You can use Burp Suite for performing security testing of mobile applications. To do this, you simply need to configure the mobile device to proxy its traffic via Burp Proxy. You can then intercept, view, and modify all of the HTTP/S requests and responses processed by the mobile app, and carry out penetration testing using Burp in the normal way.
Successfully intercepting HTTP/S traffic from mobile applications can be non-trivial, due to problems setting the necessary proxy configuration, or due to TLS certificate pinning.
Burp Suite Mobile Assistant is a tool to facilitate testing of iOS apps with Burp Suite. It supports the following key functions:
- It can modify the system-wide proxy settings of iOS devices so that HTTP(S) traffic can be easily redirected to a running instance of Burp.
- It can attempt to circumvent TLS certificate pinning in selected apps, allowing Burp Suite to break their HTTPS connections and intercept, inspect and modify all traffic.
Burp Suite Mobile Assistant currently supports mobile devices running iOS versions 8.0 and onwards.
Use the links below for more details:
Note: Burp Suite Mobile Assistant should not be used in situations where availability, confidentiality or integrity of data is required. Mobile Assistant changes injected apps in a way that significantly reduces the security of their communications.