Last updated: July 20, 2021
Read time: 4 Minutes
Burp Suite Mobile Assistant is a tool to facilitate testing of iOS apps with Burp Suite.
If you do not already have Mobile Assistant installed, please see the help on Installing Burp Suite Mobile Assistant.
Once installed, Burp Suite Mobile Assistant can be launched just like any other app on your device. Simply tap the app's icon to get started. You can find information about configuring Burp Suite Mobile Assistant on the Support Center.
Make sure that an instance of Burp is running and that it is network-accessible from your mobile device.
Within Burp Suite Mobile Assistant, you can configure the host and port of the Burp Suite instance that you want to connect to, install the CA certificate from the configured instance, and enable it as the proxy for the device.
You can also run a test to verify your configuration. The test performs the following checks:
Note: Changes made to proxy settings by the Mobile Assistant are ephemeral and will be reverted upon reboot. On devices running iOS versions 9.0 onwards, changes made to proxy settings using Mobile Assistant are not reflected in the iOS Settings app. Installation of the Burp CA certificate is not reverted upon reboot.
Certificate pinning is a technique used by apps to defend against the impersonation of trusted servers by malicious actors. In this context, pinning is a term that refers to the process of authenticating the identity of a host (provided by a remote server in the form of a TLS certificate) against a local, trusted copy of the legitimate certificate. Therefore, a connection with the remote server will only be established if the server can prove its identity by means of a certificate that matches the app's expectations.
By default, Burp Suite generates per-host certificates signed by its self-signed CA certificate. Although such certificates might be trusted by the device, they will not match the pinned certificate that the app expects. As a result, Burp's ability to intercept and inspect traffic generated by such apps is undermined by certificate pinning, even when the device has been properly configured to proxy HTTPS traffic.
Burp Suite Mobile Assistant has the ability to inject into other apps and hook into low-level system APIs to subvert certificate pinning, allowing users to intercept traffic using Burp Suite, even when certificate pinning is implemented.
Certificate pinning can be implemented in many different ways, using system APIs, third-party libraries, or custom code. Because Burp Suite Mobile Assistant hooks the low-level system APIs, it succeeds for the vast majority of apps. However, in some cases, successful injection into an app might fail to disable pinning, indicating that an app is performing certificate pinning using custom code.
Note: The certificate pinning bypass feature of Mobile Assistant does not currently support iOS version 10 onwards.
Items can be added to injected apps list by tapping "Add injected app". An app will be injected with a certificate pinning bypass if it matches at least one of the entries in the injected apps list.
The add menu shows a list of user and system apps, which can be individually selected to be injected.
Advanced users may want to apply injections to a collection of related apps. This can be achieved by adding an advanced filter. The following types of filter are available:
com.apple.UIKitwill match any app with a GUI; the filter
com.apple.Securitywill match all apps.
You can individually enable or disable entries in the injected apps list. Various checks are performed when an item is enabled, and items will be automatically disabled if an error occurs.
You can delete individual items from the list by swiping left on the item, or tap "Delete all" to clear the list.
Note: Enabling an injection doesn't make it take effect immediately. Injection is performed at the time that an app is launched. Hence, an app will need to be restarted if it was already running when it was enabled in the injected apps list. If an app has been successfully injected, a dialog will appear when the app is launched.
The process of injecting into apps and hooking API calls carries inherent risks. For this reason, Cydia Substrate accounts for unexpected situations and can prevent devices from entering a permanent crash state. In the unlikely event that Burp Suite Mobile Assistant should crash and cause problems, please refer to Cydia Substrate's safe mode.