Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
I’ve had to proxy Android apps through Burp for engagements quite a few times, and I wanted to share how simple it is.
When performing a mobile application security assessment, Burp makes life a lot easier. That said, the setup for proxying Android apps through Burp isn’t always obvious, even though it is fairly simple.
While I won’t cover ADB usage much here, you can find more examples in my Android Game Hacking post.
First, you’ll need to connect your Android device to the computer you wish to proxy through.
Next, you’ll want to set up a reverse port-forward from your phone to your computer, using adb reverse.
This forwards any connection the phone makes to localhost:8123 to the connected computer, so Burp only needs to listen on the computer itself.
root@kali:~$ adb reverse tcp:8123 tcp:8123
With the reverse forward set up, configure the Android proxy settings so that the proxy points at localhost on port 8123 (the reverse-forwarded port). To do this, go to your network connections, edit the connection, and show the advanced options.
Once you’ve set up the Android device, you’ll need to configure Burp as well.
First, configure a proxy listener to listen on port 8123 (or any port of your choosing).
Once this is in place, you can see and sniff HTTP connections!
If you want to intercept HTTPS connections, then you will need to perform a few more steps.
First, you will need to install the Burp certificate on your device.
Note that you will likely need to move and rename the downloaded file before you can install it.
root@flo:/ # mv sdcard/Download/cacert.der sdcard/Download/cacert.cer
After the move and rename, you can follow PortSwigger’s directions and install the certificate on your device.
With this installed, you can intercept and modify HTTPS connections!
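The steps above, scripted so they survive a device wipe, as an added example that is not part of the original post. It assumes adb is on PATH with one connected device, Burp is listening on port 8123 on this machine, and the Burp CA has already been saved as ~/Downloads/cacert.der; the adb settings command and the script's function names are mine, not the post's.

```shell
#!/bin/sh
# Added example: automates the reverse forward, device proxy and cert copy.
# Assumptions: adb on PATH, one device attached, Burp listener on 127.0.0.1:8123,
# Burp CA downloaded to ~/Downloads/cacert.der (constructed default path).
set -eu

PORT="${PORT:-8123}"
CERT_SRC="${CERT_SRC:-$HOME/Downloads/cacert.der}"
# Android's certificate installer wants a .cer/.crt name, hence the rename.
CERT_DST="/sdcard/Download/burp-cacert.cer"

# Phone-side localhost:$PORT is tunnelled back to this machine's $PORT,
# so the device proxy must point at 127.0.0.1, not the PC's LAN address.
reverse_forward() {
    adb reverse "tcp:$PORT" "tcp:$PORT"
}

# Same effect as the Wi-Fi "Advanced options" proxy fields, without the UI.
set_device_proxy() {
    adb shell settings put global http_proxy "127.0.0.1:$PORT"
}

# ":0" is the value Android stores for "no proxy".
clear_device_proxy() {
    adb shell settings put global http_proxy :0
}

# Copies the Burp CA to the device under a .cer name, ready for
# Settings > Security > Install from storage (user CA store, no root needed).
push_cert() {
    [ -f "$CERT_SRC" ] || { echo "missing $CERT_SRC" >&2; return 1; }
    adb push "$CERT_SRC" "$CERT_DST"
}

# Confirms the tunnel is actually registered before you start testing.
forward_is_set() {
    adb reverse --list | grep -q "tcp:$PORT tcp:$PORT"
}

setup()    { reverse_forward; set_device_proxy; push_cert; forward_is_set; }
teardown() { clear_device_proxy; adb reverse --remove "tcp:$PORT"; }

case "${1:-}" in
    up)   setup ;;
    down) teardown ;;
    "")   ;;  # no argument: only define the functions
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Run it as `./burp-proxy.sh up` before an assessment and `./burp-proxy.sh down` afterwards so the device is not left pointing at a proxy that no longer exists.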
While this is a fairly simple process, it still helps to have the steps laid out.
I don’t have to do a lot of mobile assessments, but I have to do these steps every time we wipe one of our devices.
If you wanted to test on real devices, then this could make certs like the eMAPT even more interesting!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
Hey mate
While this process is quite straightforward and I can follow it through to intercept web browsing, apps appear to be a different story.
The problem I’m having which I’m hoping you could address is what to do when apps have certificate pinning enabled and will NOT allow User Certificates.
I’ve been through rabbit holes of editing the App Manifest within the APK and repackaging it, to no avail.
Mind shedding some light here?
Cheers
JF
This is my Event Log from Burp showing the failed SSL negotiation https://imgur.com/a/9ZDQvbT
Hey JF,
Yea, those errors are normally going to be due to cert pinning. It will definitely vary from app to app, but you will have to find a way to disable or bypass it.
The two easiest options are to either edit the smali and remove the functionality (hopefully I can blog about this as well), or root the device and disable cert pinning.