Brida: When Burp Suite meets Frida

Critical mobile applications often implement complex security features to protect their data and functionality: periodic challenge-response checks that verify the signature of the application files and block requests sent from outside the mobile application (stopping, for example, web application scanners); encryption of the bodies of POST requests and responses with a combination of symmetric and asymmetric encryption; and custom encryption functions used to encrypt and decrypt critical data. These are all examples of security features that can make the penetration test of a mobile application a very long nightmare.

Brida was created to help the penetration tester/hacker bypass this kind of security feature and quickly reach the core of the target application. Brida is a plugin that acts as a bridge between Burp Suite (the de facto standard tool in web application pentesting) and Frida (a multi-platform dynamic code instrumentation toolkit). Thanks to Brida, it is possible to delegate the management of the security features to the mobile application itself, by calling application functions with Frida directly from Burp Suite.

An example? We want to scan a particular request, but every five requests the backend sends a challenge to the application asking for a response. OK, we can use Brida to ask the mobile application to compute the response and return it to the backend every time we receive the challenge. Another one? The mobile application encrypts all communications with the backend, preventing us from inspecting and modifying traffic. Do we need to reverse all the cryptographic code and implement a complex Burp Suite plugin that decrypts/encrypts requests and responses? No, we can simply use Brida to ask the mobile application to decrypt every request and to encrypt it again after our changes.

MAIN CONFERENCE
Location: Track 1
Date: April 12, 2018
Time: 11:45 am - 12:45 pm
Federico Dotta, Piergiovanni Cipolloni