Xamarin - iOS

Hooking

• A brief on AOT Compiled iOS Xamarin Apps - Hacking Xamarin Apps on iOS (appknox.com)
• Notes From Reverse Engineering A Mono AOT Compiled App On iOS | Rafael Rivera (withinrafael.com)

Traffic Interception

Resources

• Intercepting Xamarin Mobile App Traffic (triskelelabs.com) (Recommended)
• Capturing HTTP Requests from a non-proxy-aware Mobile Application | bhavukjain1
• SSL Pinning Bypass for Android & iPhone Users | Appknox

The following is outdated, but I opted to keep it in the notes for reference: - How To Capture Non-Proxy Aware Mobile Application Traffic (IOS & Android) Xamarin/Flutter -Pentesting | by salman syed | Medium More on IP tables at: - iptables Demystified - Port Redirection and Forwarding HTTP Traffic to another machine (part 1) - YouTube

Steps

1. Follow the steps in the How To Capture Non-Proxy Aware Mobile Application Traffic (IOS & Android) Xamarin/Flutter -Pentesting | by salman syed | Medium blog to set up OpenVPN.

   Ensure OpenVPN is set to use TCP

2. Delete all iptable rules, refer to iptables(8) - Linux man page (die.net) for full context.

   # Flush filter rules i.e: FOWARD, INPUT, OUTPUT
   iptables -F
   
   # Allow all inbound traffic
   sudo iptables -P INPUT ACCEPT
   sudo iptables -P OUTPUT ACCEPT
   sudo iptables -P FORWARD ACCEPT
   
   # [optional] Get NAT rule number
   sudo iptables -t nat -v -L -n --line-number
   
   # [optional] Flush nat rule i.e: PREROUTING, POSTROUTING
   sudo iptables -t nat -D PREROUTING <rule_number>
   

3. Route traffic from your VPN interface and redirect to your host (Burp Suite)

   # To forward to local port 8888 
   iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8888 
   
   # [optional] if you delete OpenVPN's NATing rule by accident, restore it with
   sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens33 -j MASQUERADE # , where ens33 is the interface connected to the internet
   

4. Enable IP Forwarding

   # Enable
   sysctl -w net.ipv4.ip_forward=1
   
   # [optional] Validate it works
   cat /proc/sys/net/ipv4/ip_forward
   

   If you don't see traffic in Burp, checkout Burp's Dashboard - sometimes it's an SSL pinning issue.

Bypass SSL pinning

• Login to the application without intercepting the traffic
• Download Burp Certificate by navigating to http://burp:8080.
• Find the Bundle path on the device using objection
• Find the certificate using find and grep

  find . | grep -E "cer|der"
  

  
• Replace the certificate with Burp's certificate. You may need to convert der certificate format to .cer. To do so, follow this blog: Install Burpsuite’s or any CA certificate to system store in Android 10,11 and Kali linux. | by n00🔑 | Medium