Intercepting a tvOS App on Burpsuite

Intro: 

I've done countless pentests of websites and mobile apps, but when it comes to pentesting iOS or any other Apple device app, I always run into one proxying issue or another. Mostly they are specific to TLS (the CA not being imported into the Keychain properly) or to Burp acting weird (there are Java-specific issues and compatibility issues between OpenJDK and Oracle Java, e.g. if, like me, you have installed the Oracle JDK on macOS). So I thought I should write this up, hoping it will be useful to someone.

Note: this article is for advanced users; I have not detailed every step.

At the time of writing this article I found the following post very informative and pretty much followed the same steps. It is originally meant for Charles Proxy, but in the pentesting world who likes Charles Proxy ;-)

https://medium.com/@rwgrier/setting-up-charles-proxy-on-apple-tv-tvos-1ce64ee39b07

Credit to the author above; however, that article is no longer up to date.

Pre-Reqs:

  • Non-Jailbroken AppleTV (supervised state, see steps below)
  • Burpsuite 
  • Apple Configurator 2
  • MacOS (however could apply to other OSes as well)

Steps:

Step 1 - Put the iDevice into a Supervised state with Apple Configurator (Prepare will factory-reset the iDevice).

Step 2 - Create a new session in Burp and set up a listener bound to LocalIPAddress:Port, with the certificate setting "Generate CA-signed per-host certificates".

Step 3 - Export the certificate and import it into the Keychain as a "System" certificate. Mark it as trusted.

Step 4 - Ensure Burp proxying is working, i.e. point Chrome at the proxy and check that requests to a known/popular website such as Google.com go through. If they do, the proxy is not throwing any TLS errors.

Step 5 - Create a new profile in Apple Configurator and add the cert that we added to the Keychain. Add the machine's IP address in the Global Proxy settings. In my case the iDevice and the macOS machine were on the same Raspberry Pi WiFi AP.

Step 6 - Install the profile onto the iDevice from the Configurator. Once installed, navigate to Settings > General > Profiles and you should see your new profile on the iDevice. In the About menu the "Certificate Trust Settings" entry should appear and "PortSwigger CA" should be shown as trusted.
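The profile from Step 5 can also be written as a .mobileconfig file and imported into Apple Configurator instead of being clicked together in the GUI. The script below is an added example, not from the original post; the DER bytes, organisation name and proxy address it uses are constructed placeholders.

```python
import plistlib
import uuid

# Constructed placeholder for the Burp CA in DER form. In real use read the
# file exported from Burp (Proxy > Options > Import / export CA certificate,
# DER format); a real DER certificate always starts with the SEQUENCE tag 0x30.
CONSTRUCTED_CA_DER = b"\x30\x03\x02\x01\x01"

def _payload(ptype: str, ident: str, **extra) -> dict:
    """Common keys every profile payload needs; extra holds the type-specific ones."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), **extra}

def build_profile(ca_der: bytes, proxy_host: str, proxy_port: int,
                  org: str = "Pentest") -> bytes:
    """Return a .mobileconfig (XML plist) with two payloads: the Burp CA as a
    trusted root and a manual Global HTTP Proxy pointing at the Burp listener.
    The Global HTTP Proxy payload is only honoured on a supervised device,
    which is why Step 1 supervises the Apple TV first."""
    if not ca_der.startswith(b"\x30"):
        raise ValueError("CA must be DER encoded (PEM text will be rejected)")
    root_ca = _payload("com.apple.security.root", f"{org}.burp.ca",
                       PayloadDisplayName="PortSwigger CA",
                       PayloadContent=ca_der)  # plistlib writes bytes as <data>
    proxy = _payload("com.apple.proxy.http.global", f"{org}.burp.proxy",
                     ProxyType="Manual", ProxyServer=proxy_host,
                     ProxyServerPort=proxy_port,  # integer, not a string
                     ProxyCaptiveLoginAllowed=False)
    profile = _payload("Configuration", f"{org}.burp",
                       PayloadDisplayName="Burp CA + global proxy",
                       PayloadOrganization=org, PayloadContent=[root_ca, proxy])
    return plistlib.dumps(profile)

def summarise_profile(blob: bytes) -> dict:
    """Parse a profile back and report whether both payloads are present."""
    by_type = {p["PayloadType"]: p for p in plistlib.loads(blob)["PayloadContent"]}
    ca = by_type.get("com.apple.security.root")
    px = by_type.get("com.apple.proxy.http.global")
    return {
        "has_ca": bool(ca and ca["PayloadContent"]),
        "proxy": f"{px['ProxyServer']}:{px['ProxyServerPort']}" if px else None,
        "manual": bool(px and px.get("ProxyType") == "Manual"),
    }
```

Write the returned bytes to a file ending in .mobileconfig, open it in Apple Configurator, and push it to the device as in Step 6.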

Learnings:

1. Always start a new Burp session.

Comments

Anonymous said…
Thanks, this works for HTTP but somehow still seeing boringssl issues -- CA pinning? Is there a way to bypass that too?
Krupal Bylaiah said…
If any HTTPS app/service is not working, then it's again to do with the config; go back to Configurator and ensure the device is supervised. If other apps are working over HTTPS then it's definitely cert pinning. If it's cert pinning, find out how they have implemented it, then use the bypass methods just like for any other iOS app. Identifying the way they have implemented it is key.
