I need to be able to capture HTTP(S) requests from Android and iOS devices, for both Browsers and, in the future, for Native apps for testing purposes mainly.
Some aspects to consider:
There are a lot of devices/iOS combinations to support, so the only viable solution is to use a Cloud Browser provider like SauceLabs, BrowserStack, etc.
Preferably, I would use Real devices, not Emulators/Simulators
We could make any kind of tweaks for the staging environment of the site under test in case is needed
Same for the native applications
My first attempt was to give it a try with FiddlerCore, and while it works on Android, it doesn't work on iOS because of the self-signed certificate that would require to be trusted manually (leaving aside the fact that due to security reasons, no Cloud Browser provider would allow you to do it).
So, next I thought of creating a proxy server and buying a Trusted CA Signed Certificate (e.g. Comodo, GoDaddy, etc), setup the device to use that proxy server and then fetch in my tests the requests and responses from it.
I don't know much about Certificates and don't have extensive experience Appium, so the following questions arise:
Will the setup mentioned above, using a proxy server and trusted CA signed cert suffice for iOS not to complain that the certificate is not trusted? Note that I won't be able to manually accept the cert on the device (in case it's needed).
In case the setup above will work, is it possible to setup using Appium the proxy settings on the device? As far as I know, Appium can interact with Android Settings menu, but I'm not sure about iOS.
Is there anything that I missed or that I could keep mind?
Related
I'm basically looking for a way, in an iOS app I'm developing, to achieve the same thing as this on Android.
I need to somehow embed my CA cert in the iOS app and then configure it to trust that CA in addition to the system certificates.
Is this possible without writing native code?
I'm using Expo so ideally I'd like an easy way via Info.plist or something like that if possible.
I haven't really tried anything yet. I did for Android and it works, just can't figure out how to do the same thing on iOS.
I have configured the Burp suit to intercept the API(http and https) calls from the iOS mobile apps.
Am getting the expected result from all my native iOS apps which use http and https(SSL certificate pinning disabled)
But for flutter mobile app, no request is intercepted and no items are listing under "http history" tab.
I am using the flutter default package "http.dart" for the API calls. Does this package contain any kind of inbuilt security to avoid network interception?
Flutter uses Dart, which doesn’t use the system CA store. This way, even though you have installed BURP CA on your iOS device, flutter is oblivious to that as it uses a list of CA’s that are embedded into the application itself.
You have to disable SSL certificate verification in your app for testing purposes. For disabling SSL certificate verification in flutter, please refer to:
how to solve flutter CERTIFICATE_VERIFY_FAILED error while performing a POST request?
Also, it might be the case your iOS dart setup isn't compeltely proxy aware (usually Android Dart isn't). I'd investigate that out as well.
I am having a problem since upgrading to Xcode 8 from 7.3.1.I am behind a proxy at work and the simulator will not make any connections to web services though my app although Safari on the simulator works.Everything works fine when I try outside the proxy and it works fine with 7.3.1.Does anyone now of any changes with Xcode 8 & iOS 10 that I need to make?
The Simulator runs a separate iOS/watchOS/tvOS userspace but shares the host macOS kernel. NSURLSession in the Simulator has its own cache but uses the host socket layer.
Try the relevant URI in Safari in the Simulator and see what you get. If your proxy is performing a man-in-the-middle attack on SSL connections they will be rejected as invalid. If your proxy requires authentication it won't work because the Simulator keychain is separate from the host keychain (though this was done in Xcode 7 so it isn't new).
FTW: We do not recommend that proxies MITM SSL connections; that leaves you dangerously exposed to attackers operating inside the corporate firewall, which is extremely common these days thanks to phishing attacks.
We also highly recommend that you limit ATS exceptions to the absolute minimum required. If your webservice is using insecure SSL settings you should upgrade your webservice, rather than down-grading your users to vulnerable connections. If there is only one or two third-party hosts you need to connect to, limit your ATS exceptions to just those hosts.
If none of this helps please file a bug at https://bugreporter.apple.com. Include the output of sysdiagnose and ~/Library/Logs/CoreSimulator.
I've been using Burp Suite to inspect HTTP traffic but for HTTPS traffic I've been unable to do so. I tried extracting Burps certificate and dropping it into the simulator and installing it, but my network calls still seem to be silently failing.
Burp is the simplest option so I'd like to know how to get it to work.
Check out the shell script written by the good folks over at Charles Proxy.
It installs automatically to the iPhone simulator. You should be able to use the same approach for Burp.
You can email yourself the cert to install it on a device. Another option is to modify your app to ignore the usual checks for the SSL cert, but don't forget to take it out for production.
Also the book Hacking and Securing iOS applications has tons of awesome advice if you're into stuff like this.
Here's another answer that must be where I got the idea of using the Charles script: Adding a self-signed certificate to iphone Simulator?
And another answer that might be relevant: iPhone TrustStore CA certificates
When an iOS Device goes into "sleep mode", even a configured VPN is, unfortunately, turned off.
A customer that wants an app for his iPad has to use VPN for security, so anything must be done through VPN. The app has to synchronize a lot, but the iOS device might turn off the VPN by itself. That's why I just need to trigger it again every time i need an internet connection (or keep it alive).
Do any of you guys have anything in mind?
Even using Private API is ok (the app will only be distributed to a customer, not through App Store).
Or using any app like Cisco AnyConnect would do the job.
Two ideas:
1) You can create a configuration profile with VPN on demand. This require client certificat authentication though. My guess that if some application will try to access domains or hosts defined in VPN on demand section in sleep mode, VPN will be turned on.
Update: At some moment Apple was sued regarding VPN on demand, so I believe they dropped this feature and after returned it back modified. It's good idea to read this article for iOS 7: http://support.apple.com/kb/ts4550
2) Idea which I offered for this question (iOS6 toggle WiFi on non-jailbroken device). Here is the copy of text from there:
I think it make sense to look at SystemConfiguration.framework.
It has set of API to work with different connection interfaces, which are defined here: http://developer.apple.com/library/mac/#documentation/Networking/Reference/SCNetworkConfiguration/Reference/reference.html
This one is private API.
Update: I believe there were some changes in SystemConfiguration and Apple tightened security around this framework.
3) Apple may grant to some applications additional entitlements, so they can build functionality which no other application can build. As example, VPN client companies (like Cisco) got special entitlements to build what in iOS called "VPN plugins", which is essentially VPN client.
Its now possible to do with NetworkExtension framework available in iOS 8 and up.
If you go to project settings->capabilities you will find "personal VPN". By turning it on you get the framework added to your project.
There is little to no official documentation, but you can check out the WWDC video here https://developer.apple.com/videos/wwdc/2015/?id=717