Jump to content

burp suit cert installed... snapchat/facebook app


Recommended Posts

I was board this last weekend. I felt like sniffing some data from my android phone.


So i installed the burp certificate on my samsung s3, witch forced me to setup a pin or password lock on my phone. If you manualy install custom certs on the android then you are forced to use a pin/password to protect the phone...


So, setup some iptable rules to force the traffic on my phone to pass threw a transperint burp suite running on my labtop. 


I first tested the phone webbrowser and worked very well, no obnoxious certificate errors (as expected)... but when I tried to sniff the snapchat app or facebook app it was a nogo...


Any ideas for sniffing the snapchat app or facebook app? Has any one tried?


I removed the pin/password from my phone and reconfigured a simple swipe phone unlock. This automaticly deletes the cert I installed from burp...

Link to comment
Share on other sites

I have not tested those applications that you are referring to, however some applications are implementing certificate pinning. The applications in those cases would stop processing requests is they see that the certificate they receive is not the one expected.

The pinning occurs by having the application check for hard coded values within the certificate. 

In your case, did the application still function correctly when trying to run it through burp? 

From my experience, I use ProxyDroid to set up the address of the machine that is running burp (requires root on device), sounds like you may have a different set up in your environment. 


Link to comment
Share on other sites

iptables -t nat -A PREROUTING -p tcp -s –dport 80,443 -j DNAT –to-destination


my setup is a home built debian based router with iptables. So running the above with a masquerade command will force the source ip(phone) to the destination ip(labtop)


snapchat app was just cut off the data response witch seems to match the description you explained...


However, the Facebook app was functional, no errors on the phone... but burp was not showing any data stream but some alerts and warnings that maybe burp suite decided to allow the traffic threw... I should have took a closer look at the traffic... seems like hsts stream(just a guess)

Link to comment
Share on other sites

Look at any of the talks by Arne Swinnen. He found a slew of issues in the Facebook and Instagram apps and indeed needed to do *something* within Burp, but I can't recall any more what it was. Here's a very recent one:


Link to comment
Share on other sites

I'm not so sure it matters in the situation. As long as traffic makes it to burp or another machine...


I'm looking at this from a pentest situation... if I install a cert on a device, I want to see the traffic in plain text...

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...