How to add Burp CA Certificate to iPad or iPhone

A guy can never feel complete as a technical security blogger until they’ve written a post about how to add the Burp CA cert into an iOS device – so here’s mine!

As a consultant and tester I’m doing more and more with mobile devices. Most apps make some kind of Internet connection, so it makes sense that we’ll want to proxy that through something useful like Burp. When you’re doing web application testing, *most* of the time the client is a web browser, and these are pretty good at popping up a warning about untrusted SSL certificates; even on an iOS device you get this option in Mobile Safari. Apps, however, don’t offer this same choice: the cert is either trusted and valid or it’s not. If you want to intercept HTTPS traffic with Burp, you’re going to need to import your Burp CA cert into the iOS device’s cert store.

So, here we go then. First things first we need a copy of the Burp CA cert. The easiest way to do this is on a desktop machine and export it using Firefox. I’m going to assume you’ve already configured your proxy settings in Firefox to point to your Burp instance. Now try and access an HTTPS web site, it doesn’t matter which one – use https://offensivecoder.com if you like. ;-)

The browser will throw up this warning:

Expand the “I Understand The Risks” section and click “Add Exception”

What we need to do is view the certificate chain. Click on View and you’ll be presented with the General tab of the Certificate Status window:

Click on Details and highlight the topmost certificate in the list. This is important: we need the top of the chain. The cert will be called PortSwigger CA:

With the topmost certificate in the hierarchy highlighted, click on Export. You will be presented with a Save Certificate To File box. Save the file wherever suits (I put mine on the Desktop), but make sure you add a .crt suffix to the filename. This will be important later so that the iOS device recognises what to do with it.

With the file saved we now need to get the cert onto the iOS device. There’s a gazillion ways to do this but the simplest is just to email it to an account you can access from that device. I’m sure you don’t really need a how-to on emailing an attachment but, for completeness, here goes:

Now we move over to the target iOS device. In my case it’s an iPad, but the instructions are the same for an iPhone… or an iPod Touch (or whatever they’re called these days). First open the email and click on the attachment:

Click on Install to begin the import process:

Click Install in the top right corner and you will (likely) be prompted for a passcode or password:

Put in 1234 (that is your passcode right?) or whatever your passcode is.

And that’s it. Your shiny iDevice’s HTTPS traffic can now be intercepted using Burp. Have fun!
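
A pre-flight check for the exported file, added here as an example and not part of the original post. It confirms the .crt suffix, that the certificate is the top of the chain (subject equals issuer), that it is marked as a CA, and that it carries the PortSwigger CA name. The function names are assumptions, and it needs the openssl command-line tool on the desktop machine.

```shell
#!/bin/sh
# Added example: sanity-check an exported certificate before installing it
# as a trusted root on a test device. Requires the openssl command-line tool.

# Run "openssl x509" on a file, trying PEM first and then DER, because the
# browser's export dialog can save either encoding.
read_cert() {
    local file="$1"; shift
    openssl x509 -in "$file" -inform PEM -noout "$@" 2>/dev/null ||
        openssl x509 -in "$file" -inform DER -noout "$@" 2>/dev/null
}

# check_ca_cert FILE [EXPECTED_NAME]
# Returns 0 only if FILE ends in .crt and holds a self-issued CA certificate
# whose subject contains EXPECTED_NAME (default: "PortSwigger CA").
check_ca_cert() {
    local file="$1" expect="${2:-PortSwigger CA}" subject issuer
    case "$file" in
        *.crt) ;;
        *) echo "FAIL: $file does not end in .crt" >&2; return 1 ;;
    esac
    subject=$(read_cert "$file" -subject) || {
        echo "FAIL: $file is not a PEM or DER X.509 certificate" >&2; return 1; }
    issuer=$(read_cert "$file" -issuer)
    # Top of the chain means self-issued: subject and issuer are identical.
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo "FAIL: not the top of the chain ($issuer)" >&2; return 1
    fi
    # A leaf certificate exported by mistake will not carry CA:TRUE.
    if ! read_cert "$file" -text | grep -q 'CA:TRUE'; then
        echo "FAIL: basicConstraints does not mark this as a CA" >&2; return 1
    fi
    case "$subject" in
        *"$expect"*) ;;
        *) echo "FAIL: subject does not contain '$expect'" >&2; return 1 ;;
    esac
    echo "OK: $subject"
    # Print the SHA-256 fingerprint so the installed root can be identified later.
    read_cert "$file" -fingerprint -sha256
}

# Stand-alone use: sh check_cert.sh <exported-file>.crt
if [ "$#" -gt 0 ]; then check_ca_cert "$@"; fi
```
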

Posted in Mobile, Security
  • wh1ps04r

    There's another option available on iOS: IFF you control the source code of a given app, you can utilise a private/unofficial API to disable the iOS CA checking feature so any cert can be used. Effectively it's an off/on switch for CVE-2011-0228.