How To Capture Non-Proxy Aware Mobile Application Traffic (IOS & Android) Xamarin/Flutter -Pentesting
With emerging technologies, Developers tend to write code in one language and want to replicate it for all the iOS, Android, web platforms, etc.
Flutter/Xamarin gives the capability to do so.
That means developers write code once and apply it to all the iOS, Android, web platforms, macOS (Windows and Linux are still under development), and even Wear OS.
But Flutter/Xamarin framework validates the secure connections and honors the Proxy settings in a different fashion when compared to apps written in dex). This signifies even though we set proxy in mobile with burpsuite SSL certificate, we will not be able to capture the traffic. So we need to set up an OpenVPN server (which we can control) and capture the HTTPS traffic through it.
Let’s get started….
We will be capturing requests on Kali VM. The only thing we will be required to capture HTTPS traffic is a WIFI adapter (only in the case of VMware).
TP-Link Nano USB WiFi Dongle 150Mbps High Gain Wireless Network Wi-Fi Adapter for PC Desktop and…
Amazon.in: Buy TP-Link Nano USB WiFi Dongle 150Mbps High Gain Wireless Network Wi-Fi Adapter for PC Desktop and…
The above adapter will cost you around 10$
pro tip: we can also use this adapter for wifi hacking.
Configuring Kali Linux to Setup Open VPN, IP tables, and Burpsuite :
We can download the open VPN installation file from the below Github repo
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
Then we need to give the read-write permission to the OpenVPN file
chmod +x openvpn-install.sh
After Giving the permission we need to run and configure OpenVPN
- First, we need to give the (wlan0) host IP of the machine (we can get it by ifconfig)
In my case 192.168.0.138
2. Do you want to enable IPv6 support (NAT)? [y/n]: n
3. What port do you want OpenVPN to listen to?
1) Default: 1194
3) Random [49152–65535]
Port choice [1–3]: 1
4. What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn’t use TCP.
Protocol [1–2]: 1
5. What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Anycast: worldwide)
12) NextDNS (Anycast: worldwide)
DNS [1–12]: 13
Primary DNS: 188.8.131.52
6. Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
Enable compression? [y/n]: n
7. Do you want to customize encryption settings?
Customize encryption settings? [y/n]: n
Okay, that was all needed. We are ready to set up the OpenVPN server now.
In the end, we just need to give the client name and configuration file password
We should now be able to start open VPN server
Setting up IP tables in Kali Linux :
We first need to redirect all the traffic from port 80 to the Burpsuite proxy
sudo iptables -t nat -A PREROUTING -i tun0 -p tcp — dport 80 -j DNAT — to-destination 192.168.0.138:8888
Then, We need to redirect all the traffic from port 443 to the Burpsuite proxy
sudo iptables -t nat -A PREROUTING -i tun0 -p tcp — dport 443 -j DNAT — to-destination 192.168.0.138:8888
sudo iptables -t nat -A POSTROUTING -s 184.108.40.206/24 -o wlan0 -j MASQUERADE
Setting up the listener in burpsuite :
Listen on the host machine IP (wlan0)
Enable invisible proxy
Finally Configuring Mobile Device IOS/Android to capture HTTPS Traffic
First, we need to add a burpsuite SSL certificate in the mobile device as root authority.
Then, We can download the OpenVPN application from playstore and add the OpenVPN config file (We can get the configuration file from the installation directory) as below
Now we should be able to capture HTTPS traffic
We started with configuring Kali Linux to setup the OpenVPN server, then we set up the iptables rule to send traffic from ports 80 & 443 to the burpsuite listener, and then we downloaded the OpenVPN application from playstore in mobile and configured the OpenVPN file. Finally, we were able to capture the HTTPS Traffic
Note:- This blog was for SSL unpinned application, In the next blog we will bypass the SSL pinning in a non-proxy-aware application