Pentesting mobile devices has become important for security consultants, since more and more clients are asking to have the Android and iOS versions of their applications tested.
Using a proxy tool like Burp Suite to intercept traffic from Apple devices is easy when the application does not use SSL. When the application uses an HTTPS connection, however, the iPad or iPhone does not allow you to intercept the traffic, because Burp presents the device with a fake certificate that cannot be verified. When browsing in Safari, the user just gets a warning and can proceed. Applications, in contrast, treat the certificate as either valid or invalid: there is no warning for an invalid certificate, and the connection is simply terminated.
So for testing we can install the Burp SSL certificate on the iOS device, which will then treat it as a trusted certificate.
Step 1) Start Burp proxy
Step 2) Set your browser to use the Burp proxy
Step 3) Browse to any SSL page. The browser will show a warning for 'Invalid SSL Certificate'.
Step 4) Open the certificate details. Click on PortSwigger CA. This is important, since we want the certificate at the top of the hierarchy. Then click on Export.
Step 5) When you export the certificate it will be called PortSwigger CA. Remember to add '.crt' to the file name when you save it. This is important, since the extension determines what the iPad or iPhone does with the file.
Step 6) Send the certificate to the device. This can be done by any method, such as email or copying the file directly onto the device. When you try to open the certificate, the device will prompt you to install it. Click on Install.
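
Before sending the file in Step 6, it is worth confirming that what was exported really is the top-of-hierarchy CA certificate and not the per-site certificate below it. The following check is an added example, not part of the original post; it assumes the `openssl` command-line tool is installed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of the certificate exported in Steps 4-5,
# run on the workstation before the file is sent to the device in Step 6.
# Function names are hypothetical; requires the openssl CLI.

# Emit the certificate as PEM whether the browser exported PEM or DER.
load_cert() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null ||
        openssl x509 -in "$1" -inform DER 2>/dev/null
}

check_ca_export() {
    local file="$1" pem subject issuer

    # Step 5: the file name must end in .crt.
    case "$file" in
        *.crt) ;;
        *) echo "FAIL: $file does not end in .crt"; return 1 ;;
    esac

    pem="$(load_cert "$file")" || { echo "FAIL: $file is not an X.509 certificate"; return 1; }

    subject="$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject= *//')"
    issuer="$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer= *//')"

    # Step 4: the top of the hierarchy is self-issued (subject equals issuer).
    # A per-site certificate exported by mistake names a different issuer.
    if [ "$subject" != "$issuer" ]; then
        echo "FAIL: not the top of the chain; issued by: $issuer"
        return 1
    fi

    # A certificate that signs other certificates carries basicConstraints CA:TRUE.
    if ! printf '%s\n' "$pem" | openssl x509 -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: certificate is not marked as a CA"
        return 1
    fi

    echo "OK: $subject"
    # SHA-256 fingerprint, to record in the test notes which CA was installed.
    printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256
}

# Usage: check_ca_export "PortSwigger CA.crt"
```

A FAIL on the subject/issuer comparison means the wrong entry was selected in the certificate details in Step 4.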