Intercepting Android Traffic with Burp Suite

Oct 31, 2024

Intercepting Android App Traffic using Burp Suite and Frida

Introduction

  • Overview of the session by Ipsek.
  • Focus on newer Android OS versions and how to intercept traffic.
  • Previous experience with an older Android OS on the RouterSpace machine from Hack The Box.

Background

  • Certificate Authority Changes:
    • Since Android 7 (Nougat), apps no longer trust user-installed CAs by default, so the proxy CA must be installed in the system store instead of the user store.
    • Demonstrate how to bypass certificate pinning and intercept Instagram traffic using Frida.
  • Motivation for Intercepting Traffic:
    • Personal project with Wazen device to control a dog door via its app.

Setting Up the Environment

1. Install Genymotion

  • Prefer Genymotion over Android Studio for virtual Android devices.
  • Steps:
    • Download and install Genymotion.
    • Ensure VirtualBox is installed.
    • Configure VM settings (8 GB RAM, 4 processors).

2. Certificate Configuration

  • Burp Suite Certificate:
    • With Burp's proxy listener running on port 8080, download its CA certificate (DER format):
      curl http://localhost:8080/cert -o cert.der
      
    • Convert the certificate to PEM format:
      openssl x509 -inform der -in cert.der -out burp.pem
      
    • Android's system store expects the file to be named <hash>.0, where <hash> is the old-style (MD5-based) subject hash printed by:
      openssl x509 -inform PEM -subject_hash_old -noout -in burp.pem
      
  • Push Certificate to Android Device:
    • Copying the certificate into the system store (/system/etc/security/cacerts/) with adb push requires root access and a writable system partition.
    • Remount the filesystem as read-write:
      mount -o remount,rw /
      
  • After rebooting, confirm the certificate appears in the device's trusted credentials list under the system (not user) tab.
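As an added illustration (not part of the session or of any tool it mentions), the following Python script reproduces what openssl x509 -subject_hash_old computes, so the <hash>.0 filename that the system store expects can be understood and double-checked; the subject it encodes is a constructed sample, not Burp's real CA subject, and the real hash must be computed over the subject exactly as encoded in the certificate.

```python
"""Reproduce OpenSSL's "old" (MD5-based) subject hash, which names CA files in
Android's system trust store. Added illustration, not from the session notes."""
import hashlib

# DER object identifiers for the attribute types found in a typical CA subject.
ATTR_OIDS = {
    "C": bytes.fromhex("550406"), "ST": bytes.fromhex("550408"),
    "L": bytes.fromhex("550407"), "O": bytes.fromhex("55040a"),
    "OU": bytes.fromhex("55040b"), "CN": bytes.fromhex("550403"),
}


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def subject_name_der(attrs):
    """Encode [(attr, value), ...] as an X.501 Name: SEQUENCE of one-attribute
    RDN SETs. Values use PrintableString (tag 0x13); a real certificate may use
    UTF8String instead, which changes the DER bytes and therefore the hash."""
    rdns = b""
    for attr, value in attrs:
        atv = _der(0x30, _der(0x06, ATTR_OIDS[attr]) + _der(0x13, value.encode("ascii")))
        rdns += _der(0x31, atv)
    return _der(0x30, rdns)


def subject_hash_old(subject_der: bytes) -> str:
    """MD5 over the DER-encoded subject; the first four digest bytes are read
    little-endian and printed as 8 hex digits, exactly as OpenSSL does."""
    digest = hashlib.md5(subject_der).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def cacerts_filename(subject_der: bytes, index: int = 0) -> str:
    """Filename the PEM must carry in /system/etc/security/cacerts/: <hash>.<index>."""
    return f"{subject_hash_old(subject_der)}.{index}"


if __name__ == "__main__":
    # Constructed sample subject, not the actual Burp Suite CA subject.
    der = subject_name_der([("O", "Example Proxy"), ("CN", "Example CA")])
    print(der.hex())
    print(cacerts_filename(der))
```

The index suffix is 0 unless another trusted CA already has the same hash, in which case OpenSSL-style stores use .1, .2 and so on.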

Configuring Proxy Settings

  • Proxy Setup:
    • Set up Burp Suite as a proxy for the Android device via ADB command:
      adb shell settings put global http_proxy [IP]:8080
      
  • Confirm the proxy works by browsing to a site (e.g., google.com) on the device and checking that the request shows up in Burp's HTTP history.

3. Installing Applications

  • Google Play Store Installation:
    • Install OpenGApps to access Google Play Store.
    • Create shell aliases for setting and unsetting the proxy to simplify the repeated commands.

Intercepting Application Traffic

4. Intercepting Wazen App

  • Confirmed ability to intercept traffic from the Wazen app.

5. Intercepting Instagram Traffic

  • Challenges with Instagram due to SSL pinning and obfuscation.
  • Using Frida:
    • Install Frida to bypass SSL pinning.
    • Steps:
      1. Install frida-tools on the host using pipx.
      2. Download the frida-server build for Android (matching the device's architecture) and push it to the device.
      3. Run frida-server on the device.
      4. Use a Frida script to hook Instagram's SSL verification routine.
  • With the proxy set and the script running, the Instagram login request was successfully intercepted in Burp.

Conclusion

  • Successfully set up the environment and intercepted traffic from both Wazen and Instagram using Burp Suite and Frida.
  • Encouragement to explore further and keep practicing.