Testing mobile applications with burp suite


Contrary to what portswigger will have you believe, testing a mobile application with burp suite is not always easy. Of course, if there is no certificate pinning or if the app communicates over HTTP instead of HTTPS one does not need complex techniques but this is arguably a security risk in and of itself.

Certificate pinning

Normal testing requires some extra steps because applications check if the correct certificate is being used, this is not easy but it needs to be done because otherwise the burp suite certificate will not be able to intercept any traffic and you will only see errors in your burp suite.

For the certificate pinning I would like to refer you to my course on mobile android hacking:


Burp suite mobile app testing

When the burp suite certificate is being accepted by the target and burp suite is no longer showing errors, the task is trivial. All the is left is to do is set the proxy of the mobile device to burp suite and capture traffic. We specifically looking for same issues that can be found on any API/back-end server such as SQLi, IDOR, BAC, ...

Burp Suite Mobile Assistant is a tool to facilitate testing of iOS apps, although I must admit I never used it. It supports the following key functions:

This still requires a jailbroken device however.