Burp Suite Proxy Setup (Android Traffic Intercept)

Intercepting Android traffic through Burp Suite is one of the most important parts of mobile pentesting. This chapter provides a full-length, hands-on, complete guide covering Burp configuration, device proxy setup, CA certificate installation, Android 7+ restrictions, system CA injection, SSL pinning bypass, Frida integration, network debugging, and troubleshooting.

This applies to:

  • Android Studio Emulator

  • Genymotion

  • Rooted physical devices

  • Non-rooted devices (limited but still possible)


Installing and Configuring Burp Suite

Open Burp Suite and go to:

Proxy → Options → Proxy Listeners

Ensure a listener exists on:

  • Interface: All interfaces or your LAN IP

  • Port: 8080 (default)

If not, add a new listener.

Enable:

  • "Support invisible proxying"

  • "Allow interception of TLS connections"

Save settings.

Find your computer’s IP:

  • Windows: ipconfig

  • Linux: ip addr (or ifconfig where it is still installed)

  • macOS: ifconfig

You will use this IP as the proxy for Android.


Exporting Burp Certificate (Android-Compatible)

Burp → Proxy → Options → Proxy Listeners → Import / export CA certificate

Click: Export → Certificate in DER format

Save file as:

cacert.der

This will be installed inside the Android device/emulator.


Setting Proxy on Android (Manual Configuration)

On the Android device/emulator:

  1. Settings

  2. Wi-Fi

  3. Long-press network → Modify Network

  4. Show Advanced Options

  5. Proxy → Manual

  6. Proxy hostname = your PC IP (for the Android Studio emulator use 10.0.2.2, the address the emulator maps to the host machine)

  7. Proxy port = 8080

Test connectivity:

adb shell ping -c 3 <your_PC_IP>

If ping works, the device can reach the PC over the network; the proxy setting itself is confirmed by the browser test below.

Open browser on device → visit:

http://burp

Download certificate (for user-level install)
OR use the exported cacert.der (for system-level install).


Installing Burp Certificate (User-Level Install)

For non-rooted devices:

  1. Copy cacert.der to the device (Android's certificate installer expects a .cer or .crt extension, so rename it while pushing):

adb push cacert.der /sdcard/cacert.cer

  2. Settings → Security → Install from storage (on recent versions: Encryption & credentials → Install a certificate → CA certificate)

  3. Select cacert.cer and install the certificate

Note:
Since Android 7 (API 24), apps targeting API 24 or later do NOT trust user-installed CA certs by default.
Only apps whose network_security_config explicitly adds <certificates src="user"/> will accept it.
This is why system-level installation is required for pentesting.


Installing Burp Certificate as SYSTEM CA (Rooted Devices or Emulators)

This bypasses Android’s restriction and allows full HTTPS interception.

Convert the certificate to PEM and name it by its subject hash (Android's CA store holds PEM files named <subject_hash_old>.0; for the Burp CA this hash is 9a5ba575, and the second command prints it so you can confirm):

openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
adb push cacert.pem /sdcard/9a5ba575.0

Remount system as read-write:

adb root
adb remount

Move certificate into system CA directory:

adb shell
su
mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/9a5ba575.0
chmod 644 /system/etc/security/cacerts/9a5ba575.0

Reboot:

adb reboot

Now every app that relies on the system trust store trusts the Burp certificate; apps that pin their own certificates still need the bypass techniques below.

Note: on Android 10 and later, adb remount typically requires adb disable-verity followed by a reboot (or starting the Android Studio emulator with -writable-system), and on Android 14 the system CA store lives in the Conscrypt APEX (/apex/com.android.conscrypt/cacerts) rather than /system/etc/security/cacerts, so a file placed in the latter is not picked up there.


Configuring Burp for Android TLS Interception

In Burp:

Proxy → Options → TLS Certificates

Enable:

  • “Generate CA-signed per-host certificates” (the per-hostname certificate option)

  • “Use custom certificate store if required”

  • “Disable server name verification (optional for testing)”

This ensures smoother interception and fewer breakages.


Verifying HTTPS Interception

In Burp (Proxy → Intercept), turn interception ON.

On device open:

https://example.com

If Burp shows the request → HTTPS interception works.

If not:

  • CA not installed system-wide

  • App uses SSL pinning

  • App uses certificate transparency

  • App uses native SSL libraries

In those cases, Frida is required.


Bypassing SSL Pinning (Frida Method)

Push Frida server to device (the binary must match the device's CPU architecture and the frida-tools version installed on the PC):

adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"

Start Frida:

adb shell "/data/local/tmp/frida-server &"

Verify the server is reachable (this should list the device's processes):

frida-ps -U

Run SSL bypass:

frida -U -f com.app -l ssl-bypass.js --no-pause

Newer frida-tools releases resume the spawned process automatically and reject --no-pause; drop the flag if the CLI complains about it.

The most common universal bypass scripts contain hooks for:

  • OkHttp

  • WebView

  • TrustManager

  • X509TrustManager

  • OkHTTP3

  • Apache HttpClient

  • Cronet

  • Native pinning

Once applied → app becomes fully interceptable.


Bypassing SSL Pinning (Magisk / Zygisk)

Install modules:

  • JustTrustMe

  • TrustMeAlready

  • 8tory SSL Unpinning

  • Universal SafetyNet Fix (for root detection side effects)

Enable the modules in LSPosed (which itself runs on Zygisk) and reboot.

Apps that pin through the common frameworks these modules hook are then bypassed automatically; custom or native pinning still needs Frida.


Intercepting Traffic from Apps That Ignore Proxy Settings

Some apps hardcode network routes and bypass Wi-Fi proxy.

Use Burp invisible proxy mode:

Proxy → Options → Proxy Listeners → “Support invisible proxying”

Then force routing with iptables (rooted devices):

adb shell
su
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination <host_ip>:8080

This redirects every outbound TCP connection to port 443 into Burp (add a matching rule with --dport 80 if plain HTTP is also needed). Because the app never sends a proxy-style request, Burp relies on invisible proxying to recover the target host from the SNI and Host header, which is why that option must be enabled.


Intercepting Traffic Over Mobile Data

Mobile data ignores proxies. Solutions:

Method 1: Redirect all traffic with iptables (root required)

iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination <PC_IP>:8080

Method 2: Use Wi-Fi hotspot + proxy auto-config

Create hotspot and assign proxy via PAC file.


Handling Apps Using Network Security Config

Decode APK:

apktool d app.apk -o decoded_app

Check whether the manifest references a config:

grep -n "networkSecurityConfig" decoded_app/AndroidManifest.xml

Inspect config (the attribute names a file under res/xml/, so it is not always called network_security_config.xml):

cat decoded_app/res/xml/network_security_config.xml

Look for:

  • <trust-anchors>

  • <certificates src="system"/> ← works with system CA

  • <certificates src="user"/> ← works with user CA

  • <pin-set> ← SSL pinning on Java layer (check its expiration attribute: an expired pin-set is no longer enforced)

  • <debug-overrides> ← trust anchors that apply only to debuggable builds

Use Frida or Magisk for pinning bypass.
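A small audit script for the config just described, added here as an example (it is not part of the original guide and not a Burp or Android tool): it parses the NSC XML with the standard library and reports which CA stores the app trusts, which domains carry a pin-set, which domains override the trust anchors, and whether debug-overrides trust user CAs. The sample XML is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample config (not from any real app): system CAs only in production,
# a pinned API domain, and user CAs trusted only under <debug-overrides>.
SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-01-01"><pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin></pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

def _sources(node):
    """Set of certificates src values under node's <trust-anchors>, empty if none."""
    if node is None:
        return set()
    return {c.get("src") for c in node.findall("trust-anchors/certificates")}

def audit_nsc(xml_text):
    """Summarise which CA stores an app trusts and where it pins, from the NSC XML."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_srcs = _sources(base)
    report = {
        "base_trusts_system_ca": base is None or "system" in base_srcs,  # no base-config: system store
        "base_trusts_user_ca": "user" in base_srcs,
        "cleartext_permitted": base.get("cleartextTrafficPermitted") if base is not None else None,
        "pinned_domains": [],          # domains covered by a <pin-set>
        "domain_trust_overrides": {},  # domain -> src values of its own <trust-anchors>
        "debug_trusts_user_ca": "user" in _sources(root.find("debug-overrides")),
    }
    for dc in root.iter("domain-config"):  # iter() also visits nested <domain-config>
        domains = [d.text.strip() for d in dc.findall("domain")]
        if dc.find("pin-set/pin") is not None:
            report["pinned_domains"].extend(domains)
        own = _sources(dc)
        if own:
            report["domain_trust_overrides"].update({d: sorted(own) for d in domains})
    return report

if __name__ == "__main__":  # audit a file given on the command line, else the sample
    print(audit_nsc(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NSC))
```

Run it against decoded_app/res/xml/<name>.xml to see at a glance whether a system-level CA install is enough or a pinning bypass is needed.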


Testing WebView Traffic Interception

Hook WebView traffic with Frida:

frida -U -f com.app -l webview-hook.js --no-pause

WebViews often bypass proxy or use custom cert validation.


Debugging Interception Issues

If HTTP works but HTTPS fails:

  • System CA not installed

  • App uses pinned certificates

If no traffic appears at all:

  • Wrong proxy IP

  • App uses direct sockets

  • VPN active

  • DNS over HTTPS in app

If Burp breaks or the app crashes on a particular host:

Enable TLS passthrough for that host so Burp relays it without interception:

Burp → Proxy → Options → “TLS Pass Through” (labelled “SSL Pass Through” in older releases) → add the domain.


Testing Complete Interception After Setup

Run from the PC (curl does not trust the Burp CA on its own, so add -k to skip verification while testing, or point --cacert at the Burp CA converted to PEM):

curl -k --proxy <PC_IP>:8080 https://httpbin.org/get

From Android:

Install Termux → run (Termux's curl uses Termux's own CA bundle rather than the Android system store, so the same flag is needed):

curl -k --proxy http://<pc_ip>:8080 https://postman-echo.com/get

If the request appears in Burp's HTTP history → setup is correct.


Full Burp Interception Workflow

  1. Configure Burp listener

  2. Export Burp certificate

  3. Set Android proxy

  4. Install certificate

  5. (Rooted) Move certificate to system store

  6. Start Frida server

  7. Apply SSL bypass scripts

  8. Launch app → capture HTTPS traffic

  9. Modify requests → observe responses

  10. Combine with ADB and APK reverse engineering for exploit chains

Together these steps give full traffic visibility for the large majority of Android apps; apps with native pinning or custom protocols need the per-app work described above.


Intel Dump

  • Configure Burp listener on all interfaces

  • Set device proxy to PC IP + 8080

  • Install CA cert (system-level for Android 7+)

  • Bypass SSL pinning using Frida or Magisk

  • Use iptables for apps bypassing proxy

  • Decode network_security_config to identify restrictions

  • Test traffic with curl inside Android

  • Intercept WebView, OkHttp, native code, and pinned connections

  • Solve HTTPS interception failures using certificate + TLS settings
