Intercepting Mobile Traffic with Burp Suite — A Practical Guide

 

. Goal & Requirements

Goal

Use Burp Suite to intercept and inspect network traffic between a mobile app and its backend so you can analyze API requests/responses and find security issues (insecure transport, sensitive data leakage, auth flaws, etc.).

Requirements / Prerequisites

  • Burp Suite (Community or Professional).

  • Test devices: Android device/emulator and/or iOS device/simulator (physical device preferred).

  • Same Wi-Fi or USB cable (ADB) connection between device and Burp machine.

  • Basic knowledge of ADB (Android) and Frida (runtime hooking).

  • Frida + frida-server installed for runtime bypass techniques.

  • Optional: objection, apktool, jadx for static changes and binary analysis.

  • Burp CA certificate exported for installation on test devices.

2. Lab Setup — Repeatable & Isolated

Why isolation matters

Keep tests reproducible and prevent accidental leaks or interference with production networks. Use a dedicated VM or a separate laptop for Burp.

Recommended setup

  • Dedicated VM or laptop running Burp (preferably air-gapped or on a controlled network).

  • Android: emulator (Android Studio) or physical device.

  • iOS: test device (preferred) or simulator.

  • Install Frida & frida-server on devices if you plan to bypass pinning at runtime.

3. Export & Install Burp CA

Export the certificate

Burp → Proxy → Options → Import / export CA certificate → Export in DER or PEM.

Install on Android

  • User store: works for many apps, but Android 7+ apps that opt-in to stricter network config may ignore user CAs.

  • System store: requires root (install CA into system trust store if needed).

Install on iOS

  • Host certificate on a reachable location (or email it). Install profile, then enable trust: Settings → General → About → Certificate Trust Settings → Enable full trust.

4. Configure Burp Suite

Basic proxy listener

  • Proxy → Options → Add listener on 0.0.0.0:8080 (or specific interface/IP).

Intercept toggle

  • Proxy → Intercept → Toggle Intercept On/Off to capture requests live.

SSL/TLS

  • Burp supports modern TLS versions; defaults usually suffice. Adjust SSL settings in Options only if necessary.

Other settings

  • Upstream proxy chaining & client certificates: configure in Options when required.

  • Turn off enforced client certificate requirement unless testing mutual TLS.

5. Connecting Android Devices

Option A — Same Wi-Fi (simple)

  1. Find Burp machine IP (e.g., 192.168.1.100).

  2. On Android: Wi-Fi → Long-press network → Modify network → Advanced options → Proxy → Manual → Host: 192.168.1.100, Port: 8080.

Option B — ADB port forwarding (no Wi-Fi)

  • Example:

adb reverse tcp:8080 tcp:8080

(Useful when the app connects to localhost:8080 on device or to avoid Wi-Fi configuration.)

Notes

  • Android 7+ may ignore user CAs for certain apps. If CA install isn’t enough, use Frida or system CA (root) methods.

6. Connecting iOS Devices

Wi-Fi proxy

  • iOS Wi-Fi → Info (i) → Configure Proxy → Manual → Server: Burp IP, Port: 8080.

CA trust

  • Install Burp certificate → Settings → General → About → Certificate Trust Settings → Enable full trust.

iOS nuances

  • Apps using ATS or custom SecTrust evaluation may still reject user-installed CA — Frida or dynamic library injection is typically required to bypass pinning.

7. First Capture — Confirm Interception

  1. Launch the app.

  2. With Burp Intercept ON, confirm requests appear under Proxy → Intercept.

  3. If TLS errors / failures occur:

    • Confirm Burp CA installed & trusted.

    • Verify proxy settings.

    • Investigate whether the app uses Network Security Config (Android) or certificate pinning (iOS).

8. SSL Pinning — Common Bypass Strategies (Lab-safe)

Choice of strategy depends on platform, framework and protections used by the app.

Strategy A — Network Security Config (Android)

If the app uses network_security_config.xml, you can modify it during APK rebuild to allow user CAs.

Quick steps

apktool d app.apk -o app_src
# edit res/xml/network_security_config.xml to include user certs
apktool b app_src
# sign the rebuilt APK (test signing)

Note: Only works if the app respects network config and doesn’t have stronger pinning.

Strategy B — Frida (runtime hooking) — Android & iOS

Frida hooks runtime checks (no permanent binary change). Often the fastest, most flexible approach.

