
Intercepting Android Traffic with Burp Suite

Oct 31, 2024

Intercepting Android Application Traffic with Burp Suite

Introduction

  • Presenter: Ipsek
  • Topic: Intercepting Android app traffic using Burp Suite
  • Context: Previous experience with old Android OS; now focusing on modern versions.
  • Goal: Intercept traffic from Android applications (specifically Instagram) and control a device (Wazen) remotely.

Overview of Changes in Android OS

  • Starting with Android Nougat (7.0):
    • Certificate authority installation changed: apps no longer trust CAs added to the user store by default.
    • The CA must therefore be installed in the system store, not just the user store.

Tools and Software Installation

  1. Genymotion
    • Alternative to Android Studio for running an Android VM.
    • Install using wget and set up with VirtualBox.
  2. VirtualBox and ADB
    • Install the required packages: sudo apt install virtualbox adb

VM Configuration

  • Memory: Increased to 8 GB
  • Processors: Allocated 4 cores
  • Ensure virtualization settings are enabled in VirtualBox.

Setting Up Genymotion

  1. Launch Genymotion and log in with a free license.
  2. Add a new device (Pixel 3 XL) and install it.
  3. Configure the Burp Suite certificate.
    • Download the Burp CA certificate (DER format) from the running proxy listener: curl http://localhost:8080/cert -o cert.der
    • Convert it to PEM format using OpenSSL: openssl x509 -inform der -in cert.der -out burp.pem
    • Rename the PEM file to <hash>.0, where <hash> is the MD5-based subject hash (openssl x509 -subject_hash_old -noout -in burp.pem).

Install and Configure Burp Suite Certificate

  • Push the certificate to the Android device.
    • Use ADB to copy it into the system CA directory, /system/etc/security/cacerts/.
    • Remount filesystem as read-write using: adb shell su mount -o remount,rw /
  • Restart the device to load the certificate.
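The convert-and-rename step above is the part most often done wrong, so here is an added example (not code from the video, Burp or Genymotion) that performs it in plain Python instead of OpenSSL: it parses the DER certificate Burp exported, computes the hash Android uses for system CA file names (OpenSSL's subject_hash_old: the first four bytes of MD5 over the DER-encoded subject name, read little-endian), writes <hash>.0 in PEM form and prints the adb commands for the push. It assumes the certificate was saved as cert.der as above and that the system store is /system/etc/security/cacerts/. The build_sample_cert helper constructs a dummy, unsigned certificate skeleton so the naming logic can be exercised offline; it is not a real certificate.

```python
"""Name and convert the Burp CA certificate for the Android system CA store."""
import base64
import hashlib
import sys


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos].

    Returns (tag, value_start, value_end). X.509 uses single-byte tags only,
    so multi-byte tag numbers are not handled.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_subject_der(cert_der):
    """Return the raw DER bytes (header included) of the certificate's subject Name."""
    tag, pos, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, pos, _ = _read_tlv(cert_der, pos)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    # TBSCertificate fields in order: version [0] EXPLICIT OPTIONAL, serialNumber,
    # signature, issuer, validity, subject, ...
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                               # skip the optional version wrapper
        pos = end
    for _ in range(4):                            # serialNumber, signature, issuer, validity
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)        # subject
    if tag != 0x30:
        raise ValueError("malformed subject")
    return cert_der[pos:end]


def subject_hash_old(subject_der):
    """OpenSSL X509_NAME_hash_old(): MD5 of the DER name, first 4 bytes little-endian."""
    digest = hashlib.md5(subject_der).digest()
    return int.from_bytes(digest[:4], "little")


def android_ca_filename(cert_der):
    """File name Android expects under /system/etc/security/cacerts/."""
    return "%08x.0" % subject_hash_old(extract_subject_der(cert_der))


def der_to_pem(cert_der):
    """PEM-encode a DER certificate (the encoding the cacerts directory holds)."""
    body = base64.encodebytes(cert_der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def _tlv(tag, content):
    """Minimal DER encoder, used only to build constructed test input."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + content


def build_subject_name(common_name):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String } } }"""
    attr = _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, common_name.encode("utf-8"))
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, attr)))


def build_sample_cert(common_name, serial=1):
    """Constructed, unsigned certificate skeleton (NOT a real certificate).
    Only the field layout matters for the hash computation."""
    name = build_subject_name(common_name)
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))    # version v3
               + _tlv(0x02, bytes([serial]))      # serialNumber
               + sha256_rsa                       # signature algorithm
               + name                             # issuer (self-signed: same as subject)
               + validity
               + name                             # subject
               + _tlv(0x30, b""))                 # subjectPublicKeyInfo placeholder
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))


def main(argv):
    der_path = argv[1] if len(argv) > 1 else "cert.der"   # cert.der as saved above
    with open(der_path, "rb") as f:
        cert_der = f.read()
    name = android_ca_filename(cert_der)
    with open(name, "w") as f:
        f.write(der_to_pem(cert_der))
    print("wrote", name)
    print("adb push %s /system/etc/security/cacerts/" % name)
    print("adb shell chmod 644 /system/etc/security/cacerts/%s" % name)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as python3 burp_ca_name.py cert.der after remounting the system partition read-write; the printed adb commands are the push from the list above, with a chmod so the file has the same 644 mode as the stock CA files. The hash is computed over the subject name alone, so the same Burp CA always gets the same file name no matter how often the certificate is re-exported.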

Setting Up Proxy

  • Configure the proxy settings in Android.
  • Use ADB command to set the global HTTP proxy: adb shell settings put global http_proxy <IP>:8080
  • Ensure Burp Suite is intercepting traffic.

Installing Applications

  • Install OpenGApps to get Play Store if not available.
  • Define shell aliases for the ADB proxy set/unset commands to simplify repeated use.

Intercepting Traffic from Applications

  1. Install the desired application (e.g., Wazen).
  2. Verify interception of traffic.
  3. Attempt to intercept Instagram traffic.

Handling Certificate Pinning with Frida

  • Instagram uses certificate pinning to prevent interception.
  • Install Frida to bypass this:
    1. Local installation: pipx install frida-tools
    2. Download Frida server from GitHub releases.
    3. Push to device using ADB and make executable.
  • Use Frida to hook into the Instagram app and bypass SSL verification.

Running Frida Script

  • Execute Frida script to bypass SSL pinning: frida -U -l <script_name.js> -n Instagram
  • Check if interception works after setting proxy again.

Conclusion

  • Successfully intercepted Instagram login request.
  • Final remarks were on the complexity of handling SSL pinning.
  • Encouragement to try the methods shown in the video.