
Configuring Burp to proxy traffic from mobile apps


In this blog post, I'll explore how to configure Burp to proxy traffic from mobile apps to assist with the security testing of mobile applications.

Getting started

To get started, a few prerequisites are needed:

  1. Windows OS

    An up-to-date Windows OS with Android Debug Bridge (adb) installed.

  2. Kali VM

    An up-to-date Kali VM with Android Debug Bridge (adb) installed (run sudo apt-get install adb).

  3. Burp Suite

    An up-to-date Burp Suite.

  4. Mobile Device

    A rooted Android device (in this example I'm using a rooted Nexus 5X running LineageOS).

Configuring the Burp listener

  1. Open up Burp
  2. Setup listener

    Navigate to Proxy > Proxy settings > Proxy listeners, then Add a new proxy listener and bind it to port 8081 across All interfaces.

    Setup Burp listener

Connecting the mobile device

  1. Connect mobile device via USB

    Connect the Android mobile device (in this example I'm using a rooted Nexus 5X running LineageOS) via a USB data cable.

  2. Configure the USB connection

    On the device, navigate to Settings > Connected devices > USB and select Transfer files.

    Configure USB connection

Mirroring the mobile device to desktop

  1. Download and install Vysor

    You can download Vysor from here.

  2. Run Vysor

    Open Vysor and select the View Device button with a play icon.

    Run Vysor

    Your Android mobile device should now be mirrored to your computer screen.

If Vysor cannot find your device, follow the steps below:
  (a) Restart your mobile device and restart your computer.
  (b) Make sure you are using a USB data cable. Charge cables will not always allow data transfer over USB.
  (c) On Windows, download the Universal ADB Drivers. If that doesn't work, try installing your manufacturer's drivers.
  (d) Enable ADB debugging on the mobile device.
  (e) Set your mobile device USB mode to PTP (it is usually MTP or Charge Only).


Configuring the mobile device proxy

  1. Configure the mobile device network

    On your Android mobile device, navigate to Settings > Network & Internet > Wi-Fi and select the access point you wish to connect to. Then select Advanced options and set the Proxy to Manual.

    If you're already connected to the access point before starting this step, ensure you first select Forget network.

  2. Configure the mobile device proxy

    The proxy settings should be set as follows:

      (a) Proxy hostname = The IP address of the device running Burp which you wish to proxy traffic through
      (b) Proxy port = The port we set earlier, which is 8081

    Example:

    Mobile proxy settings

    (c) Now click CONNECT

Exporting the CA Certificate

Burp is now configured to intercept the Android mobile device's traffic, but without a valid CA certificate in place it will be unable to decrypt HTTPS traffic.

  1. Export the CA certificate

    Open Burp and navigate to Proxy > Proxy settings > Proxy listeners, then select the Import / export CA certificate button.

  2. Select the CA certificate format

    Export the CA certificate in DER format. In this example we will name it cacert.der.

    DER format CA certificate

Converting the CA certificate format

  1. Convert the DER file into PEM

    Now we need to convert the DER file into PEM format for Android and name the file after the certificate's subject_hash_old value with .0 appended. To achieve this, we can move the cacert.der file over to a Kali VM and execute the following commands:

    # Convert the exported DER certificate to PEM
    openssl x509 -inform DER -in cacert.der -out cacert.pem
    # Print the subject_hash_old value Android uses as the filename
    openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
    # Rename the PEM file to <hash>.0, substituting the value printed above
    mv cacert.pem [hash].0

    Example:

    DER format CA certificate

  2. Move the PEM file to the mobile device

    Now we need to move the newly created PEM file over to the Android mobile device's /system filesystem. To achieve this we can leverage the following adb commands:

    # Restart adbd with root privileges (works on rooted builds such as LineageOS)
    adb root
    # Remount /system read-write
    adb remount
    # Copy the renamed certificate to the device
    adb push [cert].0 /sdcard/

    # Move it into the system CA store and set the permissions the other CA files use
    adb shell
    mv /sdcard/[cert].0 /system/etc/security/cacerts/
    chmod 644 /system/etc/security/cacerts/[cert].0
    exit

    # Reboot so the system trust store picks up the new certificate
    adb reboot

    Example:

    DER format CA certificate
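The filename Android expects is OpenSSL's subject_hash_old: the first four bytes of the MD5 of the DER-encoded subject name, read as a little-endian integer and printed as eight hex digits. The following added example (not from the original post) computes that name directly from Burp's exported cacert.der without OpenSSL, which is useful for checking the renamed file before pushing it; the certificate bytes in it are a constructed skeleton, not a real Burp certificate.

```python
import hashlib
import struct

def _tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_der(cert_der):
    """Return the raw DER of the subject Name inside an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)                       # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)                     # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                # skip serialNumber, signature, issuer, validity
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)                     # subject Name
    return cert_der[pos:end]

def hash_from_digest(md):
    """X509_NAME_hash_old: first 4 MD5 bytes as a little-endian int, 8 hex digits."""
    return "%08x" % struct.unpack("<I", md[:4])[0]

def name_hash_old(name_der):
    return hash_from_digest(hashlib.md5(name_der).digest())

def android_filename(cert_der):
    """Filename Android expects in /system/etc/security/cacerts/ (subject_hash_old + '.0')."""
    return name_hash_old(subject_der(cert_der)) + ".0"

def _enc(tag, payload):                  # tiny DER encoder, only for the constructed sample
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def _name(cn):                                           # Name = SEQUENCE { SET { CN AVA } }
    ava = _enc(0x30, _enc(0x06, bytes.fromhex("550403")) + _enc(0x0C, cn.encode()))
    return _enc(0x30, _enc(0x31, ava))

# Constructed sample (not a real Burp certificate): an unsigned certificate skeleton
SAMPLE_SUBJECT = _name("PortSwigger CA")
SAMPLE_DER = _enc(0x30, _enc(0x30,
    _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")           # version v3, serial
    + _enc(0x30, _enc(0x06, bytes.fromhex("2A864886F70D01010B")))   # sha256WithRSA OID
    + _name("Burp Test Issuer")                                     # issuer
    + _enc(0x30, _enc(0x17, b"240101000000Z") + _enc(0x17, b"340101000000Z"))
    + SAMPLE_SUBJECT + _enc(0x30, b"")) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```

For the real file, call android_filename(open("cacert.der", "rb").read()) and compare the result with the name produced by the openssl commands above.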

Verifying the CA certificate is installed

  1. Verify the certificate installation

    Once restarted, the CA certificate should be installed on the Android mobile device. This can be verified by navigating to Settings > Security & privacy > Encryption & credentials > Trusted credentials and searching the System tab to confirm the CA certificate from PortSwigger is present.

    PortSwigger CA certificate

ABOUT THE AUTHOR

Jacob Riggs

Jacob Riggs is a senior cyber security professional based in the UK with over a decade of experience working to improve the cyber security of various private, public, and third sector organisations. His contributions focus on expanding encryption tools, promoting crypto-anarchist philosophy, and pioneering projects centred on leveraging cryptography to protect the privacy and political freedoms of others.

E3FE 4B44 56F5 69BE 76C1 E169 E3C7 0A52 9AEF DB6F
