Years ago I built a web app for managing the home finances. I may post about that another time. But part of the back-end of this app is a script that runs several times a day that fetches transactions from my bank and American Express. It’s served me well, with the exception that the OFX direct connect to American Express does not offer download of pending transactions.
It occurred to me the other day that the American Express app on my phone does show pending transactions. If I could see what the app sent, I was confident I could recreate it with curl and pose as the app. A little Googling turned up a really nifty Java proxy called Burp that claimed to reveal all HTTP traffic, including SSL.
For SSL traffic, Burp mints a certificate for each host on the fly and signs it with its own CA (the PortSwigger CA, generated once per Burp installation). A desktop browser copes with this: it warns you that the certificate is not trusted and lets you click through. A mobile app does not prompt; it validates the chain against the device's trust store, finds no trusted issuer and drops the connection. So the job is to make the device trust Burp's CA. If sniffing traffic from a mobile app is your aim, here are the steps. (An app that pins its server's certificate or public key will still refuse the connection, because the pin does not match Burp's certificate; these steps only help apps that rely on the system trust store.)
- Download and install Burp
- Run Burp, go to the “proxy” tab and select the “options” button.
Edit the default proxy listener and uncheck “listen on loopback interface only” so that the phone can reach the listener over the LAN. Only do this on a network you control; the listener is now open to everyone on it. Make sure “generate CA-signed per-host certificates” is selected.
Click “update” when finished.
- Open Firefox (or any other browser that allows export of certificates) and set it up to use the computer running Burp as its proxy (e.g. 192.168.1.2 on port 8080).
Browse to any https site. You should receive a warning that the certificate is not trusted. View the certificate, highlight the root of the chain (PortSwigger CA) and export it. Burp also serves the same CA certificate directly at http://burp/cert when the browser is proxied through it.
- Attach the exported certificate to an email and send it to yourself so you can install it on your device. The export is the public certificate only; the CA's private key never leaves the Burp machine, so mailing it is safe.
- Install the certificate (on an iPhone this is tapping on the attachment and accepting the prompts; recent iOS versions additionally require enabling full trust for the new root under Settings > General > About > Certificate Trust Settings).
- In the device's Wi-Fi proxy settings, point the HTTP proxy at the Burp computer, same address and port as before.
Now when an app opens an SSL connection, it is handed the per-host certificate Burp created on the fly, and because the issuing CA is now trusted on the device, the chain validates and the app carries on. All HTTPS traffic should now be visible in Burp. When you are finished, remove the installed certificate: while it stays trusted, anyone holding that Burp CA's private key can intercept the device's TLS traffic. Happy sniffing!
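To see why the app fails before the CA is installed and succeeds after, here is an added example that reproduces the whole trust situation locally with the openssl command-line tool. It is not code from the original post or from Burp: a throwaway CA named "Example Proxy CA" stands in for the PortSwigger CA, and api.example.com is a hypothetical host standing in for the API the app talks to. The script mints a per-host leaf the way the proxy does, exports the CA in DER form as the browser step does, and then checks the leaf against an empty trust store (the phone before the install), against the proxy CA (the phone after), and for a host the leaf was not minted for.

```shell
#!/bin/sh
# Added example, not code from the original post or from Burp.
# Reproduces locally the trust situation the post describes: a proxy CA
# (standing in for Burp's PortSwigger CA) mints a per-host leaf certificate
# on the fly; a client that does not trust the CA rejects the leaf, a client
# that has imported the CA accepts it, and a leaf minted for one host is
# still rejected for another. Requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
HOST=api.example.com        # hypothetical API host the mobile app talks to

# 1. The proxy's CA. Burp generates one like this per installation; only
#    the certificate (never ca.key) is what you export and install on the phone.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Proxy CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. The per-host leaf, signed by that CA, as the proxy would mint it the
#    first time the app connects to $HOST.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/host.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/host.ext" -out "$WORK/host.pem" >/dev/null 2>&1

# 3. The export step from the post: the browser (or Burp itself) hands you the
#    CA certificate in DER form, which is what gets mailed to the phone.
openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/cacert.der"
: > "$WORK/empty.pem"       # a trust store with nothing in it: the phone before the install

# verify_leaf TRUSTFILE EXPECTED_HOST -> prints "trusted" or "untrusted"
# Mirrors what a TLS client does: chain the leaf to a trusted root, then check
# the name the leaf carries against the host being connected to.
verify_leaf() {
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/host.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# ca_subject_from_der DERFILE -> the issuer name the device shows when importing it
ca_subject_from_der() {
  openssl x509 -inform DER -in "$1" -noout -subject
}

# Run as "sh this_script.sh demo" to print the verdicts.
if [ "${1:-}" = demo ]; then
  echo "no CA installed:          $(verify_leaf "$WORK/empty.pem" "$HOST")"
  echo "proxy CA installed:       $(verify_leaf "$WORK/ca.pem" "$HOST")"
  echo "CA installed, wrong host: $(verify_leaf "$WORK/ca.pem" other.example.com)"
  echo "exported CA: $(ca_subject_from_der "$WORK/cacert.der")"
fi
```

Against a real Burp listener the same pieces apply: fetch the CA with `curl --proxy http://192.168.1.2:8080 http://burp/cert -o cacert.der`, convert it with `openssl x509 -inform DER -in cacert.der -out burp-ca.pem`, and then the curl replay the post is after becomes `curl --proxy http://192.168.1.2:8080 --cacert burp-ca.pem https://...`, which trusts Burp's per-host certificate only because that CA is named explicitly, exactly as the phone does once the certificate is installed.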