Pentesting Non-Proxy Aware Mobile Apps Without Root or Jailbreak

Mobile app pentesting can be challenging, especially when dealing with non-proxy aware apps that don‘t respect device proxy settings. The usual solution is to root or jailbreak the mobile device to gain more control over the operating system and network traffic. However, rooting/jailbreaking is not always feasible or desirable due to warranty and security concerns.

Fortunately, there is an alternative way to proxy traffic from non-proxy aware mobile apps without requiring root or jailbreak access. The trick is to leverage a VPN connection to tunnel all the mobile device traffic through a VPN server, and then use iptables rules on the server to redirect the traffic to a proxy tool like Burp Suite. This allows you to intercept and modify the app‘s network communications for pentesting purposes.

In this guide, I‘ll walk you through the steps to set up this pentesting environment and demonstrate how to test a non-proxy aware app. Whether you‘re an Android or iOS user, this technique should work without needing to root or jailbreak your device. Let‘s get started!

Prerequisites

To follow along with this tutorial, you‘ll need:

  • A Linux or Windows PC/laptop to serve as the VPN and proxy host
  • A Linux virtual machine (VM) to run the VPN server and proxy – I‘m using Linux Mint in this guide
  • An Android or iOS mobile device to run the app being tested
  • Burp Suite (free or professional version) installed on the Linux VM

Step 1: Configure the Linux VM

First, let‘s set up our Linux VM to act as the VPN server and traffic redirector:

  1. In the VM settings, change the network adapter to Bridged mode so it gets its own IP address on the network.

  2. Install Burp Suite in the VM if you haven‘t already. The free version is sufficient for our purposes.

Step 2: Set up the VPN server

Next, we‘ll configure a VPN server in the Linux VM. We‘ll use OpenVPN as it‘s widely supported on various platforms. I‘ll provide an overview of the process here – for detailed instructions, check out this DigitalOcean guide.

  1. Install OpenVPN and Easy-RSA in the VM:

    sudo apt update && sudo apt install openvpn easy-rsa
  2. Initialize a PKI directory and generate a certificate authority (CA):

    make-cadir ~/openvpn-ca && cd ~/openvpn-ca
    vim vars # Edit certificate fields as desired
    source vars
    ./clean-all
    ./build-ca
  3. Generate certificates and keys for the VPN server and client:

    ./build-key-server server
    ./build-key client
    ./build-dh 
    openvpn —genkey —secret keys/ta.key
  4. Create the OpenVPN server configuration file:

    vim /etc/openvpn/server/server.conf

    Use this example configuration as a starting point. Be sure to specify the VM‘s actual network IP address.

  5. Start the OpenVPN service:

    sudo systemctl start openvpn@server
  6. Generate an OpenVPN client configuration file bundle:

    mkdir ~/client-configs/files
    cp /usr/share/easy-rsa/keys/ca.crt ~/client-configs/keys/
    cp /usr/share/easy-rsa/keys/client.key ~/client-configs/keys/
    cp /usr/share/easy-rsa/keys/client.crt ~/client-configs/keys/ 
    cp /usr/share/easy-rsa/keys/ta.key ~/client-configs/keys/
    vim ~/client-configs/base.conf # See example client config

Pack the config and keys into an ovpn file:

cd ~/client-configs
./make_config.sh client

Transfer the generated client.ovpn file to your mobile device. You can use scp or host the file on a temporary web server in the VM.

Step 3: Set up traffic redirection with iptables

With our VPN in place, we can now configure iptables rules in the Linux VM to redirect all VPN client traffic to Burp Suite.

  1. Flush any existing iptables rules:

    sudo iptables -F
  2. Set default policies to accept all traffic:

    sudo iptables -P INPUT ACCEPT
    sudo iptables -P OUTPUT ACCEPT 
    sudo iptables -P FORWARD ACCEPT
  3. Redirect HTTP and HTTPS traffic from the VPN interface (tun0) to Burp‘s listener port:

    sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8080

Note that you‘ll need to re-run the iptables commands each time you restart the VM, as the rules are not persistent by default. You can use iptables-persistent to save the rules if desired.

Step 4: Configure the mobile device and Burp Suite

Almost there! We now need to set up our mobile device to use the VPN connection, and configure Burp Suite to handle the intercepted traffic.

  1. On your mobile device, use an OpenVPN client app to import the client.ovpn config file from the previous step. If you‘re using Android, I recommend the official OpenVPN Connect app.

  2. Connect to the newly created VPN profile. You should receive a connection confirmation and see the VPN icon in your status bar.

  3. Launch Burp Suite on your Linux VM and go to the Proxy Options tab. Set up a new listener on port 8080 and bind it to all interfaces.

  4. Go to Proxy > Options > Edit > Request Handling. Add a new redirect rule to send all requests to the actual IP address of the API server that your mobile app communicates with. This is necessary because the VPN tunnel obscures the original destination.

  5. Still in the Request Handling settings, check the "Support invisible proxying" option. This will make Burp automatically adjust the "Host" header and other request attributes to avoid issues.

Step 5: Testing the setup

Moment of truth! Let‘s verify that our new proxying setup actually works. For demonstration purposes, I created a simple Flutter app that just sends an HTTP request to whatismyipaddress.com.

  1. Install the Flutter test app on your mobile device. You can either build it yourself or download the APK from the GitHub repo.

  2. Ensure that the VPN connection is active on your device and that Burp is running and listening on the VM.

  3. Open the test app and click the "CHECK MY IP" button. If everything is set up correctly, you should see the request appear in Burp‘s HTTP history.

  4. From here, you can intercept and modify the request as you would with any other traffic going through Burp. You can modify parameters, replay requests, send to Repeater or Intruder, etc.

Congratulations, you can now proxy and tamper with traffic from non-proxy aware apps without rooting or jailbreaking your mobile device! This opens up many new possibilities for dynamic security analysis and penetration testing.

Advantages and limitations of the VPN redirection method

The VPN traffic redirection method has several advantages compared to other mobile pentesting approaches:

  • Works without rooting or jailbreaking, which is more convenient and avoids warranty/security issues
  • Redirects all mobile device traffic, not just from certain apps
  • Doesn‘t require installing a custom root CA or SSL certificate on the device
  • Provides a realistic view of the app‘s behavior as seen from an external network

However, there are also some limitations to keep in mind:

  • Requires setting up and maintaining a VPN server, which can be more involved than simple proxy settings
  • Network performance may be reduced due to the additional VPN hop
  • Apps that implement non-standard certificate pinning may not accept the Burp certificate even with invisible proxying enabled

Tips for effective mobile app pentesting

Intercepting network traffic is a core part of pentesting mobile apps, but it takes more than just proxying to assess an app‘s security posture thoroughly. Here are some additional tips to keep in mind:

  • Understand the app‘s architecture and data flows. Study the app binary, file system, and logs to identify potential attack surface and flaws.
  • Test the app in different states – e.g. logged in/out, different user privilege levels, offline/airplane mode, etc.
  • Automate what you can, but don‘t neglect manual exploratory testing to find logic bugs and edge cases that tools might miss
  • Keep detailed notes, screenshots and other evidence for your findings. Writing a good pentest report is as important as the technical work!

Mobile app pentesting can seem daunting at first, but with the right tools and techniques it doesn‘t have to be rocket science. I hope this guide has shown you a new technique to add to your pentesting arsenal. Now go forth and hack (ethically)!

Similar Posts