Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

iOS Testing - Burp active but not able to see HTTP requests

Ignacio | Last updated: Mar 02, 2022 06:00PM UTC

Hello, I recently had to test an iOS application downloaded from the App Store. First, I configured the certificate in my testing device and confirmed that Burp was working correctly by seeing HTTPS traffic in the History tab. Also, I ran the application without issues and used it for a while (login, logout, registered a new account, etc.) to generate traffic. My problem is that although I could see HTTPS requests, I couldn't intercept the main requests addressed to the application's endpoint. All I could see were some requests addressed to iTunes and to an analytic service. There are no signs of SSL pinning either, as I didn't observe any communication error in the dashboard. This makes me scratch my head, as I can't understand what I am missing here. I can see every request except the ones that are from the application. What would you do next to understand this issue? How would you inspect the traffic deeper within an iOS device?

Ben, PortSwigger Agent | Last updated: Mar 03, 2022 08:44AM UTC

Hi Ignacio, It sounds like the app that you are trying to test is publicly available from the app store - is that correct? If so, can you let us know what the app is called and we can take a look at this for you. A few things to consider in the meantime - Is the app definitely using the HTTP protocol for communication? Is it possible that the app is not adhering to the system proxy and is sending requests directly?

Ignacio | Last updated: Mar 03, 2022 08:38PM UTC

Hey Ben, Sure, the application is called 'Rec Room - Play with friends!', and it's available on many platforms, including iOS and Android. I can't guarantee that it uses only the HTTP protocol, but I was presuming this based on their REST API (rec-room.fandom.com/wiki/Current_Api_Documentation). I guess it is a possibility that they may be sending the HTTP requests directly, but I'm uncertain how to check that. Thanks

Ben, PortSwigger Agent | Last updated: Mar 04, 2022 02:12PM UTC

Hi Ignacio, I will see if I can obtain the app in question and take a look. If you have setup your proxy and it is working for HTTP/S browser traffic without any errors then that would suggest the integrity of your initial setup/connection is good. If, with the proxy settings in place, the app functions as expected but you do not see any traffic in Burp then that would likely suggest one of two things. Either the app is not communicating via HTTP and Burp is simply not interested in the traffic being generated or the app is not using the system proxy when issuing requests. If the app is working as expected then obviously any requests that the app is making are reaching the target destination (by virtue of the fact the app is working as expected). There are some development frameworks that do not necessarily adhere to the system proxy settings by default and require the developers to specifically allow this (Flutter being one such framework).

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.