Proxy Android Apps through Burp for Mobile Assessments

I've had to proxy Android apps through Burp for engagements quite a few times, and I wanted to share how simple it is.

Android Apps through Burp - Introduction

When performing a mobile application security assessment, Burp makes life a lot easier. That said, proxying Android apps through Burp isn't always obvious, even though the process itself is fairly simple.

While I won't cover ADB usage much here, you can find more examples in my Android Game Hacking post.

Preparing the Connection

First, you'll need to connect your Android device to the computer you wish to proxy through.

Next, you'll want to set up a reverse port-forward from your phone to your computer, using adb reverse.

This will forward anything on your phone that attempts to connect to localhost:8123 to port 8123 on the connected computer.

root@kali:~$ adb reverse tcp:8123 tcp:8123

With the reverse forward set up, you'll want to configure the Android proxy settings so they point at localhost:8123. To do this, go to your network connections, edit the connection, and show the advanced options.

Android Apps Through Burp - Proxy Setup

Burp Configuration

Once you've set up the Android device, you'll need to configure Burp as well.

First, configure a proxy listener to listen on port 8123 (or any port of your choosing).

Android Apps Through Burp - Burp config

Once this is in place, you can see and sniff HTTP connections!

Android Apps Through Burp - Burp connection

Certificate Configuration

If you want to intercept HTTPS connections, then you will need to perform a few more steps.

Android Apps Through Burp - SSL Error

First, you will need to install the Burp certificate on your device.

Note that you will likely need to move and rename the downloaded file before you can install it.

root@flo:/ # mv sdcard/Download/cacert.der sdcard/Download/cacert.cer

After the move and rename, you can follow PortSwigger's directions and install the certificate on your device.

Android Apps Through Burp - Certificate install

With this installed, you can intercept and modify HTTPS connections!

Android Apps Through Burp - HTTPS Interception
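The steps above collected into a small setup/teardown script, as an added example that is not the post's own code. It assumes the variable names ADB, PORT and CERT, sets the device proxy with adb shell settings instead of through the Wi-Fi settings UI, and adds a teardown so the proxy is not left pointing at a laptop that is no longer connected:

```shell
#!/bin/sh
# Added example: re-runnable wrapper around the post's procedure
# (adb reverse, device proxy, Burp CA push). ADB, PORT and CERT are
# assumed names; override them in the environment as needed.
ADB="${ADB:-adb}"
PORT="${PORT:-8123}"
CERT="${CERT:-cacert.der}"          # Burp CA as exported from the proxy
REMOTE_DIR=/sdcard/Download

# Reverse-forward the device port to the same port on the host and point
# the device's global HTTP proxy at it, so apps that honour the system
# proxy reach the Burp listener.
setup_proxy() {
  "$ADB" reverse "tcp:$PORT" "tcp:$PORT" || return 1
  "$ADB" shell settings put global http_proxy "127.0.0.1:$PORT" || return 1
}

# Copy the CA to the device already renamed to .cer, which is the manual
# mv from the post, so the Settings installer accepts it.
push_cert() {
  [ -f "$CERT" ] || { echo "missing $CERT" >&2; return 1; }
  "$ADB" push "$CERT" "$REMOTE_DIR/cacert.cer"
}

# Show what is configured, so a stale proxy from an earlier session is obvious.
show_state() {
  "$ADB" reverse --list
  "$ADB" shell settings get global http_proxy
}

# Undo both changes. A global http_proxy left behind breaks the device's
# networking as soon as the host is unplugged.
teardown_proxy() {
  "$ADB" shell settings put global http_proxy :0
  "$ADB" reverse --remove "tcp:$PORT"
}

case "${1:-}" in
  setup)    setup_proxy && push_cert && show_state ;;
  teardown) teardown_proxy ;;
  status)   show_state ;;
  *)        : ;;   # no argument: only define the functions
esac
```

Run it as `./burp-proxy.sh setup` before the engagement and `./burp-proxy.sh teardown` afterwards.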

Android Apps through Burp - Conclusion

While this is a fairly simple process, it still helps to have the steps laid out.

I don't have to do a lot of mobile assessments, but I have to do these steps every time we wipe one of our devices.

If you wanted to test on real devices, then this could make certs like the eMAPT even more interesting!

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.


Filed under Security Not Included

3 Responses to Proxy Android Apps through Burp for Mobile Assessments

  1. Jason Ford

    Hey mate

    While this process is quite straightforward and I can follow it through to intercept web browsing, apps appear to be a different story.
    The problem I'm having, which I'm hoping you could address, is what to do when apps have certificate pinning enabled and will NOT allow User Certificates.

    I've been through rabbit holes of editing the App Manifest within the APK and repackaging it, to no avail.

    Mind shedding some light here?
    Cheers
    JF

    • Jason Ford

      This is my Event Log from Burp showing the failed SSL negotiation https://imgur.com/a/9ZDQvbT

    • Hey JF,

      Yea, those errors are normally going to be due to cert pinning. It will definitely vary from app to app, but you will have to find a way to disable or bypass it.

      The two easiest options are to either edit the smali and remove the functionality (hopefully I can blog about this as well), or root the device and disable cert pinning.
