iOS Assessments with Burp + iFunBox + SQLite
In January, I wrote a post on performing Android Assessments with GenyMotion + Burp so I thought it was about time I wrote a similar post on performing iOS assessments.
In the instance above, the IP address of the testing machine is 192.168.1.2. Set the proxy settings within iOS to pass all web traffic to the testing machine. On your iOS device, go to Settings -> Wi-Fi and tap your current Wi-Fi network. Scroll to the bottom of the page that displays the current Wi-Fi information to find the HTTP Proxy settings. Switch the HTTP Proxy setting to ‘Manual’, use the IP address of the testing machine as the ‘Server’ (in our case, 192.168.1.2), and set the port to 8080.
Launch Burp Suite Pro or Free. Click on the top Proxy tab then click on the Options secondary tab. Lastly, click on the “Add” button to add a new proxy listener.
Specify the listener port that was defined within the iOS device (in my case, port 8080). Also, click on the “Specific address” radio button and from the drop down select the IP address specified within the iOS device (in my case it was 192.168.1.2). When complete click ‘OK’ to return to the previous screen.
Verify that the new proxy listener has been added and that the check box next to the listener is ticked, which shows that it is enabled.
If all of the settings were configured properly, Burp should now see web traffic passed to it by the iOS device.
At this point, all web traffic should be passing from the iOS device to Burp. However, if any applications are communicating over HTTPS, the iOS device will throw errors. This happens because the Burp Certificate Authority (CA) Certificate is not yet trusted by the iOS device. Starting with Burp 1.6, the method of retrieving the Burp certificate is the same regardless of whether you are using Burp Free or Burp Pro.
Click on the Proxy tab and the Options secondary tab. Click on the “CA certificate…” button.
Export as “Certificate in DER format”. Click “Next”. Name the Certificate
The easiest way to get the certificate onto your iOS device is to email the Burp certificate to yourself and open the message on the device. iOS will prompt you to install the certificate once you open the certificate attachment within your email. Click “Install”.
On the next screen click “Install” again.
Lastly, iOS will require you to enter your passcode or to set a passcode if you have not already done so.
Once the certificate is successfully installed, iOS should return you to a screen that has a green “Trusted” check for the PortSwigger certificate. You should now be able to capture encrypted traffic between your iOS device/application and its corresponding server.
For the purposes of demonstrating iFunBox’s capabilities, I will be using the ESPN Score Center application downloaded from the iTunes Store.
Use an iOS hardware data cable to connect your iOS device to your testing machine and launch iFunBox. iFunBox should detect the iOS device and display a few options under the device.
Expanding the tree under “User Applications” displays all of the installed applications on the device.
Double-click on the “SportsCenter” application, revealing the file system behind the application.
iFunBox allows you to drill down into the file system of the application (not the operating system) and view all of the files, logs, and databases that could potentially store sensitive information, without having to jailbreak your iOS device.
You can download SQLite Database Browser from here.
In tandem with iFunBox, SQLite Database Browser can be used to view databases located within application file systems in order to determine the types of information that are being stored by the application.
In the example below, there are two databases located within the application.
These databases can be opened one at a time within iFunBox (the database will open in SQLite Database Browser if you have it installed) or downloaded to your testing machine.
Downloading the “ApplicationCache.db” database and opening it within SQLite Database Browser gives you a view of the database structure as well as the data that resides within.
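As an added example (not part of the original post), the Python script below automates the first pass over a database downloaded from the application's file system: it walks every table and flags column names and stored values that look like credentials or personal data. The keyword list, the two value patterns and the in-memory sample database are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumed heuristics (not from the original post): column names and value
# patterns that usually deserve a closer look during an assessment.
NAME_HINTS = re.compile(r"pass|token|secret|session|cookie|auth|email|user", re.I)
VALUE_HINTS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "jwt": re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+"),
}

def triage(conn, max_rows=200):
    """Return sorted (table, column, reason) findings for one SQLite connection."""
    findings = set()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'  # identifiers cannot be bound
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({quoted})")]
        for col in cols:
            if NAME_HINTS.search(col):
                findings.add((table, col, "column name"))
        for row in conn.execute(f"SELECT * FROM {quoted} LIMIT ?", (max_rows,)):
            for col, value in zip(cols, row):
                if isinstance(value, bytes):  # BLOB columns often hold plain text
                    value = value.decode("utf-8", "replace")
                if not isinstance(value, str):
                    continue
                for label, pattern in VALUE_HINTS.items():
                    if pattern.search(value):
                        findings.add((table, col, label))
    return sorted(findings)

def build_sample():
    """Constructed in-memory database standing in for a file pulled with iFunBox."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE prefs (key TEXT, value TEXT);
        CREATE TABLE accounts (id INTEGER, auth_token TEXT, contact BLOB);
        INSERT INTO prefs VALUES ('theme', 'dark');
        INSERT INTO prefs VALUES ('last_login', 'alice@example.com');
        INSERT INTO accounts VALUES (1, 'eyJhbGciOiJub25lIn0.eyJzdWIiOiIxIn0.c2ln', X'616C696365406578616D706C652E636F6D');
    """)
    return conn

if __name__ == "__main__":
    # For a real file: sqlite3.connect("file:ApplicationCache.db?mode=ro", uri=True)
    for finding in triage(build_sample()):
        print(*finding, sep="\t")
```

Opening the downloaded copy read-only, as in the commented line, keeps the evidence file unmodified while you review it.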
I hope this information is useful and eases some of the pain of iOS application assessments. I’d love to hear your thoughts.