Configure Android to intercept basic HTTPS requests for apps

HTTPS is basically HTTP over TLS (also called SSL), and plain HTTP is easy to intercept, so encryption is our only problem. TLS is designed to protect data transfer in a client-server connection, which secures users against man-in-the-middle attacks. However, in its basic and most popular implementation, that protection is easily breakable if we have full access to the device.

What is needed:

  • A rooted Android device; I strongly recommend an emulator (no risk of bricking a phone, and it is easy to create)
  • Burp Suite or other software to intercept connections via a proxy
  • A method to add a certificate to the system; in this article, I show the simplest way, with an app called Root Certificate Manager
  • An app to test intercepting connections with

Configure Burp Suite

Now it’s time to start Burp Suite. We need to enable listening on all interfaces in its proxy options. This allows the Android device to connect to the proxy over the local network.

Check the local IP address of the computer with the “ipconfig” command in Windows CMD or “ifconfig” in a Linux shell. With that address, we can set up the proxy settings on the Android device.

On most Android systems, go to “Settings” –> “WiFi Settings” and modify the current network. Change the proxy from None to Manual, enter the IP address you found on your computer, and set the port to 8080 if you haven’t changed it. On other emulators, enabling the proxy may work differently, though.

Now, if we open the browser on the Android device and try to visit a website, e.g. https://example.com/, we will get a warning that the certificate cannot be recognized. If that’s the case, everything is configured correctly up to this step.

If an app makes an HTTPS request, Burp shows a warning about a failed TLS connection negotiation. The request may still be made correctly, but Burp Suite is only forwarding the encrypted request, so the HTTP data cannot be modified or even viewed.

Install certificate

To fool the application, we need to add the Burp Suite certificate to the device as a system certificate.

Export the certificate in Burp and upload it to the Android device.

Now, using the Root Certificate Manager (an Android app), we can easily add the certificate to the system.

As you can see, the web browser stopped showing us the security warning.

And finally, we can view and modify HTTPS requests.

For example, after making an HTTPS request, my test app gets and displays the data of the website https://example.com/. With Burp, we can see and modify the data received by the app.

Here a match and replace rule is added, so the data received by the app is changed.
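
The warning before the certificate is installed and its disappearance afterwards both come from the proxy re-signing each site's certificate with its own CA. The following check, an added example that is not part of the original article, confirms this from the computer by trusting only the exported proxy certificate and connecting through the proxy. The function names and verdict strings are this example's own, and it assumes the certificate has already been exported to a file.

```python
import socket
import ssl
from typing import Optional

def connect_request(host: str, port: int = 443) -> bytes:
    """CONNECT request a client sends to an HTTP proxy before starting TLS."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def tunnel_established(reply: bytes) -> bool:
    """True when the proxy's status line carries a 2xx code."""
    parts = reply.split(b"\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1][:1] == b"2"

def issuer_common_name(cert: dict) -> Optional[str]:
    """Issuer CN from the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def probe(proxy_host: str, proxy_port: int, target: str, ca_file: str) -> str:
    """Say whether the proxy re-signs TLS for `target` with the CA in ca_file."""
    with open(ca_file, "rb") as fh:
        raw = fh.read()
    # cadata takes PEM as str or DER as bytes, so either export format works.
    cadata = raw.decode("ascii") if raw.lstrip().startswith(b"-----BEGIN") else raw
    # Trust ONLY the proxy CA: a genuine site certificate must fail verification.
    ctx = ssl.create_default_context(cadata=cadata)
    # Proxy-issued certificates may not pass the strict checks newer Pythons enable.
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as sock:
        sock.sendall(connect_request(target))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
        if not tunnel_established(reply):
            return "no-tunnel"
        try:
            with ctx.wrap_socket(sock, server_hostname=target) as tls:
                return f"intercepted, issuer CN: {issuer_common_name(tls.getpeercert())}"
        except ssl.SSLCertVerificationError:
            return "not-intercepted"
```

Call it as `probe("192.168.1.10", 8080, "example.com", "proxy-ca.der")`, where the address and file name are constructed placeholders for the computer's IP and the exported certificate. A result of "intercepted" means the proxy is issuing certificates from that CA, so a device that trusts the same CA will accept them without a warning.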
