Prerequisites
- Burp Suite
- Android SDK platform-tools (adb)
- gmsaas tool (https://docs.genymotion.com/gmsaas/1.x/)
- openssl (optional)
Step 1 - Setting up Burp Suite
Go to the Proxy tab, then the Options tab. Add a new listener on all interfaces, on any port you like. We will use 8080:
Click import/export CA certificate --> Export --> Certificate in DER format --> Choose a path and name it anything with a .cer extension --> Next
Note
We will use the name Burp_cert.cer as an example for this tutorial.
Step 2 - Install the certificate to the virtual device
Method 1 - Install the certificate as a User CA certificate
- Spin up your device.
- Drag and drop Burp_cert.cer onto the device display.
- Go to Android Settings and search for install a certificate. In the results, click Install certificates from SD Card and select CA certificate. Click install anyway to bypass the warning.
- Navigate to /sdcard/Download and click on Burp_cert.cer.
- If you are using Android 9 or below, you may be requested to set a secure lock screen. Comply and set a lock:
To verify whether the certificate is properly installed, go to Android settings, search and click Trusted credentials. You should see the certificate in the USER tab:
Method 2 - Install as a system-level trusted CA
Warning
This method is a lot more complex and may break the Android system: it should only be considered as a last resort if Method 1 fails. Use at your own risk!
1. Convert the certificate
First, we need to convert the Burp certificate into PEM format. Use openssl to convert DER to PEM, then output the subject_hash_old:
openssl x509 -inform DER -in Burp_cert.cer -out Burp_cert.pem
openssl x509 -inform PEM -subject_hash_old -in Burp_cert.pem | head -1
Then, rename the file with the output hash from the last command. For example, if the hash is 9a5ba575, rename the file as 9a5ba575.0:
mv Burp_cert.pem 9a5ba575.0
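As an added example (not part of the original tutorial), these shell helpers wrap the conversion above and check that a file's name matches the subject_hash_old of the certificate it contains, which catches a mistyped hash before the file is pushed to the device. The function names are hypothetical; the openssl calls are the ones used in this step, with -noout added so only the hash is printed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of Burp, adb or gmsaas.

# Print "<subject_hash_old>.0" for a PEM certificate, or fail.
cacert_name() {
    h=$(openssl x509 -inform PEM -subject_hash_old -noout -in "$1") || return 1
    # The system store expects 8 lowercase hex digits before the ".0" suffix.
    case "$h" in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#h}" -eq 8 ] || return 1
    printf '%s.0\n' "$h"
}

# Convert DER -> PEM, store it as <outdir>/<hash>.0 and print that path.
prepare_cacert() {
    der=$1
    outdir=${2:-.}
    tmp=$(mktemp) || return 1
    openssl x509 -inform DER -in "$der" -out "$tmp" || { rm -f "$tmp"; return 1; }
    name=$(cacert_name "$tmp") || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$outdir/$name" && printf '%s\n' "$outdir/$name"
}

# Succeed only if the file name equals the hash of the certificate inside it.
# Run this on the .0 file before pushing it to the device.
check_cacert_name() {
    expected=$(cacert_name "$1") || return 1
    [ "$(basename "$1")" = "$expected" ]
}
```

For instance, `f=$(prepare_cacert Burp_cert.cer .) && check_cacert_name "$f"` produces the renamed file and confirms its name before the install step.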
2. Install the certificate
- Spin up your device and connect it to ADB with gmsaas.
- Upload and install the .0 certificate:
# Remount the system partition
adb remount
# Upload the certificate
adb push <cert>.0 /system/etc/security/cacerts/
# Change the certificate rights
adb shell chmod 664 /system/etc/security/cacerts/<cert>.0
For example, with the 9a5ba575.0 certificate:
adb remount
adb push 9a5ba575.0 /system/etc/security/cacerts/
adb shell chmod 664 /system/etc/security/cacerts/9a5ba575.0
- Reboot the device:
adb reboot
After the device reboots, browsing to Settings -> Security -> Trusted Credentials should show the new “PortSwigger CA” as a system trusted CA:
Step 3 - Save as a custom recipe
We recommend saving the device as a custom recipe at this point.
Step 4 - Set Android global proxy to Burp Suite proxy
Important
If the global proxy is still set after saving the device as a custom recipe, or if you save the recipe at this point, Wi-Fi will be unavailable the next time a device is started from this recipe. To avoid this, make sure to unset the global proxy before saving. See the "Disable global proxy" section.
- If you haven't already done it, connect the device to ADB with gmsaas.
- Use ADB to set the device's global proxy. We use port 3333 here, but you can use any other port as long as it is available:
adb shell settings put global http_proxy localhost:3333
- Bind the Burp proxy to the device proxy configuration with adb reverse. We set up Burp Suite to use port 8080, so we will bind the device proxy to this port:
adb reverse tcp:3333 tcp:8080
From there, your instance's network traffic should be intercepted by Burp Suite.
Step 5 - Disable global proxy
If you need to save the device, make sure to disable the global proxy first:
adb shell settings put global http_proxy :0