HTTP(S) Proxy for Android
Intercept traffic going from and to an emulated Android device with Burp Suite
When you have an Android emulator set up in Android Studio, you can change some settings to be able to intercept traffic in a Proxy like Burp Suite. This can be really useful when you want to view or test web functionality that an app uses, as this might reveal interesting vulnerabilities because developers might not expect the app to be reverse-engineered in this way.
Setup
All information is taken from this article by secabit.
Export CA Certificate
The first step is to get a certificate file from Burp Suite, to be able to intercept encrypted HTTPS traffic as well.
Open Burp Suite, and go to Proxy -> Options. From there click the Import/export CA certificate button, and choose for exporting a Certificate in DER format. You should save it with the name: cacert.der
.
Convert the Certificate
Here we change the format of the certificate to one that Android expects. Simply run the following command:
This will create a cacert.pem
file, from which we will need the issuer hash value. We can get this with a simple command like this:
Your hash may be different, but you simply have to append .0
to it to get the correct filename:
Install the Certificate on Android
Make sure to use an API version < 29 (Android 10) to avoid issues with permissions on the /system
folder
In this step, we need to move the certificate from our machine to the Android device. To do this, we need to set a -writable-system
flag on the device. On Android Studio the location of the enumator
tool is one of the following:
Windows:
%LOCALAPPDATA%\Android\sdk\emulator\emulator.exe
Linux:
/usr/share/android-sdk/emulator/emulator
or:~/Android/Sdk/emulator/emulator
Use this tool to set this flag on your device:
This will start the phone, with a writable system directory. Now we can place the created certificate there with ADB:
Now that the /system
folder it writable, we will put the certificate in the /system/etc/security/cacerts
folder:
Finally, reboot the device to apply the changes:
To verify if this worked, you can start the device again in Android Studio and look at Settings -> Security -> Trusted Credentials which should show PortSwigger now:
Another way to install the certificate manually without root ADB access can be found in this article (tested for Android 11)
Connecting to the Proxy
Finally, you can make any traffic on your emulated device and it should show up in the Burp Suite HTTP history, as well as being able to intercept and change traffic.
If your Burp Suite proxy is not on localhost (127.0.0.1), you will need to set a different Host name and also edit the Proxy Listener from its Options menu. For Bind to address choose All interfaces to allow connections from anywhere. In this case, also make sure that your firewall is not blocking the listening port.
Last updated