On this blog post I want to go through how to setup your Android phone to send traffic to Burp Suite.
This tutorial will not go through how to connect your phone to be used for developing. Check the tutorial from Android Developer website if you haven't done that before.
The phone you use doesn't need to be rooted, but USB debugging from developer options needs to be set.
You should also know basics of Burp Suite.
I'm using a rooted Pixel 6a
Ubuntu 22.04.3 LTS
Android Platform Tools downloaded
If you are new to adb, I recommend you to get familiar with it first.
Let's just get started then!
Burp Suite is a software security application that is used for security testing of applications. There is a free version available that you can use if you don't have a licence.
This tutorial is not going to go through how to use Burp Suite, so you should first familiarize yourself with the application if you are new to it. There are great tutorials on Portswigger that can help you get started.
Make sure intercept is off.
To interact with
HTTPS traffic, we need to install a CA certificate on our android device.
Go to Proxy tab and choose Proxy settings. Click on
Import/export CA certificate and choose
Certificate in DER format.
Choose a location to save the file to on the next window. Name the file for example
A DER (Distinguished Encoding Rules) file is a digital certificate file that is created and stored in a binary format. It is a binary encoding for the X.509 certificates and private keys. In contrast to PEM (Privacy Enhanced Mail) files, DER files do not contain human-readable plain text statements such as —–BEGIN CERTIFICATE—–.
Using terminal, go to the location where you saved the DER file and convert it to
openssl x509 -inform der -in cert.der -out cert.pem
Connect your phone to the computer using a cable and set the phone to
file transfer mode. Make sure USB debugging is enabled from developer options.
You can check all the connected devices by going to platform-tools folder and by calling:
That command lists the connected devices and shows their id:
List of devices attached
If your device is listed with an id, it means the connection between phone and the computer should be ok.
Next, run the following command:
./adb push /path-to-file/cert.pem /sdcard/Download
This command will push the file to the
Download folder on your phone.
If you don't know the path to a file, you can go to the folder where the file is located and run
pwd in the terminal. This command returns the path to the current folder you are in.
Open Setting on your phone, search for
certificate and go to
Install a certificate. Click on
The phone will show a warning about
Your data won't be private and it will remind you to only install a certificate from an organization you trust. By installing this certificate, you can display requests sent from the phone on Burp Suite application. This means that also some sensitive data could be sent to Burp Suite. You shouldn't use your personal phone whenever you play around with all these tools.
Install anyway and locate the
cert.pem file we copied to the phone.
On the phone go to WiFi and click on the one you are connected to. Use the pencil icon (edit button) and go to Advanced options.
Proxy and choose
localhost to Proxy host and
8080 to Proxy port. Save the settings.
Sometimes you might need to configure port forwarding to get the proxy working. If the proxy doesn't work, you can run the following command:
./adb reverse tcp:8080 tcp:8080
adb reverse is a command that allows you to expose a port on your Android device to a port on your computer. Now when your phone tries to access the port 8080 (the common port for web traffic), your request will be routed to port 8080 of your computer.
Open a browser and test if
https://example.com works. Both of these websites should now be sending traffic to Burp Suite Proxy tab.
I hope this blog post helped you to understand how Burp Suite can be setup to be used on Android!
You can also follow my Instagram @whatminjahacks if you are interested to see more about my days as a Cyber Security consultant and learn more about cyber security with me!