Burpsuite proxy troubleshoot issue - ios

I am working on mobile pentests currently. At first, using my home network I was able to intercept traffic in Burp Suite for both the iOS and Android versions of “Test App”. Then the next day, I was still able to intercept traffic, but the behaviour of this “Test App” for both iOS and Android seemed like it had certificate pinning, as I was just stuck on the pre-auth page and getting errors when trying to log in. Without the proxy, though, I am still able to log in OK and proceed with the app normally, so I don’t think my home network got blacklisted? (For context, the binaries do not have any certificate pinning.)
But when I changed my network to my mobile hotspot, I could intercept the traffic and the app behaved normally again.
Anyone encountered the same previously? Any ideas on what could be causing this? Thanks

This does seem odd. I would wager one of three things is happening here:
You accidentally left "Intercept" on in Burp Suite Proxy. This holds the response in Burp Suite until you click Forward, which would cause behavior very similar to what you are describing here. I have done this more times than I am willing to admit.
There was a temporary outage in the application's API. Not unheard of, especially if this is an unreleased app.
There is some sort of issue on your home network, but this is unlikely. Maybe two devices have the same static IP address?
It's hard to say exactly what the issue might be based on the information you provided, but hopefully this was helpful, or at least gives you a place to start!

Related

"No Internet Connection" for iOS Apps Being Proxied Through OWASP ZAP

Sort of a newb to OWASP ZAP/proxying apps through it, so I'm tagging OWASP in this post, but hoping someone knows how to circumvent this issue here.
On Windows 10, OWASP ZAP 2.11.1, I've generated a new certificate and installed/trusted it on my iPhone 13 Pro Max. I've set up the proxy to run over port 8081 in OWASP ZAP, and turned on the routing on the phone. I'm seeing the traffic in OWASP ZAP, which is cool; however, the apps aren't actually "working". For example, if I load the Instagram app, I see the traffic/sites showing up in the left pane for Instagram, but on the phone it doesn't refresh the feed and says there's no internet connection. Some other apps just hang on the first loading screen of the app, even though I'm seeing the traffic in OWASP ZAP.
My theory here is that the traffic isn't being routed BACK to the phone, but merely being intercepted before sending it out. Am I correct in assuming this? Or what else could be happening here as I'd like the apps to work properly while I'm proxying through ZAP.
Thanks!
UPDATE
After some digging, I'm thinking this is likely a result of "pinning", which I think can be (relatively easily) circumvented with Frida for Android apps, but maybe not so much with iOS apps. Any insights into that would be greatly appreciated!
I was getting the "no internet" message after following the steps above posted by Simon Bennets (https://www.zaproxy.org/faq/can-zap-be-used-to-test-mobile-apps/). I had to do an extra step to trust manually installed certificate profiles, as shown here: https://support.apple.com/en-us/HT204477.

App rejected due to an IPV6 Swift3 error. How do I fix it?

A few days ago, Apple rejected my app, indicating that it didn't have IPV6 support, however I don't need that support since my app does not require internet access.
I asked the following:
Hi, my app does not need any internet connection yet.
So, why is it required to have support for IPV6?
They said:
Thank you for your response and for your question. In order to bring your app into compliance with Guideline 2.1 it would be appropriate for your app not to crash when logging in.
end
So, why do I need that support?
If it is necessary, how can I do it?
Please, I need help.
Test your app extensively and fix the crash. Enter wrong values, don't enter anything at all, intentionally try to break your app and get it to crash. Then you will find your error and you can fix it.
EDIT BASED ON COMMENT BELOW
"My app doesn't need to connect with an external database, because I got the information inside" - in this case, no, you do not need to add IPv6 support because you are not communicating with the internet for logging in purposes.
You can keep the login given it is only going to be 2 people using the app, just resolve the crash when logging in.
To test, enter a variety of incorrect passwords and usernames to ensure that there is no crash on incorrect entries, and confirm that correct entries do not crash the app.
Original Answer
Apple indicated that because there is a login feature, they think it is trying to communicate with an external database (i.e. a database that is not on the device). If there is no external database, what they are asking is simply that you fix the crash.
Based on your question, you have alluded to the app not communicating externally for logging in. While some may find this odd, it is not uncommon. An example for those wondering would be a children's app for iPad. The iPad might be shared amongst several children, and as such each child might complete different sections or features of the app, so an account local to the device is a good idea if there is no cloud support.
If there is external communication, you need to handle the case for no internet access. The question has been answered extensively, however this was the first result I found:
Detect Internet Connection and display UIAlertview Swift 3
Update: Why do I need to Support the case for no internet connection?
A use case:
John has just downloaded your app. He has just walked through the steps to create an account, but he has accidentally set his device to Aeroplane Mode.
John hits the "Create Now" button but nothing is happening. There is no error or success alert appearing, the screen has not changed, he can't see a loading icon. John is confused and getting frustrated because he's certain that he has completed everything in the form.
John doesn't understand that he needs internet connectivity to successfully submit a request to create an account. John decides to delete your app from his device and leaves a bad review.
John really could have used an alert saying "You need an internet connection to sign up to this app. Please check you are connected and try again". This would have made John a whole lot happier, and he probably would have continued to use your app with all of its amazing features.
More information can be found in the guidelines that Apple mentioned, and further to this, the Apple Design Principles Guide is an invaluable resource.
I hope this makes sense.

Are Universal Links cached in iOS? Do they work offline?

I tested Universal Links in iOS by turning on Airplane mode and saw that the correct application was opened (instead of a website).
This indicates some level of "caching" of the apple-app-site-association file.
I want to determine the extent to which this is cached, so I can determine
What UX edge cases are there (e.g. Offline for x days)
What security considerations are there (e.g. MITM / SSLStrip + .well-known/URL)
etc.
Ideally I would like to have details if additional logic is employed (conditional caching if HTTPS employed, DNSSec, etc)
The exact behavior here is (intentionally?) unclear from Apple. Here is my personal experience, gleaned partly from official documentation and partly from helping thousands of apps implement Universal Links at Branch.io.
The apple-app-site-association file is cached once when the app is first installed.
If this initial scrape fails, in almost all situations it will not be reattempted. The only exception to this is if the initial return is a 5xx error, in which case a limited number of retries may occur. This is not well-documented, and is not covered in Universal Links documentation at all. You can find a mention in the Shared Web Credentials docs.
The file is not checked at all when a Universal Link is opened. This is why you are able to get Universal Links behavior in airplane mode.
The file does not expire. Once it is cached, it sticks permanently for as long as the app is installed.
The file will be re-checked when installing an app update.
The file must be accessible via a valid SSL connection at either https://example.com/apple-app-site-association or https://example.com/.well-known/apple-app-site-association. If there are redirects of any kind, this will fail.
It is theoretically possible to MITM the request if you are able to install a new SSL certificate directly on the device in question. Charles Proxy for example uses this approach for debugging. I have never seen or heard of this being exploited, and the damage would be quite limited because the domain still has to be specified inside the app itself.
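The fetch and format rules in the answer above, as an added example that is not from the original thread or from Apple: a small checker for the URL iOS will request, for how a one-time fetch outcome is treated (redirects fail, 5xx may be retried, 2xx is cached for the life of the install), and for the structure of the file itself. The sample document, team ID and bundle ID are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample AASA document (not from any real domain); the team ID
# and bundle identifier are made up.
SAMPLE_AASA = json.dumps({"applinks": {"apps": [], "details": [
    {"appID": "ABCDE12345.com.example.app",
     "paths": ["/promo/*", "NOT /promo/internal/*"]}]}})

ALLOWED_PATHS = ("/apple-app-site-association",
                 "/.well-known/apple-app-site-association")

def valid_aasa_url(url):
    """True only for https:// at one of the two paths iOS actually requests."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.path in ALLOWED_PATHS

def classify_fetch(status, headers):
    """Outcome of the device's one-time fetch, per the behaviour described
    above: any redirect fails; 5xx may get a limited retry; 2xx is cached
    until the app is reinstalled or updated; anything else fails for good."""
    if 300 <= status < 400 or "location" in {k.lower() for k in headers}:
        return "failed_redirect"
    if 500 <= status < 600:
        return "retry_possible"
    if 200 <= status < 300:
        return "cached_until_reinstall"
    return "failed_no_retry"

def validate_aasa(body):
    """Return a list of structural problems in an AASA body (empty = OK)."""
    try:
        doc = json.loads(body)
    except ValueError as e:
        return [f"not valid JSON: {e}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    details = doc.get("applinks", {}).get("details")
    if not isinstance(details, list) or not details:
        return ["applinks.details missing or empty"]
    errors = []
    for i, entry in enumerate(details):
        app_id = entry.get("appID", "")
        team, _, bundle = app_id.partition(".")
        # appID is <10-character Team ID>.<bundle identifier>
        if len(team) != 10 or not team.isalnum() or not bundle:
            errors.append(f"details[{i}]: malformed appID {app_id!r}")
        paths = entry.get("paths")
        if not isinstance(paths, list) or not all(isinstance(p, str) for p in paths):
            errors.append(f"details[{i}]: paths must be a list of strings")
    return errors
```

Run `validate_aasa` against the file your server actually returns, and feed the real status code and response headers into `classify_fetch` to see whether the single install-time fetch would have succeeded.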
I found a way to get around the caching issue. The cache is bound to the domain name, so for every time you want iOS to request apple-app-site-association you can create a new subdomain, and configure iOS to use that subdomain as the universal link for your app.
Extremely hacky, but it is the only workaround that worked for me.

Cordova - opening the InAppBrowser without checking for a network connection (Apple Approval)

I'm not entirely sure why I feel this way, perhaps something I read at some point, but my understanding is that while providing an offline experience within an app, it is my responsibility to appropriately manage situations where my app requires an internet connection and one is not available (a proper alert for example).
When opening an external website using the Cordova InAppBrowser, if there is no internet connection, am I required to do something about it, or is the error appearing in the webview of the plugin enough? Will this interfere with the approval process, or is this entirely OK?
Check this out, Dom.
http://gtproductions.net/blog/ways-to-get-rejected-by-apple-app-store-tips/
Point 4 seems to point out that apps (games here) may get rejected if connection issues are not properly handled.

Intercept iOS Device internet traffic with profile

I want to create a parental-control app very similar to Onavo, other than I'm not compressing any data; I'm just storing the URL being requested and letting it go on its way.
Basically, I just want to install a profile that will tell my app anytime an internet request is made on the device (assuming my app is running in the background). This is an even simpler version than what Onavo does (intercept internet actions and reroutes them), so I know it's possible I just can't seem to find any documentation for it...
Can anyone point me in the right direction? Google is failing me.
I'm an intermediate iOS developer. Thanks!