Intercepting HTTP/HTTPS Traffic on Windows Phones

November 15, 2016 by Srinivas

Introduction and Background:

In the previous article of the series, we discussed sideloading concepts associated with Windows Phone 8.1 apps and UWP apps. In this article, we will discuss how to get your phones and emulators ready for intercepting HTTP/HTTPS traffic so that you can proceed with further analysis of the application.

It is common for mobile applications to communicate with web servers over HTTP and HTTPS as part of their functionality. Windows Mobile applications are no different. Assuming that you have a Windows Phone 8.1/UWP application to be tested, this article describes how to intercept its traffic using Burp Proxy.

Note: The screenshots in the next few sections are taken from a Windows Phone 8.1 device, but the same concepts apply to Windows 10 Mobile too.

Proxying HTTP traffic on Windows Phone:

We will begin by configuring our Windows Phone 8.1 device to send all its HTTP traffic to Burp Proxy, which is running on a different machine. First, make sure that your phone and the machine where Burp Suite is running are connected to the same WiFi network.

On your phone, navigate to Settings | WiFi and long-press the WiFi network you are connected to. You should see a screen similar to the one below.

Tap edit and enter the IP address of the machine where Burp is running and the port on which Burp is listening.

Now, switch to Burp Suite and navigate to Proxy | Options.

You should see a window similar to the one below.


Select the entry and click Edit. This will show us the following window.

Select All Interfaces under Bind to address. This ensures that Burp listens for traffic coming from other devices on the network, not only from the machine it runs on.

To test whether everything is working, launch the browser app on your phone and enter the following URL.

http://demo.testfire.net

Switch to Burp Proxy and you should see the request sent by the phone as shown below.

Forward the above request in Burp, and you should see the website loaded in the browser as shown in the figure below.

If any other application is sending HTTP traffic from the device, it can be intercepted and manipulated in a similar fashion.

Intercepting HTTPS traffic on Windows Phone:

Now, try to open https://www.google.com in the same browser and see what happens. You will be greeted with the following screen.

Your browser is yelling that a trusted certificate authority did not issue the security certificate presented by Burp Suite. So, what's the solution? You need to tell your browser that this certificate can be trusted. But how? Let us see it.

On your host machine, configure the Firefox browser to send all its traffic to Burp Proxy. This looks as shown in the figure below.

Now, point your browser to http://burp. This should look as shown below.

Click the CA Certificate button and a certificate will be downloaded as shown in the figure below.

Send this certificate to the Windows Phone device over email, or host it on a simple web server and open it from the phone's browser. When you open this file, you will be prompted to install the certificate as shown below.

Click install and the certificate will be installed on your device.

Ok, what have we done just now?

By default, your phone does not trust the certificate presented by Burp Proxy, because its trust store does not contain Burp's root CA certificate. For the phone to accept SSL connections to Burp without throwing SSL errors, that root CA certificate has to be added, which is why we installed it in the phone's trust store. Your phone now trusts the certificate presented by Burp and should accept it without throwing any errors, as shown in the figure below.

You can intercept and modify the requests in Burp.
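
A preflight check for the setup above, added here as an example and not part of the original article or of Burp Suite: run from a second machine on the same WiFi, it sends the Burp listener the two kinds of request the phone will send, a plain-HTTP GET in absolute form and the CONNECT that precedes every HTTPS handshake. The function names and the file name `preflight.py` are assumptions; the hosts are the article's two test sites.

```python
import socket
import sys

def http_request(host, path="/"):
    # Plain HTTP through a proxy: absolute-form target, so the proxy knows the origin.
    return (f"GET http://{host}{path} HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\n\r\n").encode()

def connect_request(host, port=443):
    # HTTPS through a proxy starts with CONNECT; the TLS handshake only begins
    # after the proxy answers 2xx, which is where Burp presents its own certificate.
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def proxy_probe(proxy_host, proxy_port, request, timeout=5.0):
    """Send one raw request to the listener and return its status line or a diagnosis."""
    try:
        sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    except OSError as exc:
        # Refused or timed out: wrong IP/port, loopback-only binding, or a firewall.
        return f"unreachable ({type(exc).__name__})"
    with sock:
        data = b""
        try:
            sock.sendall(request)
            while b"\r\n" not in data:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            # Listener accepted the connection but is holding the request,
            # e.g. Intercept is on and nobody has clicked Forward yet.
            return "connected, no reply before timeout"
        except OSError as exc:
            return f"connection dropped ({type(exc).__name__})"
    return data.split(b"\r\n", 1)[0].decode("latin-1") or "connected, empty reply"

def preflight(proxy_host, proxy_port, timeout=5.0):
    """Probe both request types the phone will send, using the article's test sites."""
    return {
        "http": proxy_probe(proxy_host, proxy_port,
                            http_request("demo.testfire.net"), timeout),
        "https": proxy_probe(proxy_host, proxy_port,
                             connect_request("www.google.com"), timeout),
    }

if __name__ == "__main__":
    # Usage: python preflight.py <burp-ip> <burp-port>
    for kind, result in preflight(sys.argv[1], int(sys.argv[2])).items():
        print(f"{kind:5} -> {result}")
```

An `unreachable` result points at a listener still bound to loopback, a wrong IP or port, or a host firewall. A status line for both probes means the listener is reachable from the network and the remaining setup is on the phone.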

When configuring proxy settings for emulators, configure them in the Edge browser on your host machine and restart the emulator. The proxy settings configured in Edge will then be applied to the emulators and to all the apps running on the host machine. Apart from this, all the concepts discussed in this article are the same for emulators too.

Conclusion:

In this article, we have discussed how to intercept HTTP/HTTPS traffic on Windows Phones. Though this allows us to intercept the traffic on Windows mobile devices and emulators, adding the root CA certificate to the trust store requires a different process in Windows 10 Desktops. In the next article, we will discuss how to intercept HTTP/HTTPS traffic of Universal Windows Platform apps on a desktop machine.

Srinivas

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds the Offensive Security Certified Professional (OSCP) certification. He blogs at www.androidpentesting.com. Email: srini0x00@gmail.com