Proxy Android Apps through Burp for Mobile Assessments

I’ve had to proxy Android apps through Burp for engagements quite a few times, and I wanted to share how simple it is.

Android Apps through Burp – Introduction

When performing a mobile application security assessment, Burp makes life a lot easier. That said, proxying Android apps through Burp isn’t always straightforward, although it is fairly simple.

While I won’t cover ADB usage much here, you can find more examples in my Android Game Hacking post.

Preparing the Connection

First, you’ll need to connect your Android device to the computer you wish to proxy through.

Next, you’ll want to set up a reverse port-forward from your phone to your computer, using adb reverse.

This forwards any connection your phone makes to localhost:8123 to the same port on the connected computer.

$ adb reverse tcp:8123 tcp:8123

With the reverse forward set up, you’ll want to configure the Android proxy settings. To do this, go to your network connections, edit the connection, and show the advanced options. The proxy should point at localhost:8123, the port forwarded above.

[Image: Android Apps Through Burp - Proxy Setup]

Burp Configuration

Once you’ve set up the Android device, you’ll need to configure Burp as well.

First, configure a proxy listener to listen on port 8123 (or any port of your choosing).

[Image: Android Apps Through Burp - Burp config]

Once this is in place, you can see and sniff HTTP connections!

[Image: Android Apps Through Burp - Burp connection]
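The device-side steps above (reverse forward plus proxy setting) as a re-runnable script, with a status check for the case where the forward has dropped but the proxy is still set. This is an added example, not code from the original post: it sets the proxy with `settings put global http_proxy` instead of the Wi-Fi settings screen, and the function names and the `ADB` and `PORT` variables are this example's own.

```shell
#!/bin/sh
# Added example: re-runnable version of the adb steps in this post.
# Assumptions: one device attached over USB, Burp listening on the host at $PORT.
ADB="${ADB:-adb}"      # overridable so the functions can be exercised without a device
PORT="${PORT:-8123}"   # port used in the post

# Create the reverse forward, then point the device's global HTTP proxy at it.
proxy_up() {
    "$ADB" reverse "tcp:$PORT" "tcp:$PORT" || return 1
    "$ADB" shell settings put global http_proxy "localhost:$PORT"
}

# Clear the proxy first, so the device is never left pointing at a dead port.
proxy_down() {
    "$ADB" shell settings put global http_proxy :0
    "$ADB" reverse --remove "tcp:$PORT"
}

# Prints one of:
#   ok          forward present and proxy set
#   no-forward  proxy set but forward gone (e.g. after a replug); device has no connectivity
#   no-proxy    forward present but proxy not set; traffic bypasses Burp
#   down        neither is configured
proxy_status() {
    fwd=no; prx=no
    "$ADB" reverse --list | tr -d '\r' | grep -q "tcp:$PORT tcp:$PORT\$" && fwd=yes
    cur=$("$ADB" shell settings get global http_proxy | tr -d '\r')
    [ "$cur" = "localhost:$PORT" ] && prx=yes
    case "$fwd/$prx" in
        yes/yes) echo ok ;;
        no/yes)  echo no-forward ;;
        yes/no)  echo no-proxy ;;
        *)       echo down ;;
    esac
}

# Usage: script.sh up | down | status
case "${1:-}" in
    up)     proxy_up && proxy_status ;;
    down)   proxy_down ;;
    status) proxy_status ;;
esac
```

Run `status` whenever the device suddenly loses connectivity mid-test; `no-forward` means the forward needs to be re-created with `up`.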

Certificate Configuration

If you want to intercept HTTPS connections, then you will need to perform a few more steps.

[Image: Android Apps Through Burp - SSL Error]

First, you will need to install the Burp certificate on your device.

Note that you will likely need to move and rename the downloaded file before you can install it.

/ # mv sdcard/Download/cacert.der sdcard/Download/cacert.cer

After the move and rename, you can follow PortSwigger’s directions, and install the certificate to your device.

[Image: Android Apps Through Burp - Certificate install]

With this installed, you can intercept and modify HTTPS connections!

[Image: Android Apps Through Burp - HTTPS Interception]

Android Apps through Burp – Conclusion

While this is a fairly simple process, it still helps to have the steps laid out.

I don’t have to do a lot of mobile assessments, but I have to do these steps every time we wipe one of our devices.

If you wanted to test on real devices, then this could make certs like the eMAPT even more interesting!

3 Comments

  1. Hey mate

    While this process is quite straightforward and I can follow it through to intercept web browsing, apps appear to be a different story.
    The problem I’m having which I’m hoping you could address is what to do when apps have certificate pinning enabled and will NOT allow User Certificates.

    I’ve been through rabbit holes of editing the App Manifest within the APK and repackaging it, to no avail.

    Mind shedding some light here?
    Cheers
    JF

    • Hey JF,

      Yea, those errors are normally going to be due to cert pinning. It will definitely vary from app to app, but you will have to find a way to disable or bypass it.

      The two easiest options are to either edit the smali and remove the functionality (hopefully I can blog about this as well), or root the device and disable cert pinning.
