Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Intercept mobile app traffic with VPN activated

Verónica | Last updated: May 19, 2020 05:53AM UTC

I'm trying to intercept API calls from mobile app. The issue here is both ios/Android apps using vpn to connect to the server, so communication between them and burpsuite does not exist. Is there a way to configure this?

Michelle, PortSwigger Agent | Last updated: May 19, 2020 11:56AM UTC

Could you tell us a bit more about your scenario and some more detail on the tests you want to set up?

Verónica | Last updated: May 31, 2020 05:29PM UTC

here you can see how I set the env up https://blog.qiscus.com/2019/03/08/use-burp-suite-mobile-app-testing/ all worked as expected but, as mobile app needs VPN to access server, as soon as I activate it, API calls stop being intercepted by Burpsuite

Verónica | Last updated: May 31, 2020 05:29PM UTC

here you can see how I set the env up https://blog.qiscus.com/2019/03/08/use-burp-suite-mobile-app-testing/ all worked as expected but, as mobile app needs VPN to access server, as soon as I activate it, API calls stop being intercepted by Burpsuite

Michelle, PortSwigger Agent | Last updated: Jun 01, 2020 02:10PM UTC

Is the VPN client running on the mobile device or on the system running Burp? Does the VPN use split tunnelling or does it enforce full tunnel mode?

Verónica | Last updated: Jun 01, 2020 06:04PM UTC

I have two apps to test with. One of them needs VPN client running on the mobile device and the other is running where BurpS is. My first prio is the one with VPN running on mobile device. I would say it's full tunnel mode, but I'm not 100% sure, how could I verify that?

Michelle, PortSwigger Agent | Last updated: Jun 02, 2020 10:31AM UTC

You may be able to find a reference to whether the VPN client is using split tunnel or full tunnel mode in the client itself or you may need to contact the people who administer the VPN. Usually, it is best to have the VPN on the device that Burp is installed on to avoid complications with how the traffic is being routed, so it may be easiest to perform troubleshooting on that application first. Have you tried using the browser on the mobile device to confirm how traffic is being routed and whether traffic is intercepted by Burp?

Jackbanks | Last updated: Jun 04, 2020 11:16AM UTC

Express VPN works best for me. There support is so good and I never had a problem streaming Netflix or Disney plus with it.

Jackbanks | Last updated: Jun 07, 2020 05:23PM UTC

I also suggest all my friends reading this review <a href="https://webguidevpn.com/best-vpn-for-canada/">webguidevpn.com/best-vpn-for-canada/</a> about VPN before installing and buying.

Jackbanks | Last updated: Jun 07, 2020 05:23PM UTC

[url]webguidevpn.com/best-vpn-for-canada/[/url]

Verónica | Last updated: Jun 08, 2020 09:47AM UTC

I managed to recreate the scenario using an app without VPN needed but, according to https://portswigger.net/support/configuring-an-android-device-to-work-with-burp, it seems this only works when user tries to route traffic from web application in device, not from android APP

Verónica | Last updated: Jun 08, 2020 09:47AM UTC

I managed to recreate the scenario using an app without VPN needed but, according to https://portswigger.net/support/configuring-an-android-device-to-work-with-burp, it seems this only works when user tries to route traffic from web application in device, not from android APP

Michelle, PortSwigger Agent | Last updated: Jun 08, 2020 02:41PM UTC

Could you talk us through the steps you took to set things up and what problems you had? Was the android APP here one of the ones that uses a VPN or a different one?

Chaitanya | Last updated: May 06, 2021 10:50AM UTC

I have a client VPN that is required to run a application on my iOS device, Once I start intercepting the traffic as mentioned above I'm unable to capture the traffic on burp suite. Can anyone help me on this.

Chaitanya | Last updated: May 06, 2021 10:50AM UTC

I have a client VPN that is required to run a application on my iOS device, Once I start intercepting the traffic as mentioned above I'm unable to capture the traffic on burp suite. Can anyone help me on this.

Michelle, PortSwigger Agent | Last updated: May 06, 2021 02:20PM UTC

Is the VPN running on the same iOS device as the application? Could the VPN be moved so that it is running on the same device as Burp, so the traffic could be encrypted and sent down the VPN tunnel once it had passed through Burp?

Chaitanya | Last updated: May 10, 2021 12:49PM UTC

Yes the VPN is on the same mobile device. I tried to install the vpn to the device where burp is running. This did not work.

Michelle, PortSwigger Agent | Last updated: May 11, 2021 07:39AM UTC

If the VPN on the mobile device tunnels all traffic via the VPN tunnel then the mobile device will not be able to re-route the traffic via Burp on the other machine. Could the VPN be installed on the same device as Burp so that traffic can be sent from the mobile device to Burp and then via the VPN?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.