diff --git a/src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md b/src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md index ec1c8182b4f..83c73cfc239 100644 --- a/src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md +++ b/src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md 
@@ -54,6 +54,34 @@ Notes: - If you use Burp, enable **Proxy --> Options --> Edit listener --> Request handling --> Support invisible proxying**. - `mitmproxy` can be used in the same layout if it is bound to the VPN listener IP and transparent-mode requirements are satisfied. +### Flutter iOS apps that ignore the system proxy + +Some **Flutter-based iOS applications** do not send traffic through the usual iOS Wi-Fi proxy settings because their networking lives inside **Dart `HttpClient` / BoringSSL** instead of the common native `NSURLSession` stack. In that situation, installing the Burp CA and configuring the Wi-Fi proxy can fail even on **non-jailbroken** devices. + +A practical workaround is to move interception **below the app proxy layer** and force the traffic through a **VPN-style proxy app** (for example, **Potatso**) that forwards device traffic to Burp. This recovers visibility when the app bypasses the explicit proxy configuration, but it is still **not a universal certificate-pinning bypass**: if the Flutter app performs hardcoded certificate/public-key validation, you will still need patching or instrumentation. + +Typical workflow: + +1. First try the normal iOS Wi-Fi proxy + trusted Burp CA setup. +2. If the Flutter app still does not appear in Burp, create a **manual HTTP proxy profile** in Potatso pointing to your Burp listener: + + ```text + Type: HTTP + Host: + Port: + ``` + +3. Connect the device through that Potatso profile so traffic is routed via the VPN/network layer instead of relying on the app to honor iOS proxy settings. +4. In Burp, enable **Proxy --> Options --> Edit listener --> Request handling --> Support invisible proxying** on that listener. +5. Relaunch the target Flutter app and confirm whether requests now reach Burp. + +Notes: + +- This is mainly useful for **Flutter apps that ignore the explicit system proxy**; it complements, but does not replace, CA installation and classic SSL-pinning bypasses. 
+- Potatso currently supports **manual HTTP(S)/SOCKS-style upstream proxy definitions** and, per the App Store listing used for this note, **requires iOS 17.0 or later**. +- If the target device runs an older iOS release, the technique still applies conceptually with any equivalent **VPN-based transparent forwarding tool** that can send device traffic to Burp/mitmproxy. +- Burp invisible proxying matters here because the traffic is **transparently redirected**, so the client is not behaving like a normal proxy-aware browser. + ### Advanced Configuration for Jailbroken Devices For users with jailbroken devices, SSH over USB (via **iproxy**) offers a method to route traffic directly through Burp: @@ -122,6 +150,8 @@ Steps to configure Burp as proxy: ## References +- [Bypassing SSL Pinning in Flutter-Based iOS Applications](https://medium.com/@drhatab/bypassing-ssl-pinning-in-flutter-based-ios-applications-54f420d2f1a1) +- [Potatso App Store listing](https://apps.apple.com/us/app/potatso/id1239860606) - [SSL Pinning Bypass for iOS -- iptables](https://github.com/SahilH4ck4you/iOS-SSL-pinning-bypass-without-jalibreak) - [Invisible proxying - PortSwigger](https://portswigger.net/burp/documentation/desktop/tools/proxy/invisible)
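Review bot: the Potatso profile block in the first hunk has empty values after `Host:` and `Port:`, so the reader cannot tell what goes there; the angle-bracket placeholders were most likely stripped during rendering. Spell the placeholders out in a form that survives markdown, e.g. `Host: [IP address of the machine running Burp]` and `Port: [port of the Burp proxy listener]`, and state in step 2 that the Burp listener must be bound to an interface reachable from the device rather than to loopback, since the whole workaround depends on the device reaching that listener over the network. The same block says `Type: HTTP` while the notes describe "manual HTTP(S)/SOCKS-style upstream proxy definitions"; say explicitly that HTTP is the type to pick for a Burp upstream so the two statements do not read as contradictory.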
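Review bot: the second hunk cites the Potatso App Store listing as the source for the "requires iOS 17.0 or later" statement made in the first hunk, but a store listing's minimum-OS requirement changes with every app update, so the reference entry should carry the date it was consulted (e.g. "Potatso App Store listing (accessed YYYY-MM-DD)") so a later reader can tell whether the requirement still holds. Also, the two new entries are prepended rather than appended; if the list is meant to be in order of addition, move them after the existing two entries.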