HTTP(S) Proxy for Android
Intercept traffic going from and to an emulated Android device with Burp Suite
Last updated
Intercept traffic going from and to an emulated Android device with Burp Suite
Last updated
When you have an Android emulator set up in Android Studio, you can change some settings to be able to intercept traffic in a Proxy like Burp Suite. This can be really useful when you want to view or test web functionality that an app uses, as this might reveal interesting vulnerabilities because developers might not expect the app to be reverse-engineered in this way.
All information is taken from .
The first step is to get a certificate file from Burp Suite, to be able to intercept encrypted HTTPS traffic as well.
Open Burp Suite, and go to Proxy -> Options. From there click the Import/export CA certificate button, and choose for exporting a Certificate in DER format. You should save it with the name: cacert.der.
Here we change the format of the certificate to one that Android expects. Simply run the following command:
This will create a cacert.pem file, from which we will need the issuer hash value. We can get this with a simple command like this:
Your hash may be different, but you simply have to append .0 to it to get the correct filename:
Make sure to use an API version < 29 (Android 10) to avoid issues with permissions on the /system folder
In this step, we need to move the certificate from our machine to the Android device. To do this, we need to set a -writable-system flag on the device. On Android Studio the location of the enumator tool is one of the following:
Windows: %LOCALAPPDATA%\Android\sdk\emulator\emulator.exe
Linux: /usr/share/android-sdk/emulator/emulator
or: ~/Android/Sdk/emulator/emulator
Use this tool to set this flag on your device:
Now that the /system folder it writable, we will put the certificate in the /system/etc/security/cacerts folder:
Finally, reboot the device to apply the changes:
To verify if this worked, you can start the device again in Android Studio and look at Settings -> Security -> Trusted Credentials which should show PortSwigger now:
Finally, you can make any traffic on your emulated device and it should show up in the Burp Suite HTTP history, as well as being able to intercept and change traffic.
If your Burp Suite proxy is not on localhost (127.0.0.1), you will need to set a different Host name and also edit the Proxy Listener from its Options menu. For Bind to address choose All interfaces to allow connections from anywhere. In this case, also make sure that your firewall is not blocking the listening port.
This will start the phone, with a writable system directory. Now we can place the created certificate there with :
Another way to install the certificate manually without root ADB access can be found (tested for Android 11)
Now that this is set up, you can visit the settings of the device by clicking the three dots and visiting Settings -> Proxy. Here you can set a Manual proxy configuration to the hostname and port of your proxy:
