Burp Suite not intercepting API calls from Flutter iOS mobile application

I have configured Burp Suite to intercept the API (HTTP and HTTPS) calls from iOS mobile apps.
I am getting the expected result from all my native iOS apps which use HTTP and HTTPS (SSL certificate pinning disabled).
But for the Flutter mobile app, no request is intercepted and no items are listed under the "HTTP history" tab.
I am using the flutter default package "http.dart" for the API calls. Does this package contain any kind of inbuilt security to avoid network interception?

Flutter uses Dart, which doesn’t use the system CA store. This way, even though you have installed BURP CA on your iOS device, flutter is oblivious to that as it uses a list of CA’s that are embedded into the application itself.
You have to disable SSL certificate verification in your app for testing purposes. For disabling SSL certificate verification in flutter, please refer to:
how to solve flutter CERTIFICATE_VERIFY_FAILED error while performing a POST request?
Also, it might be the case that your iOS Dart setup isn't completely proxy aware (usually Android Dart isn't). I'd investigate that as well.
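A narrower alternative to switching verification off, shown as an added example that is not part of the original answer: a test-build client that names the proxy explicitly (dart:io makes direct connections unless `findProxy` is set) and adds the proxy's CA as a trust anchor, so certificate checks stay on. The function name `buildProxiedClient`, the proxy address and the CA file path are assumptions for illustration.

```dart
// Added example, not code from the original post. buildProxiedClient, the
// proxy address and the CA file path are hypothetical names and values.
import 'dart:io';

import 'package:http/http.dart' as http;
import 'package:http/io_client.dart';

/// True when the app is compiled in release (product) mode.
const bool isReleaseBuild = bool.fromEnvironment('dart.vm.product');

/// Builds an http.Client for test builds that sends traffic through an
/// intercepting proxy and trusts that proxy's CA in addition to the
/// built-in roots. Certificate verification itself stays enabled.
http.Client buildProxiedClient({
  required String proxyHostPort, // e.g. '192.168.1.10:8080' (assumed)
  required List<int> proxyCaPem, // PEM bytes of the proxy CA certificate
}) {
  if (isReleaseBuild) {
    // Fail closed: a shipped build must never carry the test trust anchor.
    throw StateError('Proxy interception client requested in a release build');
  }

  final context = SecurityContext(withTrustedRoots: true)
    ..setTrustedCertificatesBytes(proxyCaPem);

  final inner = HttpClient(context: context)
    // Without findProxy, dart:io's HttpClient always connects directly,
    // so the proxy is named explicitly for every request.
    ..findProxy = (Uri uri) => 'PROXY $proxyHostPort';

  return IOClient(inner);
}

Future<void> main(List<String> args) async {
  // Usage: dart run example.dart <proxy host:port> <path to CA PEM> <url>
  final client = buildProxiedClient(
    proxyHostPort: args[0],
    proxyCaPem: await File(args[1]).readAsBytes(),
  );
  try {
    final response = await client.get(Uri.parse(args[2]));
    print('HTTP ${response.statusCode}');
  } finally {
    client.close();
  }
}
```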

Related

How to make mobile applications install and run in China? Any option for the app to work without using VPN?

Recently, I gave an iOS build to my client to test an app. I did it by using Unity and ARKit. From the client's feedback, he downloaded the application but the app is not initializing. In order for the app to initialize, it requires an Internet connection. I used a plugin in my app; when I contacted them, they told me that they are using Google's Firebase in their backend. Is this the reason that the app has been blocked, or are there any other issues? Any suggestions?
Btw, my client cannot use VPN. Is there a way to run something in code to change to VPN?

Appium - Setup proxy server on mobile Android and iOS devices

I need to be able to capture HTTP(S) requests from Android and iOS devices, for both Browsers and, in the future, for Native apps for testing purposes mainly.
Some aspects to consider:
There are a lot of devices/iOS combinations to support, so the only viable solution is to use a Cloud Browser provider like SauceLabs, BrowserStack, etc.
Preferably, I would use Real devices, not Emulators/Simulators
We could make any kind of tweaks for the staging environment of the site under test in case it is needed
Same for the native applications
My first attempt was to give it a try with FiddlerCore, and while it works on Android, it doesn't work on iOS because of the self-signed certificate that would require to be trusted manually (leaving aside the fact that due to security reasons, no Cloud Browser provider would allow you to do it).
So, next I thought of creating a proxy server and buying a Trusted CA Signed Certificate (e.g. Comodo, GoDaddy, etc), setup the device to use that proxy server and then fetch in my tests the requests and responses from it.
I don't know much about certificates and don't have extensive experience with Appium, so the following questions arise:
Will the setup mentioned above, using a proxy server and trusted CA signed cert suffice for iOS not to complain that the certificate is not trusted? Note that I won't be able to manually accept the cert on the device (in case it's needed).
In case the setup above will work, is it possible to setup using Appium the proxy settings on the device? As far as I know, Appium can interact with Android Settings menu, but I'm not sure about iOS.
Is there anything that I missed or that I should keep in mind?

TLS 1.1/1.2 support for Xamarin.Android

Right now I'm developing an application using Xamarin.Forms. I ran into a problem with the TLS protocol.
My application uses an API. Because of security reasons the API uses HTTPS. This week we decided to remove the support of TLS 1.0 to accept only TLS 1.1 and 1.2 on the server side, but after we made this change, I noticed that my application stopped working.
While debugging I noticed that the call of the API throws an exception (I'm using HttpClient class from .Net). By searching for solutions on the Internet, I saw that many people think the problem is related to TLS support.
I solved this problem on Android and iOS using a plugin named ModernHTTPClient, but one of my customers reported to me that on his device running Android they still have the problem (he's running a device with Android 4.2).
Checking the Android documentation I saw that this version has support but it is not enabled by default, and the hard part is that there's not much documentation on the Internet about how I can activate this.
Any advice on how I can activate this? Does Xamarin.Android have native support for TLS 1.1 and up?
Thanks
ModernHTTPClient should use the platforms' native HTTP handling. Looks like for now you can build it manually using this pull: https://github.com/paulcbetts/ModernHttpClient/pull/210

ios9 app transport security issues different in simulator and device

Upon running my app in the iOS 9 simulator, I get App Transport Security related issues because some of my URLs are not using HTTPS. I tried it on an iPad with iOS 9 and it's working fine.
Upon release of ios9, should I expect my live app (sdk 8) to fail on ios9 devices? Just making sure if late appstore updates are safe.
Thanks!
Reference
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.
I have written a summary of ways to check the acceptability of a web service for iOS 9's App Transport Security:
https://medium.com/#Mrugraj/app-transport-security-b7910c4fc70f
There are two ways:
Using Curl
$ curl -v https://github.com/
Trying 192.30.252.130...
Using online tool like - https://www.ssllabs.com/ssltest/index.html

Configure SSL/TLS Version and Cipher Suites on iOS (iPad/iPhone)

TLDR: Is there any way to configure iOS SSL cipher suites for a mobile-device-initiated, REST-over-TLS network connection, without using non-iOS-native HTTP or SSL libraries? If so, where is the API documented and are there any examples?
Details: I am working with others to develop an iOS mobile application and we are unable to locate details about how to force the native iOS crypto libraries to use a specific version of SSL/TLS, or specific cipher suites. This is for a custom REST application, so the approach would have to be possible to connect via HTTP over TLS.
The app is written in Objective-C. We are trying to stay within iOS native functionality without including a separate SSL/TLS library.
I did try to search for an answer on SO, but I didn't find anything that seemed to cover the question.
