that we can use for performing traffic analysis on mobile applications. We have got a healthy introduction to the Burp’s in-built suite of tools. Good use of these tools comes from practice. With every application we determine to secure, we will learn more and more about the use of these tools. In the next part of this section, we will learn to capture the network traffic of an iOS application.

Article Link: https://blog.lucideus.com/2019/04/ios-application-security-part-8-getting.html