
I've been using Burp Suite to inspect HTTP traffic, but I've been unable to do so for HTTPS traffic. I tried extracting Burp's certificate, dropping it into the simulator and installing it, but my network calls still seem to be silently failing.

Burp is the simplest option so I'd like to know how to get it to work.

Samhan Salahuddin
  • Personally I would recommend trying Charles, especially if you can get a company to pay for it. I've used Burp, which is very good for what it is, but Charles is commercial software and it shows. – funroll Mar 26 '14 at 10:03

1 Answer


Check out the shell script written by the good folks over at Charles Proxy.

It installs automatically to the iPhone simulator. You should be able to use the same approach for Burp.

You can email yourself the cert to install it on a device. Another option is to modify your app to ignore the usual checks for the SSL cert, but don't forget to take it out for production.

Also, the book Hacking and Securing iOS Applications has tons of awesome advice if you're into stuff like this.

Here's another answer that must be where I got the idea of using the Charles script: Adding a self-signed certificate to iphone Simulator?

And another answer that might be relevant: iPhone TrustStore CA certificates

funroll
  • Nope. The shell script I link to is mostly to show how to install the cert into the simulator. To make sure you're doing it correctly. I believe you can use it to install the Burp cert without modifying the command file too much. – funroll Mar 26 '14 at 10:08
  • The shell script is an SQLite DB insert command with two hex values. What do I replace to make it insert Burp's cert? – Samhan Salahuddin Mar 26 '14 at 10:09
  • I've tried converting the hex to ASCII... it's been deliberately obfuscated... it's some Apple plist format file. – Samhan Salahuddin Mar 26 '14 at 10:17
  • The table has 4 columns: sha1, subj, tset and data. They're inserting 4 hex values for each. Do you have any idea how we can get the necessary values for a given certificate? – Samhan Salahuddin Mar 26 '14 at 10:39
  • Yikes I didn't realize they had obfuscated it. I knew their script worked and assumed it could be re-purposed... not sure what to tell you. – funroll Mar 26 '14 at 20:17
  • I have dug further into it. It doesn't seem like deliberate obfuscation. What you need to do is install the certificate on an iOS device, extract its SQLite database and look up the row for your certificate. Then you need to insert the same row in your simulator's database. The format is a bit opaque, so this might be what they did, and not deliberate obfuscation. – Samhan Salahuddin Mar 27 '14 at 11:37
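
The row-copy procedure from the last comment, as an added Python example that is not part of the original thread or the Charles script. It assumes the table is named `tsettings`, that `data` holds the DER certificate and that `sha1` is its SHA-1 digest (the page only names the four columns); the demo uses constructed in-memory databases and placeholder bytes, not a real certificate.

```python
import hashlib
import plistlib
import sqlite3

TABLE = "tsettings"              # assumed table name; the thread names only the columns
COLS = "sha1, subj, tset, data"  # the four columns listed in the comments

def find_row(db, der):
    """Return the row whose data blob equals the DER certificate, or None."""
    return db.execute(f"SELECT {COLS} FROM {TABLE} WHERE data = ?", (der,)).fetchone()

def describe(row):
    """Decode a row far enough to see what each column holds."""
    sha1, subj, tset, data = row
    return {
        "sha1_hex": bytes(sha1).hex(),
        # Assumption under test: sha1 column == SHA-1 of the data column.
        "sha1_matches_data": hashlib.sha1(data).digest() == bytes(sha1),
        "subj_len": len(subj),
        # The comments observed that the hex decodes to a plist.
        "tset": plistlib.loads(bytes(tset)) if tset else None,
        "data_len": len(data),
    }

def copy_row(src, dst, der):
    """Copy the certificate's row from the device store to the simulator store."""
    row = find_row(src, der)
    if row is None:
        raise LookupError("certificate not present in source trust store")
    with dst:  # commit on success, roll back on error
        dst.execute(f"INSERT OR REPLACE INTO {TABLE} ({COLS}) VALUES (?, ?, ?, ?)", row)
    return describe(row)

def demo_store():
    """Constructed stand-in for a trust store database."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE} (sha1 BLOB PRIMARY KEY, subj BLOB, tset BLOB, data BLOB)")
    return db

def demo():
    der = b"0\x82constructed-placeholder-not-a-real-certificate"
    device, simulator = demo_store(), demo_store()
    device.execute(f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?)",
                   (hashlib.sha1(der).digest(), b"constructed-subject",
                    plistlib.dumps([]), der))
    info = copy_row(device, simulator, der)
    return info, find_row(simulator, der) is not None

if __name__ == "__main__":
    print(demo())
```

Against real files, open the two databases with `sqlite3.connect(path)` and pass the proxy certificate's DER bytes; work on a copy of the simulator database first.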