Android Frida example (bypass-ssl.js):

Java.perform(function () {
  try {
    var CertificatePinner = Java.use('okhttp3.CertificatePinner');
    CertificatePinner.check.overload('java.lang.String','java.util.List').implementation = function (hostname, peerCertificates) {
      console.log('[+] Bypassed okhttp3.CertificatePinner for ' + hostname);
      return;
    };
  } catch (e) { console.log('okhttp3 not found: ' + e) }

  try {
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    X509TrustManager.checkServerTrusted.implementation = function (chain, authType) {
      console.log('[+] X509TrustManager.checkServerTrusted bypassed');
      return;
    };
  } catch (e) { console.log('X509TrustManager hook failed: ' + e) }
});

Run:

frida -U -f com.example.app -l bypass-ssl.js --no-pause

iOS Frida hint
Hook SecTrustEvaluate or equivalent native APIs to force a successful trust result. Exact implementation depends on iOS version and symbols.

Strategy C — Objection (Frida wrapper)

objection --gadget com.example.app explore
# then within objection:
android sslpinning disable
# or
ios sslpinning disable

Strategy D — Binary patching (static)

Decompile (jadx/apktool), locate pinning code or native hooks, patch to remove checks, re-sign. Persistent but riskier (breaks signatures & may trigger integrity checks).

Strategy E — Root/Jailbreak + System CA

Install Burp CA into the system trust store on rooted Android or use jailbreak tools on iOS. Historically tools like SSLKillSwitch existed for iOS (modern iOS may be harder).

9. Common Pinning Targets & Where to Hook

10. Inspecting API Calls in Burp

What to inspect

  • Request URL & method (GET, POST, PUT, DELETE).

  • Request headers: Authorization, cookies, Content-Type.

  • Request body: JSON, form data, multipart, binary.

  • Response status codes, headers, and body.

  • Look for tokens, PII, API keys in bodies or query strings.

Useful Burp features

  • HTTP history — full request log.

  • Repeater — replay and modify requests manually.

  • Intruder — automated payloads (use responsibly with throttling).

  • Decoder / Comparer — analyze encodings and diffs.

  • Pretty-print JSON in response viewer.

Tests to try

  • Modify IDs (look for IDOR).

  • Tamper tokens or JWT claims.

  • Replay and change user_id or role fields.

  • Test endpoints without auth or with expired tokens.

11. Advanced Analysis Tips

  • Compare mobile vs web client behaviour (often the same endpoints behave differently).

  • Inspect WebSockets (Burp Professional supports frames).

  • If the app encrypts payloads at application layer, reverse client crypto to decrypt.

  • Watch for rate limiting and throttling; test responsibly.

  • When payloads are compressed/binary, use hex view or export for offline analysis.

12. Troubleshooting — Common Pitfalls

  • Still failing after installing CA: App probably uses pinning or only trusts system CA. Try Frida or system CA with root.

  • Frida won’t attach: Check frida-server version matches Frida client, run frida-server as root, ensure correct process privileges.

  • Anti-Frida protections: Some apps detect Frida; apply community bypass scripts or emulate expected environment.

  • Burp TLS errors: Verify SNI, TLS version/cipher compatibility, and that Burp listener uses proper IP.

  • Native pinning: May require native hooks or .so patching.

13. When Pinning Bypass Fails — Next Steps

  1. Use jadx / apktool / strings to locate pinning logic and certificates.

  2. Inspect native libraries (.so files) for pinning in C/C++ code.

  3. Hook native JNI boundary or patch native functions.

  4. Consider more advanced runtime instrumentation or patch + re-sign if legal and appropriate for lab testing.

14. Post-Intercept Analysis — What to Look For

  • Unencrypted sensitive data (passwords, tokens, PII).

  • Broken authorization (endpoints accessible without proper tokens).

  • Exposed secrets (hardcoded API keys).

  • Insecure endpoints (use of HTTP for sensitive operations).

  • Poor token handling (long-lived tokens, insecure refresh flows).

Deliverable evidence: saved requests, screenshots, and step-by-step reproduction steps.

