How to set up Android with Burp Suite

This tutorial assumes you are comfortable with your computer’s command line interface (shell) and with Burp Suite.

There are various ways to pentest a mobile application. Most mobile applications run on iOS or Android, and unless you have a jailbroken iPhone or a Corellium instance, you will most likely be testing the Android build of the app. You could also use Charles Proxy on iOS, but today we will focus on setting up Burp Suite with an Android emulator from Android Studio.

You can download almost any mobile app as an APK from APKPure, Aurora Store, or APKMirror. You can drag and drop the APK onto your virtual device to install it, or sometimes download it straight from the virtual device.

1. Download Android Studio

This seems like an obvious step, since we will be using the Android emulators that ship with Android Studio. You can download it from the following link.

2. Create a new virtual device

Once you open Android Studio, you can click on More Actions → Virtual Device Manager.

The idea here is to choose a system image that does not include the Google Play Store: Play Store images are production builds and do not allow root access via adb, while the images without it (AOSP or “Google APIs”) do. We need a rooted device because we have to write to system-level directories to install the Burp Suite certificate.

I usually choose the Galaxy Nexus with API 32. I then add extra storage so I can install multiple apps on the emulated Android phone.

3. Launching the emulator

Before we launch the emulator, we need to start it with the -writable-system argument, since we need to write to system-level directories. Changes you make to /system survive reboots of the virtual device, but only as long as you keep launching it with this flag.

Find where the Android SDK lives on your system. On macOS it is ~/Library/Android/sdk; open a terminal in ~/Library/Android/sdk/emulator and run the following command:

./emulator -list-avds

This lists your Android virtual devices by name, one per line.

Once you find your device’s name, you can run the following command:

./emulator -avd Galaxy_Nexus_API_32 -writable-system

Your virtual device will open. Great!

4. Adding the Burp Suite certificate to the virtual device

Now for the fun part: adding the Burp Suite CA certificate to the device, which is what allows Burp Suite to intercept the HTTPS requests of the mobile application you are testing. Since Android 7 (API 24), apps trust only the system certificate store by default and ignore CAs the user installs through Settings, so the certificate has to go into the system store. That is the reason we need a rooted device and a writable /system.

Android can take a .der or a .pem certificate, so the DER file Burp exports works without converting it. The catch is the naming convention. As I browsed multiple blogs, I noticed nobody explained the specific naming convention required to install certificates on the Android phone. By doing more research, I found a README in the Android source tree (linked below) explaining that certificates in the cacerts directory under /system must follow a required naming convention. The full explanation can be found in OpenSSL’s c_rehash manpage.

From the c_rehash manpage:

This utility is useful as many programs that use OpenSSL require directories to be set up like this in order to find certificates.

To store a certificate in the cacerts directory on the Android phone, you name it after the hash of its subject name, in the form <hash_value>.0. The hash is OpenSSL’s old-style subject hash (-subject_hash_old: the first four bytes of an MD5 over the DER-encoded subject name), not the newer SHA-1-based -subject_hash, and Android looks certificates up by exactly this name, so using the wrong flag produces a file Android will never find. The ‘.0’ is a sequence number: c_rehash uses .0 for the first certificate with a given hash and .1, .2, and so on for later certificates whose subject hashes collide. You can read the README here:

https://android.googlesource.com/platform/system/ca-certificates/+/refs/heads/master/README.cacerts

First step:
Download the CA certificate in DER format from Burp Suite. You can find the export button in the Proxy settings tab (Import / export CA certificate). I typically name it BurpCert.der. Next comes the certificate naming convention we mentioned above. The README gives the command for retrieving the subject hash:

openssl x509 -inform DER -subject_hash_old -in BurpCert.der | head -1

The command above tells openssl that the input file is DER and asks for the old-style hash of the certificate’s subject name. openssl prints the hash on the first line, followed by the certificate itself, so head -1 keeps only the hash.
This should print something like 9a5ba575.

Second step:
We rename our certificate to the hash value we got in the previous step, with the .0 suffix.

mv BurpCert.der 9a5ba575.0

Third step:
Okay, cool. Now we have everything we need to add the certificate to the Android virtual device. First we push it to the /sdcard directory on the device, and then we move it into the cacerts directory. Go to ~/Library/Android/sdk/platform-tools in your terminal and run:

./adb push path/to/certificate/9a5ba575.0 /sdcard/

Fourth step:
Next we remount the /system filesystem read-write. If you type df in your Android shell, you will see /system listed as a filesystem; it is mounted read-only by default, and we need to write to it to add our certificate under /system/etc/security/cacerts. You can also set the permissions on the certificate, either read-only for everyone (444) or read-write for the owner and read-only for group and others (644, which is what the stock certificates in that directory use). I’ve tested both and the certificate works correctly either way, however I’ve seen most people set the permissions to chmod 644. Then move the certificate from the /sdcard directory into the cacerts directory:

./adb shell
su
mount -o remount,rw /system
mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
chmod 444 /system/etc/security/cacerts/9a5ba575.0
reboot

Now that you have added the certificate and set its permissions, reboot the device. The certificate should now be among the system’s trusted certificates on the virtual device. You can see it by going to Settings → Security → Encryption & credentials → Trusted credentials, under the System tab.
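As an added example (not part of the original post), here is a POSIX shell script that automates steps 1 through 4 above for an AVD that is already running with -writable-system. It assumes openssl and adb are on your PATH and that the emulator image’s AOSP su accepts the “su 0 <command>” form; the file name install_burp_ca.sh is a placeholder. It goes beyond the commands above in two ways: it detects whether the exported file is DER or PEM, and it applies the c_rehash collision rule by checking which <hash>.N names already exist on the device instead of always using .0.

```sh
#!/bin/sh
# Added example (not from the original post): automates steps 1-4 above for
# an emulator already running with -writable-system. Assumes openssl and adb
# are on PATH, and that the emulator image's AOSP su accepts "su 0 <command>".
# Usage: sh install_burp_ca.sh BurpCert.der
set -eu

CACERTS=/system/etc/security/cacerts

# The cacerts store loads DER and PEM alike; tell openssl which one we have.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Android names a CA file <subject_hash_old>.<N>: the "old" OpenSSL hash is the
# first four bytes of the MD5 of the DER-encoded subject name. -noout drops the
# certificate dump so only the hash is printed (no "head -1" needed).
subject_hash_old() {
    openssl x509 -inform "$2" -noout -subject_hash_old -in "$1"
}

# c_rehash collision rule: the first file for a hash is .0, the next .1, and so
# on. $1 is the hash, $2 the existing file names in the directory, one per line.
# Android's trust store walks .0, .1, ... until a name is missing, so a gap or a
# wrong index means the CA is never found.
next_free_index() {
    n=0
    while printf '%s\n' "$2" | grep -qxF "$1.$n"; do
        n=$((n + 1))
    done
    echo "$n"
}

install_burp_ca() {
    cert=$1
    fmt=$(cert_format "$cert")
    h=$(subject_hash_old "$cert" "$fmt")
    existing=$(adb shell ls "$CACERTS" | tr -d '\r')
    name="$h.$(next_free_index "$h" "$existing")"

    adb push "$cert" "/sdcard/$name"
    adb shell su 0 mount -o remount,rw /system
    adb shell su 0 mv "/sdcard/$name" "$CACERTS/$name"
    # Match the stock files: owned by root, readable by everyone.
    adb shell su 0 chown root:root "$CACERTS/$name"
    adb shell su 0 chmod 644 "$CACERTS/$name"
    adb shell ls -l "$CACERTS/$name"
    adb reboot
    echo "installed $CACERTS/$name; after the reboot check Settings > Security >"
    echo "Encryption & credentials > Trusted credentials > System"
}

if [ "$#" -ge 1 ]; then
    install_burp_ca "$1"
fi
```

Run it as sh install_burp_ca.sh BurpCert.der. The collision check matters more than it looks: the trust store finds a CA by walking <hash>.0, <hash>.1, and so on and stops at the first missing name, so overwriting an existing .0 with a different certificate, or leaving a gap in the indices, silently breaks the lookup.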

Hold your horses! We are not done yet.

5. Configuring the device’s network settings to work with Burp Suite

In Burp Suite’s proxy listener settings, you can leave the listener bound to the loopback address 127.0.0.1 only. Some people suggest listening on all interfaces, but I have found it is not necessary, and binding to loopback means no other hosts on the network can use my proxy. I use port 8083, but you can use port 8080 if that is what you have configured.

On the virtual device, configure the proxy in the emulator’s Extended Controls (the “...” button on the emulator toolbar) → Settings → Proxy: choose Manual proxy configuration and set the hostname to 127.0.0.1 and the port to 8083. This setting is applied by the emulator process on your machine, which is why 127.0.0.1 here means your host’s loopback, where Burp is listening. The same can be done from the command line with the emulator’s -http-proxy 127.0.0.1:8083 flag. If you instead set the proxy in the Android Wi-Fi settings inside the guest, the host is reached as 10.0.2.2, not 127.0.0.1, which inside the guest is the device itself. Either way, we are proxying all the traffic from the virtual device to our machine’s localhost, where Burp Suite listens for incoming requests.

Now, you can intercept the requests from the mobile application on Burp Suite.

This was a long tutorial, but I believe it is important to explain each step and why it is done that way. It’s easy to copy code and tutorials without really understanding what is going on, but if you really want to learn, you have to understand what you are doing. The tutorials I found were almost all the same, sometimes copy-pasted from each other, without any explanation of why things are done a certain way, and they included unnecessary extra steps because they were copy-pasted from other blogs. I also deliberately did not use AI for the commands and information in this tutorial: when I spend time on my projects and research, I take the time to read blogs, man pages and articles, since they sometimes contain more information and can take you down a rabbit hole. In the end, you learn more and retain the information better (at least I do).

Thanks for reading!

Sources:
Changing permissions on a read-only filesystem: https://askubuntu.com/questions/47538/how-to-make-read-only-file-system-writable
Certificate naming convention: https://android.googlesource.com/platform/system/ca-certificates/+/refs/heads/master/README.cacerts and the c_rehash man page: https://www.manpagez.com/man/1/c_rehash/
ADB documentation: https://developer.android.com/tools/adb
