- Burp suite
- openssl (optional)
Step 1 - Setting up Burp Suite
Go to the proxy tab then the options tab. Add a new listener on all interfaces on whatever port you'd like. Here, we will choose 8080:
Click import/export CA certificate --> Export --> Certificate in DER format --> Choose a path and name it anything with a .cer extension --> Next
We will use the name Burp_cert.cer as an example for this tutorial.
Step 2 - Upload and install the Burp Suite Certificate
Method 1 - Install as a user certificate
- Start your device.
- Drag'n drop the Burp_cert.cer file you generated to the device display.
- Go to Android Settings and search install a certificate. In the results, click Install certificates from SD Card and select CA certificate. Click install anyway to bypass the warning.
- Navigate to /sdcard/Download and click on Burp_cert.cer.
- If you are using Android 9 or below, you may be requested to set a secure lock screen. Comply and set a lock:
To verify whether the certificate is properly installed, go to Android settings, search and click Trusted credentials. You should see the certificate in the USER tab:
Method 2 - Install as a system-level trusted CA
This method is for advanced users and may break the Android system: it should only be considered as a last resort if Method 1 fails. Use at your own risk!
1. Convert the certificate
First, we need to convert the Burp certificate into PEM format. Use openssl to convert DER to PEM, then output the subject_hash_old:
openssl x509 -inform DER -in Burp_cert.cer -out Burp_cert.pem
openssl x509 -inform PEM -subject_hash_old -in Burp_cert.pem | head -1
Then, rename the file with the output hash from the last command. For example, if the hash is 9a5ba575, rename the file as 9a5ba575.0:
mv Burp_cert.pem 9a5ba575.0
2. Install the certificate
- Upload and install the .0 certificate:
# Remount the system partition
adb remount
# Upload the certificate
adb push <cert>.0 /system/etc/security/cacerts/
# Change the certificate permissions
adb shell chmod 664 /system/etc/security/cacerts/<cert>.0
For example, with the 9a5ba575.0 certificate:
adb push 9a5ba575.0 /system/etc/security/cacerts/
adb shell chmod 664 /system/etc/security/cacerts/9a5ba575.0
- Reboot the device.
After the device reboots, browsing to Settings -> Security -> Trusted Credentials should show the new “Portswigger CA” as a system trusted CA:
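The conversion and renaming from "1. Convert the certificate" can be done in one shell function. This is an added example, not part of the original guide; make_android_ca is a hypothetical helper name. It rejects input that is not a DER certificate and prints the path of the .0 file to push with adb.

```shell
#!/bin/sh
# Added example: make_android_ca is a hypothetical helper, not a Genymotion or Burp tool.
# Usage: make_android_ca Burp_cert.cer [output_dir]
# Prints the path of the <subject_hash_old>.0 file to push to the device.
make_android_ca() {
    der=$1
    out_dir=${2:-.}
    [ -r "$der" ] || { echo "cannot read: $der" >&2; return 1; }

    # DER -> PEM. A failure here means the export was not "Certificate in DER format".
    pem=$(openssl x509 -inform DER -in "$der" -outform PEM 2>/dev/null) || {
        echo "not a DER-encoded X.509 certificate: $der" >&2
        return 1
    }

    # Android looks system CAs up by the legacy subject hash, hence -subject_hash_old.
    hash=$(printf '%s\n' "$pem" | openssl x509 -noout -subject_hash_old) || return 1

    # Expect exactly 8 lowercase hex digits before building a file name from it.
    case $hash in
        *[!0-9a-f]* | "") echo "unexpected hash: $hash" >&2; return 1 ;;
    esac
    [ "${#hash}" -eq 8 ] || { echo "unexpected hash length: $hash" >&2; return 1; }

    # Show the fingerprint so it can be compared with the entry in Trusted credentials.
    printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 >&2

    printf '%s\n' "$pem" > "$out_dir/$hash.0" || return 1
    printf '%s\n' "$out_dir/$hash.0"
}
```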
Step 3 - Set Android global proxy to Burp Suite proxy
Though it is possible to use Android settings, we recommend using the ADB command-line tool, which is more reliable and easier to handle.
If you do not have, or wish to install, Android SDK tools, you can use Genymotion ADB built-in tool. Please refer to Genymotion Desktop user guide for more information.
To set the global proxy, use the following adb command:
adb shell settings put global http_proxy <burp_proxy_ip>:<burp_listening_port>
- <burp_proxy_ip> is the IP of the host machine where Burp Suite is running,
- <burp_listening_port> is the Burp Suite listening port.
For example, if Burp is running on a host machine with IP 192.168.1.84 and is listening to port 8080, then the command should look like:
adb shell settings put global http_proxy 192.168.1.84:8080
From then on, Internet traffic should be redirected to Burp Suite.
Though this setting is global, applications may have their own proxy settings which cannot be controlled this way. The only solution in this case is to use a third-party Android application, such as ProxyDroid, to redirect all traffic from the device to the Burp Suite proxy.
Step 4 - Disable global proxy
If the proxy is still set after stopping the device, Wifi may be disabled the next time you start the device. To avoid this, make sure to unset the global proxy before stopping the device.
Use the following ADB command to unset the proxy:
adb shell settings put global http_proxy :0
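Steps 3 and 4 can be combined so that the proxy is always unset again. This is an added example, not part of the original guide; the function names and the ADB variable are assumptions. The value is validated because adb shell hands its arguments to the device shell, and it is read back with settings get to confirm it was stored.

```shell
#!/bin/sh
# Added example: helper names are hypothetical. ADB may point to Genymotion's bundled adb.
ADB=${ADB:-adb}

# valid_proxy HOST:PORT -> 0 only for a plain host name or IPv4 address and a port 1..65535.
# Anything else (spaces, ';', '$', ...) is refused before it reaches the device shell.
valid_proxy() {
    case $1 in *:*) ;; *) return 1 ;; esac
    host=${1%:*}
    port=${1##*:}
    case $host in "" | *[!A-Za-z0-9.-]*) return 1 ;; esac
    case $port in "" | *[!0-9]*) return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# set_proxy HOST:PORT -> sets the global proxy and checks the stored value.
set_proxy() {
    valid_proxy "$1" || { echo "refusing proxy value: $1" >&2; return 1; }
    "$ADB" shell settings put global http_proxy "$1" || return 1
    [ "$("$ADB" shell settings get global http_proxy | tr -d '\r')" = "$1" ]
}

# clear_proxy -> the unset command from Step 4.
clear_proxy() {
    "$ADB" shell settings put global http_proxy :0
}

# with_proxy HOST:PORT CMD [ARGS...] -> run CMD with the proxy set, then always unset it,
# including on Ctrl-C, so the device is never stopped with the proxy still configured.
with_proxy() {
    proxy=$1
    shift
    set_proxy "$proxy" || return 1
    trap 'clear_proxy; exit 130' INT TERM
    "$@" && rc=0 || rc=$?
    trap - INT TERM
    clear_proxy
    return "$rc"
}
```

For example, `with_proxy 10.0.3.2:8080 sh -c 'read _'` keeps the proxy set until Enter is pressed.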
Genymotion Desktop and Burp Suite run on the same host
You can use the IP address 10.0.3.2 from the virtual device to reach Burp Suite: IP 10.0.3.2 is a VirtualBox alias to your host loopback interface (i.e., 127.0.0.1 on your host machine).
So, if Burp Suite listens to *:8080, it can be accessed from the virtual device using the IP 10.0.3.2:8080. All you need is to set Android global proxy to this address and port:
adb shell settings put global http_proxy 10.0.3.2:8080
Unlike VirtualBox, there is no loopback interface when using QEMU. However, it is possible to use adb reverse to bind a virtual device local port to a host local port.
First set Android global proxy to localhost:3333 (or any other available port):
adb shell settings put global http_proxy localhost:3333
If Burp Suite listens to *:8080, we then need to use:
adb reverse tcp:3333 tcp:8080
In this example, this will bind the virtual device local TCP port 3333 to your host machine local TCP port 8080.
Script with gmtool to automate the process
The following scripts require gmtool advanced commands, which are only available with a paid license.
You can use scripts to combine gmtool and adb to automatically set the proxy and start a device, and unset the proxy while stopping the device. See examples below.
Start script example
## Start your device with gmtool.
## We assume Genymotion is installed in your Home folder.
"$HOME/genymotion/gmtool" admin start "your_device_name"
## Set Burp Suite proxy as global proxy to the device.
## We use proxy IP 10.0.3.2 and port 8080. Replace with your own settings.
## We use Genymotion built-in ADB.
"$HOME/genymotion/tools/adb" shell settings put global http_proxy 10.0.3.2:8080
Batch script (Windows):
REM Start your device with gmtool.
REM We assume Genymotion is installed in "C:\Program Files".
"C:\Program Files\Genymobile\Genymotion\gmtool.exe" admin start "your_device_name"
REM Set Burp Suite proxy.
REM We use proxy IP 10.0.3.2 and port 8080. Replace with your own settings.
REM We use Genymotion built-in ADB.
"C:\Program Files\Genymobile\Genymotion\tools\adb" shell settings put global http_proxy 10.0.3.2:8080
Stop script example
## Remove the global proxy settings.
"$HOME/genymotion/tools/adb" shell settings put global http_proxy :0
## Stop the running device.
"$HOME/genymotion/gmtool" admin stop "your_device_name"
Batch script (Windows):
REM Remove the global proxy settings.
"C:\Program Files\Genymobile\Genymotion\tools\adb" shell settings put global http_proxy :0
REM Stop the running device.
"C:\Program Files\Genymobile\Genymotion\gmtool.exe" admin stop "your_device_name"