- A brief on AOT Compiled iOS Xamarin Apps - Hacking Xamarin Apps on iOS (appknox.com)
- Notes From Reverse Engineering A Mono AOT Compiled App On iOS | Rafael Rivera (withinrafael.com)
- Intercepting Xamarin Mobile App Traffic (triskelelabs.com) (Recommended)
- Capturing HTTP Requests from a non-proxy-aware Mobile Application | bhavukjain1
- SSL Pinning Bypass for Android & iPhone Users | Appknox
The following is outdated, but I opted to keep it in the notes for reference: - How To Capture Non-Proxy Aware Mobile Application Traffic (IOS & Android) Xamarin/Flutter -Pentesting | by salman syed | Medium More on IP tables at: - iptables Demystified - Port Redirection and Forwarding HTTP Traffic to another machine (part 1) - YouTube
- Follow the steps in the How To Capture Non-Proxy Aware Mobile Application Traffic (IOS & Android) Xamarin/Flutter -Pentesting | by salman syed | Medium blog to set up OpenVPN.
Ensure OpenVPN is set to use TCP
- Delete all
iptablerules, refer to iptables(8) - Linux man page (die.net) for full context.
# Flush filter rules i.e: FOWARD, INPUT, OUTPUT iptables -F # Allow all inbound traffic sudo iptables -P INPUT ACCEPT sudo iptables -P OUTPUT ACCEPT sudo iptables -P FORWARD ACCEPT # [optional] Get NAT rule number sudo iptables -t nat -v -L -n --line-number # [optional] Flush nat rule i.e: PREROUTING, POSTROUTING sudo iptables -t nat -D PREROUTING <rule_number>
- Route traffic from your VPN interface and redirect to your host (Burp Suite)
# To forward to local port 8888 iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8888 # [optional] if you delete OpenVPN's NATing rule by accident, restore it with sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens33 -j MASQUERADE # , where ens33 is the interface connected to the internet
- Enable IP Forwarding
If you don't see traffic in Burp, checkout Burp's Dashboard - sometimes it's an SSL pinning issue.
Bypass SSL pinning
- Login to the application without intercepting the traffic
- Download Burp Certificate by navigating to
- Find the Bundle path on the device using objection
- Find the certificate using
- Replace the certificate with Burp's certificate. You may need to convert
dercertificate format to
.cer. To do so, follow this blog: Install Burpsuite’s or any CA certificate to system store in Android 10,11 and Kali linux. | by n00🔑 | Medium