Setting up Burpsuite for Android Pentesting
Everyone knows that when it comes to penetration testing, Burpsuite by PortSwigger is our best friend. While there are tons of tutorials out there that guide one through the process of configuring their go-to browser to play well with Burpsuite, what about mobile applications? How does one get Burpsuite to intercept requests from an Android APK of their choosing?

As someone new to mobile audits, this was a question that stumped me too. So here's a quick and dirty guide on how to set up Burpsuite for mobile penetration testing purposes!
Step 1: Install Prerequisite Tools

- Install Android Studio from the official website. If you are using ZSH as your preferred terminal, make sure that `~/.zshrc` is updated with the necessary environment variables:

```bash
# Set $PATH variable to zsh profile: open ~/.zshrc and add the export lines below
vim .zshrc
export ANDROID_HOME=$HOME/Library/Android/sdk
export PATH=$PATH:$ANDROID_HOME/emulator
export PATH=$PATH:$ANDROID_HOME/platform-tools
export PATH=$PATH:$ANDROID_HOME/tools
export PATH=$PATH:$ANDROID_HOME/tools/bin
export PATH=$PATH:$ANDROID_HOME/build-tools/31.0.0
# Update profile without exiting from the terminal
source .zshrc
```

In Android Studio, create the following virtual devices:

| Name | Purpose | Specification |
| --- | --- | --- |
| Playstore | w/ Google Play, to download APK | Nexus 5 API 29, Android 10.0 with Google Play, x86 |
| Rooted | w/o Google Play, a rooted environment | Nexus 5 API 23, Android 6.0, x86 |

- Install `jadx`, `apktool` and `objection` via Homebrew:

```bash
# Install jadx and apktool via Homebrew
brew install jadx
brew install apktool
# Install objection via Python package manager
pip3 install frida-tools
pip3 install objection
```
Step 2: Configure Android Emulator and Burpsuite

- At the Rooted emulator, click on the 3 dots to access the emulator settings. Navigate to Settings > Proxy > Manual Proxy Configuration and input the following:
  Hostname: 127.0.0.1
  Port number: 8082
- At Burpsuite, under Proxy > Options > Proxy Listener > Add > Binding, add the following:
  Bind to port: 8082
  Bind to address: All interfaces
- At Burpsuite, under Proxy > Options > Proxy Listener > Export CA certificate, select Certificate in DER format and export the file as Burpsuite.CER
- Drag and drop Burpsuite.CER into the Rooted emulator and install it under Settings > Credentials Storage > Install from SD Card:
  Certificate name: Burpsuite
  Certificate use: VPN and Apps

Check if traffic from the browser within the Rooted emulator is intercepted by Burpsuite; if yes, the configuration is done correctly 🙌
Step 3: Install Frida into rooted Emulator

- Install `frida-server` from the official GitHub release page. As the Rooted emulator is x86 architecture (as confirmed via `adb shell getprop ro.product.cpu.abi`), `frida-server-15.1.12-android-x86.xz` is the ideal version to download:

```bash
# Download and install Frida Server to emulator (Rooted)
unxz frida-server-15.1.12-android-x86.xz
adb push frida-server-15.1.12-android-x86 /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server-15.1.12-android-x86"
adb shell "/data/local/tmp/frida-server-15.1.12-android-x86 &"
```

Verify that Frida is correctly interacting with the Rooted emulator:

```bash
adb devices -l
frida-ps -Uai
```

If `frida-ps` returns a list of packages with similar naming conventions as `com.android.x`, you're on the right track 🎉
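The step above hard-codes the x86 build because that is what the Rooted emulator reports. As an added example (not part of the original post), the script below reads the device's ABI with `adb shell getprop ro.product.cpu.abi`, maps it to the matching frida-server release asset, and performs the push/chmod/start sequence, then checks with `frida-ps` that the server answers. The version string `15.1.12` is taken from the guide; the function names and the assumption that exactly one device is attached are mine.

```bash
#!/bin/sh
# Added example: install the frida-server build that matches the emulator's ABI.
# Assumes adb and frida-ps are on PATH and the rooted emulator is the only attached device.
FRIDA_VERSION="15.1.12"   # version used in this guide

# Map an Android ABI (output of getprop ro.product.cpu.abi) to the Frida release asset name.
frida_asset_for_abi() {
    case "$1" in
        x86)          arch="x86" ;;
        x86_64)       arch="x86_64" ;;
        armeabi-v7a)  arch="arm" ;;
        arm64-v8a)    arch="arm64" ;;
        *)  echo "unsupported ABI: $1" >&2; return 1 ;;
    esac
    echo "frida-server-${FRIDA_VERSION}-android-${arch}.xz"
}

# Decompress the asset, push it to the device, start it, and verify it is reachable.
install_frida_server() {
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    asset=$(frida_asset_for_abi "$abi") || return 1
    binary="${asset%.xz}"
    [ -f "$binary" ] || unxz -k "$asset"    # keep the .xz so it can be reused
    adb push "$binary" /data/local/tmp/
    adb shell "chmod 755 /data/local/tmp/$binary"
    # Detach stdout/stderr so the adb session does not hang on the background process.
    adb shell "/data/local/tmp/$binary >/dev/null 2>&1 &"
    sleep 2
    # Sanity check: frida-ps lists installed apps only if the server answers.
    frida-ps -Uai >/dev/null || { echo "frida-server not reachable" >&2; return 1; }
    echo "frida-server ($abi) is running"
}

# Run the install only when invoked as "sh script.sh install", so the file can also be sourced.
if [ "${1:-}" = "install" ]; then install_frida_server; fi
```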
Step 4: Download and Install APK

- Use the Playstore emulator to download the chosen APK as per normal
- Extract the APK to the local computer via `adb pull`:

```bash
# Ensure that emulator (Playstore) is running
adb shell "pm list packages | grep <APK-NAME>"
adb shell "pm path <APK-PACKAGE-NAME>"
adb pull <APK-PACKAGE-PATH> pulled.apk
```

- Patch the APK with `objection` and start the Rooted emulator:

```bash
# If there's an error during this process, you'll have to manually patch the APK
# See https://koz.io/using-frida-on-android-without-root/
objection patchapk --source pulled.apk
```

- Install the APK into the Rooted emulator and disable SSL pinning via `objection`:

```bash
# Ensure that emulator (Rooted) is running
adb install patched.apk
frida-ps -Uai | grep <APK-NAME>
# --gadget is a global objection option and goes before the explore subcommand
objection --gadget "<APK-NAME>" explore
# The following is typed at the objection prompt once explore has attached
android sslpinning disable
```

You should now be able to see the APK's traffic intercepted at Burpsuite 😎