How To Capture Non-Proxy Aware Mobile Application Traffic (iOS & Android) Xamarin/Flutter - Pentesting

Background

With emerging technologies, developers tend to write code in one language and reuse it across iOS, Android, web, and other platforms.

Flutter/Xamarin gives the capability to do so.

That means developers write code once and ship it on iOS, Android, the web, macOS (Windows and Linux are still under development), and even Wear OS.

However, the Flutter/Xamarin frameworks validate secure connections and honor the proxy settings in a different fashion compared to apps written in dex. This means that even if we set a proxy on the mobile device and install the Burp Suite SSL certificate, we will not be able to capture the traffic. So we need to set up an OpenVPN server (which we control) and capture the HTTPS traffic through it.

Let’s get started….

We will capture the requests on a Kali VM. The only extra thing required to capture HTTPS traffic is a Wi-Fi adapter (only when using VMware).

The above adapter will cost you around $10.

Pro tip: we can also use this adapter for Wi-Fi hacking.

Configuring Kali Linux to Set Up OpenVPN, iptables, and Burp Suite:

We can download the OpenVPN installation script from the GitHub repo below:

curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh

Then we need to make the script executable:

chmod +x openvpn-install.sh

After setting the permission, we run the script and configure OpenVPN:

sudo ./openvpn-install.sh

1. First, we need to give the (wlan0) host IP of the machine (we can get it with ifconfig)

In my case 192.168.0.138

2. Do you want to enable IPv6 support (NAT)? [y/n]: n

3. What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random [49152–65535]
Port choice [1–3]: 1

4. What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn’t use TCP.
1) UDP
2) TCP
Protocol [1–2]: 1

5. What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Anycast: worldwide)
12) NextDNS (Anycast: worldwide)
13) Custom
DNS [1–12]: 13
Primary DNS: 1.1.1.1

6. Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
Enable compression? [y/n]: n

7. Do you want to customize encryption settings?

Customize encryption settings? [y/n]: n

Okay, that was all needed. We are ready to set up the OpenVPN server now.

In the end, we just need to give the client name and the configuration file password.

We should now be able to start the OpenVPN server.

OpenVPN status

Setting up iptables in Kali Linux:

We first need to redirect all the traffic from port 80 to the Burp Suite proxy:

sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.138:8888

Then we need to redirect all the traffic from port 443 to the Burp Suite proxy:

sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j DNAT --to-destination 192.168.0.138:8888

sudo iptables -t nat -A POSTROUTING -s 192.168.0.138/24 -o wlan0 -j MASQUERADE
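To confirm that both redirects are actually in place, and to remove them once testing is finished, the following script is an added example and not part of the original post. It assumes the tun0 interface and the 192.168.0.138:8888 listener used above; the function names and the sample rule listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the NAT redirects from this walkthrough and print the
# matching delete commands. Interface, IP and port are the values used above.
TUN_IF="tun0"
PROXY="192.168.0.138:8888"
# Escape the dots so the address is matched literally in the regexes below.
PROXY_RE="$(printf '%s' "$PROXY" | sed 's/\./\\./g')"

# Reads `iptables -t nat -S PREROUTING` output on stdin and prints each of the
# ports 80 and 443 that has no DNAT rule on $TUN_IF pointing at $PROXY.
missing_redirects() {
  rules="$(cat)"
  for port in 80 443; do
    if ! printf '%s\n' "$rules" | grep -Eq -- \
      "^-A PREROUTING -i ${TUN_IF} -p tcp (-m tcp )?--dport ${port} -j DNAT --to-destination ${PROXY_RE}\$"
    then
      printf '%s\n' "$port"
    fi
  done
}

# Turns every PREROUTING DNAT rule on stdin that targets $PROXY into the
# corresponding delete command, so interception can be removed after testing.
cleanup_commands() {
  grep -E -- "^-A PREROUTING .*-j DNAT --to-destination ${PROXY_RE}\$" |
    sed -e 's/^-A /iptables -t nat -D /'
}

# Constructed sample of `iptables -t nat -S PREROUTING` with only port 80 set.
SAMPLE='-P PREROUTING ACCEPT
-A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.138:8888'

# With --live, check the real rule set instead of the sample (needs root).
if [ "${1:-}" = "--live" ]; then
  sudo iptables -t nat -S PREROUTING | missing_redirects
fi
```

An empty result from `missing_redirects` means both ports are redirected; the lines printed by `cleanup_commands` can be run with sudo to undo the redirects.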

Setting up the listener in Burp Suite:

Listen on the host machine IP (wlan0)

Listening on burpsuite

Enable invisible proxy

Enabling Invisible Proxy

Finally, Configuring the Mobile Device (iOS/Android) to Capture HTTPS Traffic

First, we need to add the Burp Suite SSL certificate to the mobile device as a root authority.

Then we can download the OpenVPN application from the Play Store and add the OpenVPN config file (we can get the configuration file from the installation directory) as below:

Now we should be able to capture HTTPS traffic.

Conclusion:

We started by configuring Kali Linux to set up the OpenVPN server, then we set up the iptables rules to send traffic from ports 80 & 443 to the Burp Suite listener, and then we downloaded the OpenVPN application from the Play Store on the mobile device and configured the OpenVPN file. Finally, we were able to capture the HTTPS traffic.

Note: This blog was for an SSL-unpinned application. In the next blog we will bypass SSL pinning in a non-proxy-aware application.

Happy Hacking!!!


Pentester - Application Security
