I’ve had to proxy Android apps through Burp for engagements quite a few times, and I wanted to share how simple it is.
Android Apps through Burp – Introduction
When performing a mobile application security assessment, Burp makes life a lot easier. That said, proxying Android apps through Burp isn’t always obvious, even though the steps themselves are fairly simple.
While I won’t cover ADB usage much here, you can find more examples in my Android Game Hacking post.
Preparing the Connection
First, you’ll need to connect your Android device to the computer you wish to proxy through.
Next, you’ll want to set up a reverse port-forward from your phone to your computer, using adb reverse.
This will forward anything on your phone that attempts to connect to localhost:8123 to the same port on the connected computer.
$ adb reverse tcp:8123 tcp:8123
With the reverse forward set up, you’ll want to configure the Android proxy settings. To do this, go to your network connections, edit the connection, and show the advanced options. The proxy there should point at localhost:8123, the address forwarded above.
Once you’ve set up the Android device, you’ll need to configure Burp as well.
First, configure a proxy listener to listen on port 8123 (or any port of your choosing).
Once this is in place, you can see and sniff HTTP connections!
If you want to intercept HTTPS connections, then you will need to perform a few more steps.
First, you will need to install the Burp certificate on your device.
Note that you will likely need to move and rename the downloaded file before you can install it.
# mv /sdcard/Download/cacert.der /sdcard/Download/cacert.cer
After the move and rename, you can follow Portswigger’s directions, and install the certificate to your device.
With this installed, you can intercept and modify HTTPS connections!
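The connection steps above can be scripted and checked, as in this added example (not from the original post). It assumes adb is on the PATH and sets the proxy with `settings put global http_proxy` rather than through the Wi-Fi settings screen used above; the function names and the sample `adb reverse --list` lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: set up, verify and tear down the device-side proxy path.
PORT="${PORT:-8123}"   # port used in the post; override with PORT=...

# has_reverse PORT: reads `adb reverse --list` output on stdin and succeeds
# if device-side tcp:PORT is forwarded to tcp:PORT on the host.
# Constructed sample line: "(reverse) tcp:8123 tcp:8123"
has_reverse() {
    awk -v p="tcp:$1" '$2 == p && $3 == p { found = 1 } END { exit !found }'
}

# proxy_ok PORT VALUE: succeeds if VALUE (the device's global http_proxy
# setting) points at the loopback address on PORT.
proxy_ok() {
    case "$2" in
        "localhost:$1"|"127.0.0.1:$1") return 0 ;;
        *) return 1 ;;
    esac
}

setup() {
    adb reverse "tcp:$PORT" "tcp:$PORT" || return 1
    adb shell settings put global http_proxy "localhost:$PORT" || return 1
    adb reverse --list | has_reverse "$PORT" ||
        { echo "reverse forward for tcp:$PORT is missing" >&2; return 1; }
    current=$(adb shell settings get global http_proxy | tr -d '\r')
    proxy_ok "$PORT" "$current" ||
        { echo "device proxy is '$current', expected localhost:$PORT" >&2; return 1; }
    echo "device traffic now goes to the host listener on port $PORT"
}

# Undo both changes so the device is not left pointing at a dead proxy.
teardown() {
    adb shell settings put global http_proxy :0
    adb reverse --remove "tcp:$PORT"
}

case "${1:-}" in
    setup)    setup ;;
    teardown) teardown ;;
esac
```

Run it with `setup` before testing and `teardown` afterwards; apps that honour the proxy setting will fail to connect once the forward is gone.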
Android Apps through Burp – Conclusion
While this is a fairly simple process, it still helps to have the steps laid out.
I don’t have to do a lot of mobile assessments, but I have to do these steps every time we wipe one of our devices.
If you wanted to test on real devices, then this could make certs like the eMAPT even more interesting!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.