15. Remediation Recommendations (Developer-facing)

16. Quick Command & Snippet Cheat-Sheet

Burp CA export

BurpProxyOptionsImport / export CA certificateExport (DER / PEM)

ADB reverse

adb reverse tcp:8080 tcp:8080

Start frida-server on device

# push frida-server to device, chmod, then run as root
adb push frida-server /data/local/tmp/
adb shell "chmod +x /data/local/tmp/frida-server && /data/local/tmp/frida-server &"

Launch app with Frida

frida -U -f com.example.app -l bypass-ssl.js --no-pause

Objection

objection --gadget com.example.app explore
# in objection console:
android sslpinning disable

APK unpack / rebuild

apktool d app.apk -o app_src
# edit files
apktool b app_src
# sign with apksigner

17. Example End-to-End Workflow (Concise)

  1. Setup Burp listener and export CA.

  2. Configure device proxy → Install & trust Burp CA.

  3. Attempt normal capture; if traffic appears, analyze in Burp.

  4. If TLS blocked, launch frida-server and run Frida bypass script (or use Objection).

  5. Capture the decrypted requests/responses in Burp.

  6. Document findings, collect evidence, and prepare remediation guidance.

18. Useful Tools & Resources (Self-Study)

  • Frida — dynamic instrumentation toolkit.

  • Objection — Frida-based runtime mobile exploration.

  • apktool / jadx — static Android analysis.

  • Burp Suite — proxy, repeater, intruder, history.

  • adb — Android device bridge.

  • iOS tooling — Frida + jailbreak tools for deeper instrumentation.

19. Closing Notes & Offer

Intercepting mobile traffic with Burp Suite is straightforward once devices trust your CA — the complexity is in bypassing modern pinning and protections. In lab engagements you’ll typically use a combination of Frida runtime hooks, static patching, and system CA tricks (root/jailbreak) to succeed.

If you want, I can immediately produce one of the following (pick one and I’ll write it here):

  • A one-page lab checklist (printable).

  • A polished Frida script set tailored to Android apps using OkHttp / TrustManager.

  • A report template for submitting findings to a dev team.


Comments

Post a Comment

Popular posts from this blog

Why You Should Make Cybersecurity Your Number One Priority in 2025

Image
Let’s be honest: cybersecurity isn’t just the job of the IT department anymore. By 2025, every business, big or small, will have to deal with this issue in order to stay in business. If you're a business owner and still treating it like an afterthought, you're basically leaving the front door of your store unlocked at night and hoping no one sees it. Sadly, the truth is different: attackers do notice, and when they do, the damage can be huge. We’ve seen it happen in many different fields. Cyberattacks have brought down startups, mid-sized businesses, and even big companies around the world. The money loss is often just the beginning of the problems. The loss of trust, broken customer relationships, and damage to the business's reputation that can take years to fix—if the business survives at all—are what really hurt. The good news? Cybersecurity doesn’t have to be this scary, hard problem that's always on your mind. When you use it wisely, it can be your best defence ...
Read more

Safeguarding Your Digital Future: The Top 10 Cybersecurity Companies in India

Image
  The Need for More Cybersecurity in India In the digital age, cyberattacks happen more often than ever. Experts say that by 2025, cybercrime will cost the world more than $10.5 trillion a year. India is no different; its tech scene is growing quickly. As more and more businesses move to digital platforms, the risk of cyberattacks like ransomware, data breaches, and phishing schemes is growing. This blog post will talk about the ten best cybersecurity companies in India that are doing everything they can to protect businesses from the growing number of digital threats. We’ll also talk about Digital Defense , a new company that wants to make cybersecurity solutions that are easy to use, work well, and fit each person’s needs. They even have a special offer for people who are new to the site. 1. Digital Defense: A New Company with Big Plans Overview : Digital Defense is still new, but it has already built a reputation as a cutting-edge cybersecurity company that works with small ...
Read more

Top Personal Cybersecurity Measures to Take When Trading in Crypto

Image
  Opening: Crypto gives freedom — but also responsibility When I first started watching the crypto space closely, what struck me was how different it felt from traditional finance . There’s a freedom here — no banks, no gatekeepers — but that freedom comes with a direct cost: you are responsible . If something goes wrong, there’s no bank to call and no simple refund process. That’s why personal cybersecurity matters more in crypto than almost anywhere else. Why irreversible transactions change everything Think about sending money by mistake. In a bank, you can often reverse or dispute a transfer. In crypto, once a transaction is confirmed on-chain, it’s usually final. That permanence is powerful — and terrifying if you make a mistake or fall victim to a scam. I’ve seen people lose access to funds because of a single click, and recovery options are, most of the time, non-existent. So prevention isn’t optional — it’s essential. Wallets: pick them like you’d pick a safe Your ...
Read more