How to examine iOS network traffic over an iOS cable.

Introduction

In this blog post, I'll be showing you how to route your iOS device network traffic through Burp Suite proxy listener over your iOS cable, without the need of a local network proxy.

In a normal case, a penetration tester that wants to view the network traffic of a given iOS application would need to connect their phone to their Burp proxy listener that is exposed to the entire local network. Since the listener is exposed to the local network, this creates operational security issues if on a public network, and functional issues if on a network that disallows local servers. This second type of problem is extremely common on university networks, as it was in my case when I first developed this method.

Using this guide will allow you to view your iOS device traffic without exposing your Burp Suite proxy listener to the local network, allowing you to test iOS applications securely and quickly, especially when traveling. As an added bonus, I provide a guide on how to overcome Certificate Pinning, which is a way in which iOS developers block their network traffic from being routed through proxy listeners.

Tools you'll need.

• Burp Suite

• A PC capable of running ssh over the command line. This is natively supported on macOS and linux, but you will need to install openSSH on most Windows installations.

• A Jailbreakable iOS device. This is in general one of the few ways to pentest iOS application that enforce certificate pinning. You can check to see if your device is jailbreakable here.

Tutorial

1. Begin by ensuring that your iOS device is Jailbroken and can access Cydia. This step is necessary in order to successfully follow this tutorial. This is not possible on all iOS devices and software versions, but new Jailbreak methods are constantly being researched, so keep yourself updated.

2. Install the following .deb files, or "tweaks" on your Jailbroken iOS device. Tutorials on how to install these files can be found elsewhere on the internet.

• openSSH

• SSL Kill Switch 2 (This allows your device to overcome the Certficate Pinning that many iOS application enforce in order to prevent security researchers from viewing their network traffic.)

3. Go into your iOS device settings, ensure that your device and your PC are on the same wifi network, and set the manual proxy values to "127.0.0.1" for the host and "8080" for the port.



4. In your iOS settings, navigate to the SSL Killer preferences and ensure the switch marked "Disable Certificate Validation" is turned on.



5. Install Burp Suite on your computer, you can use the community edition found here.

6. Download and install the libimobiledevice binaries onto your device. These binaries will allow you to communicate with your jailbroken iOS device through ssh. Windows binaries can be found here.

7. Open and start Burp Suite, and ensure that the proxy server is running on 127.0.0.1, port 8080.



8. Connect your iOS device to your PC using an official Apple cable.

9. Open a terminal window, change your directory to wherever you downloaded the libimobiledevice binaries, and run the following command:

iproxy 2222 22



10. In a separate terminal window, run the following command:

ssh root@127.0.0.1 -p 2222 -R 127.0.0.1:8080:127.0.0.1:8080



11. This will prompt you for you iOS device's root password, which by default is "alpine". It is generally recommended that you change this using the "passwd" command once you are connected.

12. These two commands will first instruct iproxy to route all traffic on your PC directed at port 2222 to your iOS device's ssh listener on port 22. SSH will then connect to this local 2222 port, and instruct the device to begin routing all network traffic routed at 127.0.0.1:8080 to your PC's localhost network.

13. Once these commands have been run and the ssh command has connected to your iOS device successfully, navigate to "127.0.0.1:8080" on your iOS device.



14. If all the steps above were done correctly, and your Burp Proxy is running correctly on your PC, then you should be greeted with the Burp landing page, shown above. You may now follow the official Burp instructions on installing the configuration certificate here.

15. Once this is completed, try to navigate to some SSL-secured site and test if you can see the traffic in your Burp Proxy window. If everything was done correctly, it should have no problem connecting. If you do have errors, try closing the application and opening it again. There are a few applications however that the ssl-killer application does not seem to work with. If successful, you should start seeing traffic like below:

If you have any trouble with this tutorial, feel free to reach out to me at healdb2@gmail.com for support.