Last updated: September 9, 2021
You can use Burp Suite for performing security testing of mobile applications. To do this, you simply need to configure the mobile device to proxy its traffic via Burp Proxy. You can then intercept, view, and modify all of the HTTP/S requests and responses processed by the mobile app, and carry out penetration testing using Burp in the normal way.
Successfully intercepting HTTPS traffic from mobile applications can be non-trivial, due to problems setting the necessary proxy configuration, or due to TLS certificate pinning. For more information, see the troubleshooting section.
Burp Suite Mobile Assistant is a tool to facilitate testing of iOS apps with Burp Suite. It supports the following key functions:
- It can modify the system-wide proxy settings of iOS devices so that HTTPS traffic can be easily redirected to a running instance of Burp.
- It can attempt to circumvent TLS certificate pinning in selected apps, allowing Burp Suite to break their HTTPS connections and intercept, inspect and modify all traffic.
Burp Suite Mobile Assistant currently supports mobile devices running iOS versions 8.0 and onwards.
Note: Burp Suite Mobile Assistant should not be used in situations where availability, confidentiality or integrity of data is required. Mobile Assistant changes injected apps in a way that significantly reduces the security of their communications.