In this blog post I want to go through how to set up your Android phone to send its traffic to Burp Suite.
Prerequisites
This tutorial will not go through how to connect your phone for development use. Check the tutorial on the Android Developers website if you haven't done that before.
The phone you use doesn't need to be rooted, but USB debugging needs to be enabled in Developer options.
You should also know the basics of Burp Suite.
My setup:
I'm using a rooted Pixel 6a
Android 13
Ubuntu 22.04.3 LTS
Android Platform Tools downloaded
If you are new to adb, I recommend getting familiar with it first.
Tutorial
Let's just get started then!
Download and install Burp Suite Community
Burp Suite is an application security testing tool built around an intercepting proxy. There is a free Community edition you can use if you don't have a licence.
This tutorial is not going to go through how to use Burp Suite, so you should first familiarize yourself with the application if you are new to it. There are great tutorials on PortSwigger's site that can help you get started.
Make sure Intercept is off in the Proxy tab, otherwise every request from the phone will be held until you forward it manually.
Get Burp certificate
To intercept HTTPS traffic, we need to install Burp's CA certificate on our Android device.
Go to the Proxy tab and choose Proxy settings. Click Import/export CA certificate and choose Certificate in DER format.
Choose a location to save the file in the next window and name it, for example, cert.der.
Convert the cert to a valid format
A DER (Distinguished Encoding Rules) file is a digital certificate stored in binary form. DER is the binary encoding used for X.509 certificates and private keys. In contrast to PEM (Privacy Enhanced Mail) files, DER files do not contain human-readable text markers such as -----BEGIN CERTIFICATE-----.
Using the terminal, go to the location where you saved the DER file and convert it to .pem:
openssl x509 -inform der -in cert.der -out cert.pem
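To make the DER/PEM relationship concrete, here is an added example (not from the original post) that does the same conversion as the openssl command above in pure Python: it validates the outer DER SEQUENCE length, wraps the bytes as a PEM block and decodes it back. The SAMPLE_DER value is a constructed minimal SEQUENCE, not a real Burp certificate.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE containing INTEGER 5. A real
# Burp CA export (cert.der) is a much larger SEQUENCE, but the outer
# structure is identical: tag 0x30, a length, then the body.
SAMPLE_DER = bytes.fromhex("3003020105")


def der_outer_length(der: bytes) -> int:
    """Return the total length of the outer DER SEQUENCE, or raise ValueError.

    DER length is either one byte < 0x80, or 0x8N followed by N big-endian
    length bytes. The total must match the file size exactly, so a truncated
    or text (PEM) file is rejected here instead of failing later on the phone.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected leading 0x30)")
    first = der[1]
    if first < 0x80:
        body_len, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        body_len = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    total = header + body_len
    if total != len(der):
        raise ValueError(f"DER length {total} does not match size {len(der)}")
    return total


def der_to_pem(der: bytes) -> str:
    """Wrap validated DER bytes as a PEM CERTIFICATE block (64-char base64 lines)."""
    der_outer_length(der)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract and decode the first CERTIFICATE block from PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    der_outer_length(der)
    return der


if __name__ == "__main__":
    print(der_to_pem(SAMPLE_DER))
```

Running it on the real cert.der (read the file in binary mode) gives the same PEM text openssl writes; if der_outer_length raises, the export was not a DER file.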
Push the cert to the device
Connect your phone to the computer with a cable and set the phone to file transfer mode. Make sure USB debugging is enabled in Developer options.
You can check all the connected devices by going to the platform-tools folder and running:
./adb devices
That command lists the connected devices and shows their ids:
List of devices attached
331[REDACTED]804 device
If your device is listed with an id and the state device, the connection between the phone and the computer should be ok. If the state is unauthorized instead, accept the USB debugging prompt on the phone and run the command again.
Next, run the following command:
./adb push /path-to-file/cert.pem /sdcard/Download
This command pushes the file to the Download folder on your phone.
If you don't know the path to a file, go to the folder where the file is located and run pwd in the terminal. This command returns the path of the folder you are currently in.
Install cert on device
Open Settings on your phone, search for certificate and go to Install a certificate. Tap CA certificate.
The phone will show a warning, Your data won't be private, and remind you to only install a certificate from an organization you trust. Installing this certificate lets Burp Suite decrypt and display the HTTPS requests sent from the phone, which means sensitive data could also end up in Burp Suite. You shouldn't use your personal phone when you play around with these tools.
Tap Install anyway and locate the cert.pem file we copied to the phone.
Configure the device proxy
On the phone, go to WiFi and tap the network you are connected to. Use the pencil icon (edit button) and go to Advanced options.
Go to Proxy and choose Manual. Enter localhost as the Proxy host and 8080 as the Proxy port. Save the settings.
Configure port forwarding
Sometimes you also need to configure port forwarding to get the proxy working. If the proxy doesn't work, run the following command:
./adb reverse tcp:8080 tcp:8080
adb reverse is a command that exposes a port on your Android device and forwards it to a port on your computer. Now when your phone connects to port 8080 on localhost (the port Burp listens on by default), the connection is routed to port 8080 on your computer, where Burp Suite is listening.
Open a browser and test whether http://example.com and https://example.com work. Both of these requests should now show up in the Burp Suite Proxy tab.
That's it!
I hope this blog post helped you understand how Burp Suite can be set up for use with Android!
Follow me on Instagram @whatminjahacks for a behind-the-scenes look at my work as an Information Security Specialist at 2NS, and to learn more cybersecurity tips and insights!