Intercepting Mobile App Network Traffic aka The Squirrel in the middle

Abstract

We will make a deep dive into intercepting network communication of mobile apps and it’s API’s. I will cover different kind of challenges you might be facing when trying to intercept and will propose several ways of overcoming them.

You might think now: What’s the problem here? I install the Burp Certificate Authority (CA) on the mobile device and set the system proxy to point to Burp Suite and case closed.

This might work, but this will only cover the „ideal“ case! But what about the following use cases:

  • The app is being build in Flutter or Xamarin. If that’s the case the app will not be using the system proxy, but bypass it. So the Proxy you are setting in iOS and/or Android will be ignored by the app.
  • Not every app is relying on HTTP. Other protocols such as XMPP might be used or also TCP to reduce the overhead of HTTP. As the system proxy that you are setting on the mobile device will only be covering HTTP(S), other protocols will not be routed to Burp. Even if you find a way, Burp will not be able to process and display them by default as Burp can only understand HTTP.

These are only same of the challenges you might be facing when trying to intercept the communication of a mobile app.

This talk will present and follow a methodology for intercepting the network communication between a mobile app and it’s API’s and want’s to enable the audience to tackle all potential use cases described above and more. For this talk I will give detailed technical demos that will allow you to master all of them.

Why “Squirrel-in-the-middle”? You will find out in the talk :-)


Speakers Information


Sven Schleier

Sven is specialised in Application Security and has supported and guided software development projects for Mobile and Web Applications during the whole SDLC. Besides his day job he is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide and OWASP Mobile Application Security Verification Standard. Sven is giving talks and workshops about Mobile Security worldwide to different audiences, ranging from developers to penetration testers and students.





View Full Schedule

Subscribe to Our Mailing List

Join our community mailing list for updated on conference annoucements, important dates and discussions.