Configuring Two-Proxy Solution Using mitmproxy for Facebook Mobile Research
As Meta rolled out TLS 1.3 across its mobile applications to increase end-to-end security, some security researchers have discovered that they can no longer intercept traffic from Meta’s mobile apps, such as Facebook, with Burp Suite, even when using Whitehat Settings. While we continue to diagnose this issue (we believe it is related to a JDK bug in TLS record parsing), we wanted to publish a workaround that should allow researchers to use Burp Suite for mobile app testing.
Using mitmproxy as an Alternative Proxy
mitmproxy is a well-known proxy server that can perform many useful functions, including recording proxied traffic, interception, match/replace, and traffic manipulation.
In our testing we found that mitmproxy was able to proxy the traffic from the Facebook mobile app in its default configuration, with no special changes. Purely for traffic inspection, mitmproxy is a fine option for researchers who just want to monitor traffic outside of Burp Suite.
However, we know that many researchers are comfortable with Burp Suite and use its rich plugin ecosystem to build advanced research capabilities. Fortunately, mitmproxy offers a solution for these researchers through its upstream proxy configuration.
Using mitmproxy with Burp as an Upstream Proxy
In this configuration we’re using mitmproxy as a proxy layer which will downgrade incoming TLS 1.3 traffic to TLS 1.2 and then forward it on to Burp. The chain looks like this:
We’ll have the following ports in use:
- mitmproxy will listen on port 8645
- Burp Proxy will listen on port 8646
- The mobile device will connect to the proxy on port 8645
We’ll launch mitmproxy with the following command-line arguments. This will set up a listener on port 8645, and ensure that proxy traffic leaving mitmproxy will use only TLS 1.2 (the traffic being sent to Burp Proxy).
mitmproxy --mode upstream:http://127.0.0.1:8646 --set tls_version_server_min=TLS1_2 --set tls_version_server_max=TLS1_2 --ssl-insecure -p 8645
We’ll configure Burp Proxy on port 8646 as normal.
We’ll configure the Facebook mobile app via Whitehat Settings to “Proxy for Platform API Requests” at <lab machine IP>:8645 (e.g. 10.10.11.159:8645) and ensure cert pinning is disabled with “Allow user installed certificates” enabled. Note that with this configuration the TLS 1.3 setting is not relevant and can be left at the default.
Ensure you install the CA certificate from mitmproxy on the device per these instructions.
Restart the Facebook app and you should see traffic flowing both to mitmproxy as well as to Burp Suite!
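If no traffic shows up, it helps to know which hop of the chain is not answering. The following preflight check is an added example, not part of the original guide or of mitmproxy or Burp: it sends an HTTP CONNECT to each listener and reports the result per hop. The ports are the ones used above; the loopback host, the placeholder target example.com:443 and the function names are assumptions.

```python
import socket

# Ports are the article's; the loopback host is an assumption (run on the lab machine).
CHAIN = [("mitmproxy", "127.0.0.1", 8645), ("Burp Proxy", "127.0.0.1", 8646)]


def probe_connect(host, port, target="example.com:443", timeout=5.0):
    """Send an HTTP CONNECT to a proxy listener and classify the outcome.

    Returns "down" if nothing accepts the TCP connection, "ok" if the
    listener answers with a 2xx status, otherwise the raw status line
    (or "no-response") so the failing hop can be diagnosed.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "down"
    data = b""
    with sock:
        sock.settimeout(timeout)
        request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
        try:
            sock.sendall(request.encode("ascii"))
            # Read only until the end of the status line.
            while b"\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except OSError:
            return "no-response"
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1").strip()
    parts = status_line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].startswith("2"):
        return "ok"
    return status_line or "no-response"


def check_chain(chain=CHAIN, **kwargs):
    """Probe every hop, upstream first, so a dead Burp listener is reported first."""
    return {name: probe_connect(host, port, **kwargs)
            for name, host, port in reversed(chain)}


if __name__ == "__main__":
    for name, result in check_chain().items():
        print(f"{name}: {result}")
```

A result of "down" for Burp Proxy means the listener on 8646 is not running; "down" for mitmproxy means the device has nothing to connect to on 8645.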