06 Aug, 2014

iOS Assessments with Burp + iFunBox + SQLite

by Abdullah Munawar

In January, I wrote a post on performing Android Assessments with GenyMotion + Burp so I thought it was about time I wrote a similar post on performing iOS assessments.

Aside from a company by the name of Virtual that has a private beta on a virtualization platform for iOS, there are no other virtualization options.

The three options for performing an iOS assessment at the moment are to use the iOS simulator that comes with Xcode (only works with Macs, requires the application’s code), a jailbroken/developer-licensed iOS device, or a non-jailbroken iOS device with iFunBox (which I will go over in this post).

For this blog post I will be using the following tools:

  • Locked iPhone 4s running iOS 7.1.2
  • Burp Free 1.6
  • Burp Pro 1.6.03
  • SQLite Database Browser 3.2.0
  • iFunBox 1.5 for Mac

The sections in this post will be as follows:

  • Configuring Burp and an iOS Hardware Device to Pass Traffic Through Burp
  • Installing the Burp Cert on an iOS Device in Order to View Encrypted Traffic
  • Using iFunBox to View iOS Device File System
  • Using SQLite Database Browser to View Information Stored in Application Database

Configuring Burp and an iOS Hardware Device to Pass Traffic Through Burp

For performing security assessments against applications in development as well as in production, it is necessary to view the web traffic that is passed back and forth between the client (the iOS application installed on an end device) and its corresponding server. It is possible to configure an iOS device to pass all of its web traffic through a web proxy such as Burp. Verify the current IP address of the testing machine.

In the instance above, the IP address of the testing machine is 192.168.1.2. Set the proxy settings within iOS to pass all web traffic to the testing machine. Within your iOS device, go to Settings -> Wi-Fi. Click on your current Wi-Fi network. There should be configuration settings to set the HTTP Proxy if you scroll to the bottom of the page that displays all of the current Wi-Fi information. Switch the HTTP Proxy setting to ‘Manual’ and use the IP address of the testing machine as the ‘Server’ (in our case, 192.168.1.2) and set the port to 8080.

Launch Burp Suite Pro or Free. Click on the top Proxy tab then click on the Options secondary tab. Lastly, click on the “Add” button to add a new proxy listener.

Specify the listener port that was defined within the iOS device (in my case, port 8080). Also, click on the “Specific address” radio button and, from the drop-down, select the IP address specified within the iOS device (in my case it was 192.168.1.2). When complete, click ‘OK’ to return to the previous screen.

Verify that the new proxy listener has been added and that a check box is located next to the listener to ensure it is enabled.

If all of the settings were configured properly, Burp should now see web traffic passed to it by the iOS device.

Installing the Burp Cert on an iOS Device in Order to View Encrypted Traffic

At this point, all web traffic should be passing from the iOS device to Burp. However, if any applications are communicating over HTTPS, the iOS device will throw errors. This happens because the Burp Certificate Authority (CA) Certificate is not yet trusted by the iOS device. Starting with Burp 1.6, the method of retrieving the Burp certificate is the same regardless of whether you are using Burp Free or Burp Pro.

Click on the Proxy tab and the Options secondary tab. Click on the “CA certificate…” button.

Export as “Certificate in DER format”. Click “Next”. Give the certificate a .cer file extension. Save it in an easily accessible location.

The easiest way to get the certificate onto your iOS device is to email the Burp certificate to yourself on your iOS device. iOS will prompt you to install the certificate once you open the certificate attachment within your email. Click “Install”.

On the next screen click “Install” again.

Lastly, iOS will require you to enter your passcode or to set a passcode if you have not already done so.

Once the certificate is successfully installed, iOS should return you to a screen that has a green “Trusted” check for the PortSwigger certificate. You should now be able to capture encrypted traffic between your iOS device/application and its corresponding server.

Using iFunBox to View iOS Device File System

For the purposes of demonstrating iFunBox’s capabilities, I will be using the ESPN Score Center application downloaded from the iTunes Store.

Use an iOS hardware data cable to connect your iOS device to your testing machine and launch iFunBox. iFunBox should detect the iOS device and display a few options under the device.

Expanding the tree under “User Applications” displays all of the installed applications on the device.

Double-click on the “SportsCenter” application, revealing the file system behind the application.

iFunBox allows you to drill down into the file system of the application (not the operating system) and view all of the files, logs, and databases that could potentially store sensitive information without having to jailbreak your iOS device.

Using SQLite Database Browser to View Information Stored in Application Database

You can download SQLite Database Browser from here.

In tandem with iFunBox, SQLite Database Browser can be used to view databases located within application file systems in order to determine the types of information that are being stored by the application.

In the example below, there are two databases located within the application.

These databases can be opened one at a time within iFunBox (the database will open in SQLite Database Browser if you have it installed) or downloaded to your testing machine.

Downloading the “ApplicationCache.db” database and opening it within SQLite Database Browser gives you a view of the database structure as well as the data that resides within.
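The same review can be scripted once a database has been copied to the testing machine. The following is an added example, not code from the original post: it checks whether the file is plain (unencrypted) SQLite, opens it read-only, and flags columns whose names or values suggest sensitive data. The keyword lists, table names and sample rows are constructed assumptions, not the ESPN application's real schema.

```python
import pathlib
import re
import sqlite3

SQLITE_MAGIC = b"SQLite format 3\x00"  # plaintext header: file is not encrypted at rest
NAME_HINTS = re.compile(r"pass|token|secret|session|auth|email", re.I)
VALUE_HINTS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "jwt": re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+"),
}

def is_plain_sqlite(path):
    """True if the file starts with the standard, unencrypted SQLite header."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def audit_sqlite(path, sample_rows=200):
    """Return sorted (table, column, reason) findings for a copied app database."""
    findings = set()
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"  # read-only: copy stays intact
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            cur = con.execute(f"SELECT * FROM {quoted} LIMIT ?", (sample_rows,))
            columns = [d[0] for d in cur.description]
            findings.update((table, c, "column-name") for c in columns if NAME_HINTS.search(c))
            for row in cur:
                for col, value in zip(columns, row):
                    text = value.decode("utf-8", "ignore") if isinstance(value, bytes) else value
                    if isinstance(text, str):
                        findings.update((table, col, label)
                                        for label, rx in VALUE_HINTS.items() if rx.search(text))
    finally:
        con.close()
    return sorted(findings)

def build_sample(path):
    """Constructed sample database (not the ESPN app's real schema or data)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE account (id INTEGER, contact TEXT, auth_token TEXT)")
    con.execute("INSERT INTO account VALUES (1, 'tester@example.com', 'opaque-123')")
    con.execute("CREATE TABLE cache (url TEXT, body BLOB)")
    con.execute("INSERT INTO cache VALUES ('https://example.com/a', ?)",
                (b'{"jwt":"eyJhbGciOi.eyJzdWIiOi.c2lnbmF0dXJl"}',))
    con.commit()
    con.close()
```

Each finding is a lead to confirm by hand in SQLite Database Browser; a name or pattern match does not by itself prove the value is sensitive.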

I hope this information is useful and eases some of the pain of iOS application assessments. I’d love to hear your thoughts.