Introduction

Contrary to what portswigger will have you believe, testing a mobile application with burp suite is not always easy. Of course, if there is no certificate pinning or if the app communicates over HTTP instead of HTTPS one does not need complex techniques but this is arguably a security risk in and of itself.

Certificate pinning

Normal testing requires some extra steps because applications check if the correct certificate is being used, this is not easy but it needs to be done because otherwise the burp suite certificate will not be able to intercept any traffic and you will only see errors in your burp suite.

For the certificate pinning I would like to refer you to my course on mobile android hacking:

https://www.udemy.com/course/android-bug-bounty-hunting-hunt-like-a-rat/?referralCode=E3BBB0B78A43F2AC760F

Burp suite mobile app testing

When the burp suite certificate is being accepted by the target and burp suite is no longer showing errors, the task is trivial. All the is left is to do is set the proxy of the mobile device to burp suite and capture traffic. We specifically looking for same issues that can be found on any API/back-end server such as SQLi, IDOR, BAC, ...

Burp Suite Mobile Assistant is a tool to facilitate testing of iOS apps, although I must admit I never used it. It supports the following key functions:

• It can modify the system-wide proxy settings of iOS devices so that HTTPS traffic can be easily redirected to a running instance of Burp.
• It can attempt to circumvent TLS certificate pinning in selected apps, allowing Burp Suite to break their HTTPS connections and intercept, inspect and modify all traffic.

This still requires a jailbroken device however.