HTTP(S) Proxy for Android

Intercept traffic going from and to an emulated Android device with Burp Suite

When you have an Android emulator set up in Android Studio, you can change some settings to be able to intercept traffic in a Proxy like Burp Suite. This can be really useful when you want to view or test web functionality that an app uses, as this might reveal interesting vulnerabilities because developers might not expect the app to be reverse-engineered in this way.

Setup

All information is taken from this article by secabit.

Export CA Certificate

The first step is to get a certificate file from Burp Suite, to be able to intercept encrypted HTTPS traffic as well.

Open Burp Suite, and go to Proxy -> Options. From there click the Import/export CA certificate button, and choose for exporting a Certificate in DER format. You should save it with the name: cacert.der.

Convert the Certificate

Here we change the format of the certificate to one that Android expects. Simply run the following command:

$ openssl x509 -inform DER -in cacert.der -out cacert.pem

This will create a cacert.pem file, from which we will need the issuer hash value. We can get this with a simple command like this:

$ openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
9a5ba575

Your hash may be different, but you simply have to append .0 to it to get the correct filename:

$ mv cacert.pem 9a5ba575.0

Install the Certificate on Android

Make sure to use an API version < 29 (Android 10) to avoid issues with permissions on the /system folder

In this step, we need to move the certificate from our machine to the Android device. To do this, we need to set a -writable-system flag on the device. On Android Studio the location of the enumator tool is one of the following:

  • Windows: %LOCALAPPDATA%\Android\sdk\emulator\emulator.exe

  • Linux: /usr/share/android-sdk/emulator/emulator or: ~/Android/Sdk/emulator/emulator

Use this tool to set this flag on your device:

$ emulator -list-avds
PixelXL27
$ emulator -avd PixelXL27 -writable-system

This will start the phone, with a writable system directory. Now we can place the created certificate there with ADB:

$ adb root  # Start ADB daemon as root
restarting adbd as root
$ adb remount  # Remount /system to update read-only to writable
remount succeeded

Now that the /system folder it writable, we will put the certificate in the /system/etc/security/cacerts folder:

$ adb push 9a5ba575.0 /system/etc/security/cacerts  # Copy the file onto the device
$ adb shell "chmod 664 /system/etc/security/cacerts/9a5ba575.0"  # Set the correct permissions

Finally, reboot the device to apply the changes:

$ adb reboot

To verify if this worked, you can start the device again in Android Studio and look at Settings -> Security -> Trusted Credentials which should show PortSwigger now:

Another way to install the certificate manually without root ADB access can be found in this article (tested for Android 11)

Connecting to the Proxy

Finally, you can make any traffic on your emulated device and it should show up in the Burp Suite HTTP history, as well as being able to intercept and change traffic.

If your Burp Suite proxy is not on localhost (127.0.0.1), you will need to set a different Host name and also edit the Proxy Listener from its Options menu. For Bind to address choose All interfaces to allow connections from anywhere. In this case, also make sure that your firewall is not blocking the listening port.

Last updated