iOS Burp Suite Configuration

Installing the Burp Certificate on iOS Devices

For secure web traffic analysis and SSL pinning on iOS devices, Burp Suite can be used either through the Burp Mobile Assistant or via manual configuration. Both methods are summarized below:

Automated Installation with Burp Mobile Assistant

The Burp Mobile Assistant simplifies the installation process of the Burp Certificate, proxy configuration, and SSL Pinning. Detailed guidance can be found on PortSwigger’s official documentation.

Manual Installation Steps

  1. Proxy Configuration: Start by setting Burp as the proxy under the iPhone’s Wi-Fi settings.
  2. Certificate Download: Navigate to http://burp on your device’s browser to download the certificate.
  3. Certificate Installation: Install the downloaded profile via Settings > General > VPN & Device Management, then enable trust for the PortSwigger CA under Certificate Trust Settings.

Configuring an Interception Proxy

The setup enables traffic analysis between the iOS device and the internet through Burp, requiring a Wi-Fi network that supports client-to-client traffic. If unavailable, a USB connection via usbmuxd can serve as an alternative. PortSwigger’s tutorials provide in-depth instructions on device configuration and certificate installation.

Transparent Proxying via OpenVPN + iptables REDIRECT

If the target app ignores the configured HTTP proxy, an alternative is to place the iOS device behind a researcher-controlled VPN gateway and transparently redirect the traffic into Burp or mitmproxy.

This is not a certificate pinning bypass by itself. It only solves the network plumbing so the device traffic reaches your interception proxy without configuring a per-app or per-device proxy. If the app performs real certificate pinning, HTTPS decryption will still fail until pinning is bypassed separately.

Typical flow:

  1. Run an OpenVPN server on a Linux host and connect the iOS device so its traffic arrives on tun0.
  2. Bind Burp or mitmproxy to the VPN listener IP on port 8080.
  3. Enable invisible proxying in Burp because redirected clients are not proxy-aware and will talk as if they were connecting directly to the destination.
  4. Redirect TCP 80 and 443 arriving on tun0 to the local proxy listener.
  5. Add a POSTROUTING MASQUERADE rule on the egress interface so proxied traffic can leave the gateway and replies return through the VPN.
  6. Install and trust the interception proxy CA on the iOS device so apps that rely only on the system trust store accept the generated leaf certificates.

Example rules:

    # Redirect VPN client traffic into the local interception proxy
    iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
    iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-ports 8080

    # Allow VPN client traffic to egress back to the Internet
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Notes:

  • This is useful when you want forced interception without changing the target app or configuring an explicit proxy in iOS Wi-Fi settings.
  • Redirecting 443 to Burp only works for apps that trust the installed CA or for apps where TLS validation / pinning has already been bypassed.
  • The upstream repository example script takes an IP and appends /24 in the POSTROUTING rule. In practice, use the actual VPN client subnet instead of assuming a fixed /24.
  • If you use Burp, enable Proxy –> Options –> Edit listener –> Request handling –> Support invisible proxying.
  • mitmproxy can be used in the same layout if it is bound to the VPN listener IP and transparent-mode requirements are satisfied.
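
The rule set above with the MASQUERADE source derived from the real VPN client subnet rather than a fixed /24, as an added example (not code from this page or from the upstream repository). The function names `cidr_network` and `gateway_rules` are hypothetical, and the interface names, addresses and port are constructed lab values.

```shell
#!/bin/sh
# Added example: prints (never applies) the NAT rules for the VPN gateway.
# Interface names, addresses and the port are constructed lab values.

# cidr_network IP/PREFIX -> network address with prefix (10.8.5.6/22 -> 10.8.4.0/22)
cidr_network() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; prefix=${1#*/}
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    addr=0
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        addr=$(( (addr << 8) | o ))
    done
    mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( addr & mask ))
    echo "$(( net >> 24 & 255 )).$(( net >> 16 & 255 )).$(( net >> 8 & 255 )).$(( net & 255 ))/$prefix"
}

# gateway_rules VPN_IF CLIENT_CIDR EGRESS_IF PROXY_PORT [A|D]
# A (default) emits append rules; D emits the matching deletions for teardown.
gateway_rules() {
    vpn_if=$1; egress_if=$3; port=$4; op=${5:-A}
    subnet=$(cidr_network "$2") || { echo "bad client CIDR: $2" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "bad proxy port: $port" >&2; return 1 ;; esac
    case "$op" in A|D) ;; *) echo "op must be A or D" >&2; return 1 ;; esac
    # Step 4: TCP 80/443 arriving from VPN clients go to the local proxy listener
    for dport in 80 443; do
        echo "iptables -t nat -$op PREROUTING -i $vpn_if -p tcp --dport $dport -j REDIRECT --to-ports $port"
    done
    # Step 5: NAT the real client subnet, not an assumed /24
    echo "iptables -t nat -$op POSTROUTING -s $subnet -o $egress_if -j MASQUERADE"
}

# Review the output before running it as root; rerun with D to remove the rules.
gateway_rules tun0 10.8.5.6/22 eth0 8080
gateway_rules tun0 10.8.5.6/22 eth0 8080 D
```

Emitting the matching `-D` rules makes it easy to return the gateway to its previous NAT state once the capture session ends.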

Advanced Configuration for Jailbroken Devices

For users with jailbroken devices, SSH over USB (via iproxy) offers a method to route traffic directly through Burp:

  1. Establish SSH Connection: Use iproxy to forward SSH to localhost, allowing connection from the iOS device to the computer running Burp.

    iproxy 2222 22
    
  2. Remote Port Forwarding: Forward the iOS device’s port 8080 to the computer’s localhost to enable direct access to Burp’s interface.

    ssh -R 8080:localhost:8080 root@localhost -p 2222
    
  3. Global Proxy Setting: Lastly, configure the iOS device’s Wi-Fi settings to use a manual proxy, directing all web traffic through Burp.

Full Network Monitoring/Sniffing

Monitoring of non-HTTP device traffic can be efficiently conducted using Wireshark, a tool capable of capturing all forms of data traffic. For iOS devices, real-time traffic monitoring is facilitated through the creation of a Remote Virtual Interface, a process detailed in this Stack Overflow post. Prior to beginning, installation of Wireshark on a macOS system is a prerequisite.

The procedure involves several key steps:

  1. Initiate a connection between the iOS device and the macOS host via USB.
  2. Ascertain the iOS device’s UDID, a necessary step for traffic monitoring. This can be done by executing a command in the macOS Terminal:

    $ rvictl -s <UDID>
    Starting device <UDID> [SUCCEEDED] with interface rvi0

  3. Once the UDID has been identified, open Wireshark and select the “rvi0” interface for data capture.
  4. For targeted monitoring, such as capturing HTTP traffic related to a specific IP address, Wireshark’s Capture Filters can be employed:

Burp Cert Installation in Simulator

  • Export Burp Certificate

In Proxy –> Options –> Export CA certificate –> Certificate in DER format

  • Drag and Drop the certificate inside the Emulator
  • Inside the emulator go to Settings –> General –> Profile –> PortSwigger CA, and verify the certificate
  • Inside the emulator go to Settings –> General –> About –> Certificate Trust Settings, and enable PortSwigger CA

Congrats, you have successfully configured the Burp CA Certificate in the iOS simulator.

Tip

The iOS simulator will use the proxy configurations of the MacOS.

MacOS Proxy Configuration

Steps to configure Burp as proxy:

  • Go to System Preferences –> Network –> Advanced
  • In Proxies tab mark Web Proxy (HTTP) and Secure Web Proxy (HTTPS)
  • In both options configure 127.0.0.1:8080

  • Click on OK and then on Apply
