
Wednesday 5 August 2015

Intercepting Android Applications With Burp Suite

Burp Suite


Burp Suite is a very useful platform for application security analysis. Burp is written in Java and runs on most platforms, and it is available in both a free and a commercial version. It includes a proxy server that your browser or mobile application can be configured to send traffic through, so that the traffic can be intercepted and modified.

In this post we will go through the steps for configuring Burp to intercept traffic from a mobile device.

Configure Burp Proxy Listener


Once you open Burp, go to the Proxy tab and then Options. Click the Add button and set 'Bind to port' to 8080. Then select 'All interfaces', so that the listener accepts connections from the device rather than only from the local machine.




Configure Mobile Device/ Emulator


On your Android device or emulator go to 'Settings' and then Wi-Fi (ensuring that you are connected).


Next, long-press the network name until a menu appears with 'Forget network' and 'Modify network'.

When you select 'Modify network' the menu below will open; check the 'Show advanced options' checkbox. Change the Proxy setting to 'Manual' and, in the 'Proxy hostname' field, enter the IP address of the computer that is running Burp. In the 'Proxy port' field enter the port that Burp is listening on, e.g. 8080.




Intercept Traffic


To test that we can intercept the traffic, open up a mobile application and perform an action. In the screenshot below we are logging into the Insecure Bank app.



Before tapping the Login button, go to the 'Intercept' tab under Proxy in Burp and ensure that intercept is on.

Once you submit the request you should see the traffic in the intercept pane.

Installing Burp CA Certificate


In this example the mobile application is sending traffic over HTTP. If the application uses SSL/TLS, you will have to install the Burp CA certificate on the device, otherwise the app will not trust the certificate Burp presents.

On the emulator open a browser and navigate to http://burp. Then click on 'CA Certificate' to download it.


If you open the file manager you will see the cert under 'Downloads'.


Once you open the cert you will be prompted to name it. You can enter any name here and click OK.

In Settings, click on 'Security' and then 'Credential Storage'. You should then see the cert under 'User'.


You should now be able to intercept any traffic being transmitted over HTTPS without getting any security warnings.
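As an added example (not part of the original post and not PortSwigger's code), the small Python script below fetches the CA certificate from the Burp listener, saves it as PEM and prints its SHA-256 fingerprint, so you can check that the cert sitting under 'Credential Storage' on the device is the one Burp is actually serving. It assumes the listener answers http://burp/cert with the DER-encoded CA (the link behind the 'CA Certificate' button) and defaults to a listener on 127.0.0.1:8080.

```python
"""Fetch the Burp CA from the proxy listener, save it as PEM and print its
SHA-256 fingerprint so the copy on the device can be checked against it.
Added example; not PortSwigger code. Assumes the listener serves the DER
certificate at http://burp/cert (the 'CA Certificate' download link)."""
import base64
import hashlib
import sys
import urllib.request

BURP_CERT_URL = "http://burp/cert"  # answered by the Burp listener itself


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem: drop the header/footer lines and decode."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 of the DER bytes, the form most
    certificate viewers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_burp_ca(proxy_host: str, proxy_port: int, timeout: float = 5.0) -> bytes:
    """GET http://burp/cert *through* the listener, exactly as the device's
    browser does; Burp serves the response itself without forwarding it."""
    handler = urllib.request.ProxyHandler(
        {"http": f"http://{proxy_host}:{proxy_port}"})
    opener = urllib.request.build_opener(handler)
    with opener.open(BURP_CERT_URL, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    der = fetch_burp_ca(host, port)
    with open("burp-ca.crt", "w", encoding="ascii") as f:
        f.write(der_to_pem(der))
    print("SHA-256:", sha256_fingerprint(der))
```

Run it as `python burp_ca.py <burp-ip> 8080` from a machine that can reach the listener; the resulting burp-ca.crt can then be pushed to the device with `adb push burp-ca.crt /sdcard/Download/` instead of downloading it from the emulator's browser.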

References: https://support.portswigger.net/customer/portal/articles/1841102-installing-burp-s-ca-certificate-in-an-android-device
