Recently I have been attempting several bug bounties through companies such as Bugcrowd, CrowdCurity, etc. For the latest bounty I was ready and waiting as soon as the details became available. However, after reading the details I was slightly disappointed, it was a mobile app. I haven't really gotten into testing of mobile apps and was hoping for a different bounty. Nevertheless I was ready for a bounty and this was a learning opportunity.
First thing I needed to do was map out the API, I searched for any documentation online that might give me some hints. While I didn't find official documentation I did find sample code on Github which leveraged the target API. Github is very useful for OSINT and developers love leaving you clues :).
Next I started looking at basic information I could obtain from the app itself. To do this I used Hopper which now has support for ARM based executables*. Even doing basic strings analysis provided detailed information on the API.
Finally, I needed to see the API in action which meant intercepting requests/responses from the app. This involved hooking my iphone up to Burp Suite. (ZAP should work the same) To configure Burp,
- Set the proxy to listen on the same interface as the network your mobile device is on.
- Configure the iOS device with a HTTP proxy using the details of the device running Burp
- Export the SSL cert from Burp and email it to your iOS device. You can directly install it similar to a profile on the device by simply clicking the attachment in the email. It can also be easily removed the same as a profile.
- Open the target app and you should see activity through the proxy. iOS is really chatty so you may want to filter based on scope of your target API URLs.
Using these methods I was able to successfully map out a fairly complex mobile app API and also learned a lot about iOS apps in general. It's interesting just how much info app owners can collect on you but more on that in another blog post.