
HTTP(S) Proxy for Android

Intercept traffic going from and to an emulated Android device with Burp Suite


Last updated 1 year ago

When you have an Android emulator set up in Android Studio, you can change a few settings to intercept its traffic in a proxy like Burp Suite. This is useful when you want to view or test the web functionality that an app uses, and it may reveal interesting vulnerabilities because developers might not expect the app to be reverse-engineered in this way.

Setup

All information is taken from this article by secabit.

Export CA Certificate

The first step is to get a certificate file from Burp Suite, to be able to intercept encrypted HTTPS traffic as well.

Open Burp Suite and go to Proxy -> Options. From there, click the Import/export CA certificate button and choose to export the certificate in DER format. Save it with the name cacert.der.

Convert the Certificate

Here we change the format of the certificate to one that Android expects. Simply run the following command:

$ openssl x509 -inform DER -in cacert.der -out cacert.pem

This will create a cacert.pem file, from which we need the old-style subject hash (for this self-signed CA it is also the issuer hash), because Android uses it as the certificate's filename. We can get it with this command:

$ openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
9a5ba575

Your hash may be different, but you simply have to append .0 to it to get the correct filename:

$ mv cacert.pem 9a5ba575.0
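
What the hash in that filename actually is, as an added example (not from the original page): -subject_hash_old prints the first four bytes of the MD5 of the certificate's DER-encoded subject name, read little-endian, and Android looks system CA certificates up under that name. The Python sketch below computes it directly from DER bytes such as the contents of cacert.der; the function names are my own and the certificate skeleton at the bottom is constructed sample data, not a real CA.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def subject_der(cert):
    """Raw DER bytes of the subject Name inside an X.509 certificate."""
    tag, pos, _ = read_tlv(cert, 0)         # Certificate ::= SEQUENCE
    tag2, pos, _ = read_tlv(cert, pos)      # tbsCertificate ::= SEQUENCE
    if (tag, tag2) != (0x30, 0x30):
        raise ValueError("not a DER certificate (PEM input?)")
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _ in range(4):                      # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("subject Name not found")
    return cert[pos:end]

def android_cacert_filename(cert_der):
    """<hash>.0 name: first 4 MD5 bytes of the subject, little-endian, as %08x."""
    digest = hashlib.md5(subject_der(cert_der)).digest()
    return "%08x.0" % int.from_bytes(digest[:4], "little")

# --- constructed sample: a certificate skeleton (no real key or signature) ---
def tlv(tag, value):
    n = len(value)
    size = bytes([n]) if n < 0x80 else bytes([0x81, n])   # enough for < 256 bytes
    return bytes([tag]) + size + value
def name(cn):                               # Name with one commonName (2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
SUBJECT, ISSUER = name(b"Example Proxy CA"), name(b"Example Issuer")
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
VALIDITY = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ALG + ISSUER
          + VALIDITY + SUBJECT + tlv(0x30, b""))
SAMPLE_CERT = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(android_cacert_filename(SAMPLE_CERT))
```

Because the name depends only on the subject, a file named with the newer -subject_hash value (a different algorithm) will not be found under the expected name.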

Install the Certificate on Android

Make sure to use an API version below 29 (Android 10) to avoid issues with permissions on the /system folder.

In this step, we need to move the certificate from our machine to the Android device. To do this, the emulator has to be started with the -writable-system flag. With Android Studio, the emulator tool is in one of the following locations:

  • Windows: %LOCALAPPDATA%\Android\sdk\emulator\emulator.exe

  • Linux: /usr/share/android-sdk/emulator/emulator or: ~/Android/Sdk/emulator/emulator

Use this tool to set this flag on your device:

$ emulator -list-avds
PixelXL27
$ emulator -avd PixelXL27 -writable-system
$ adb root  # Start ADB daemon as root
restarting adbd as root
$ adb remount  # Remount /system to update read-only to writable
remount succeeded

Now that the /system folder is writable, we will put the certificate in the /system/etc/security/cacerts folder:

$ adb push 9a5ba575.0 /system/etc/security/cacerts  # Copy the file onto the device
$ adb shell "chmod 664 /system/etc/security/cacerts/9a5ba575.0"  # Set the correct permissions

Finally, reboot the device to apply the changes:

$ adb reboot

To verify that this worked, start the device again in Android Studio and look at Settings -> Security -> Trusted Credentials, which should now show PortSwigger.

Connecting to the Proxy

Now that this is set up, you can visit the settings of the device by clicking the three dots and visiting Settings -> Proxy. Here you can set a Manual proxy configuration to the hostname and port of your proxy. Set the Host name and Port number to the correct values where Burp Suite is listening.

Finally, any traffic you generate on the emulated device should show up in the Burp Suite HTTP history, and you can intercept and change it.

If your Burp Suite proxy is not on localhost (127.0.0.1), you will need to set a different Host name and also edit the Proxy Listener from its Options menu. For Bind to address choose All interfaces to allow connections from anywhere. In this case, also make sure that your firewall is not blocking the listening port.

Notes on installing the certificate: starting the emulator with -writable-system starts the phone with a writable system directory, which is what lets us place the created certificate there with ADB. Another way to install the certificate manually without root ADB access can be found in this article (tested for Android 11).