Whether you're looking for vulnerabilities, shady and potentially malicious behavior or just lurking around, being able to intercept network communications while dissecting an app is usually a must. Here's how to do it.
Prerequisites
- A rooted Android device/emulator with USB debugging enabled
- Burp Suite (the community edition is free to download)
Install Burp's certificate as a system trusted CA
- Export Burp's CA certificate in DER format and save it as cacert.der
- Convert it from DER to PEM:
Android system certificates are stored in PEM format and are named after the certificate's old-style subject hash, following the convention <subject_hash_old>.0. Open the terminal and run the following lines one by one to convert the certificate to the correct format with the correct name:
openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
mv cacert.pem <output_from_above>.0
- Mount your Android device as system writable
Since we're going to write to system-level directories, the /system partition has to be remounted read-write. This can be done with the following commands:
adb root
adb remount
Note that if you're using an emulator, you will need to start it with the -writable-system flag before doing this, for example:
emulator @Pixel_4a_API_32 -writable-system
- Push your certificate to the device
To do this just run the following:
adb push <your_certificate.0> /system/etc/security/cacerts/
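As an added example (not code from the original post), here is a standard-library-only Python re-implementation of what the openssl -subject_hash_old step above computes: MD5 over the DER-encoded subject name, first four bytes read little-endian, which gives the <hash>.0 filename Android expects. It lets you double-check the name you got from openssl directly against cacert.der; der_tlv is only there so constructed sample certificates can be built for testing, and the function names are my own.

```python
import hashlib
import struct

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used here only to build constructed sample input)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_der(cert_der: bytes) -> bytes:
    """Return the DER-encoded subject Name of an X.509 certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs_start, _ = read_tlv(cert_der, 0)
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    #                               issuer, validity, subject, subjectPublicKeyInfo, ... }
    _, pos, _ = read_tlv(cert_der, tbs_start)
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:  # explicit [0] version present (v2/v3 certificates)
        pos = end
    for _ in range(4):  # skip serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE; input is not a DER certificate?")
    return cert_der[pos:end]

def subject_hash_old(cert_der: bytes) -> str:
    """The value `openssl x509 -subject_hash_old` prints: MD5 of the subject DER,
    first four bytes read as a little-endian integer, as 8 lowercase hex digits."""
    md5 = hashlib.md5(subject_der(cert_der)).digest()
    return "%08x" % struct.unpack("<I", md5[:4])[0]

def android_cacert_filename(cert_der: bytes) -> str:
    """Filename Android expects under /system/etc/security/cacerts/."""
    return subject_hash_old(cert_der) + ".0"
```

To check a real export, call android_cacert_filename(open("cacert.der", "rb").read()) and compare it with the name openssl gave you.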
Set up your device to connect to the Burp proxy
To do this, first check which interface and port Burp is listening on and edit as necessary. I have Burp listening on port 8080 of localhost.
Then set up your device to use that proxy. You can do this from the network settings, or from the emulator control menu if you're using an Android emulator.
Intercept away
That's it! Now open the web browser on the device and confirm that you can intercept traffic in the Intercept and HTTP history tabs in Burp.
Other things to know
This alone will not intercept traffic from apps that implement SSL pinning. In those cases more work is necessary. One option is to set up a transparent proxy rather than the traditional one we just did. Another is to use a dynamic instrumentation tool (Frida is the most famous) to attach to the app in question and run it with SSL unpinning scripts.
These topics will also be covered on this blog in the next couple of weeks, so if you're interested keep an eye out for the next article. The easiest way might be to follow me on Twitter.
Hope this was useful. Thanks for reading!