Prerequisites
- Burp suite
- openssl (optional)
Step 1 – Setting up Burp Suite
Go to the proxy tab then the options tab. Add a new listener on all interfaces on whatever port you’d like.
Here, we will choose 8080:
- Click import/export CA certificate > Export > Certificate in DER format
- Choose a path and name it anything with a .cer extension
- Click Next
Note
We will use the name Burp_cert.cer
as an example for this tutorial.
Step 2 – Upload and install the Burp Suite Certificate
Method 1 – Install as a user certificate
- Start your device.
- Drag’n drop the Burp_cert.cer file you generated to the device display.
- Go to Android Settings and search install a certificate. In the results, click Install certificates from SD Card and select CA certificate. Click install anyway to bypass the warning.
- Navigate to
/sdcard/Download
and click on Burp_cert.cer. - If you are using Android 9 or below, you may be requested to set a secure lock screen. Comply and set a lock:
To verify whether the certificate is properly installed, go to Android settings, search and click Trusted credentials. You should see the certificate in the USER tab:
Method 2 – Install as a system-level trusted CA
Warning
This method is for advanced users and may break the Android system of the virtual device: it should only be considered as last resort if Method 1 fail. Use at your own risks!
1. Convert the certificate
First, we need to convert Burp certificate into PEM format. Use openssl
to convert DER to PEM:
openssl x509 -inform DER -in Burp_cert.cer -out Burp_cert.pem
and output the subject_hash_old
:
openssl x509 -inform PEM -subject_hash_old -in Burp_cert.pem |head -1
Then, rename the file with the output hash from the last command. For example, if the hash is 9a5ba575
, rename the file as 9a5ba575.0
:
mv Burp_cert.pem 9a5ba575.0
2. Install the certificate
Upload and install the .0 certificate:
# remount the system partition
adb remount
# Upload the certificate
adb push <cert>.0 /system/etc/security/cacerts/
# Change the certificate permissions
adb shell chmod 664 /system/etc/security/cacerts/<cert>.0
For example, with the 9a5ba575.0 certificate:
adb remount
adb push 9a5ba575.0 /system/etc/security/cacerts/
adb shell chmod 664 /system/etc/security/cacerts/9a5ba575.0
Then, reboot the device.
After the device reboots, browsing to Settings -> Security -> Trusted Credentials should show the new “Portswigger CA” as a system trusted CA:
Step 3 – Set Android global proxy to Burp Suite proxy
Though it is possible to use Android settings, we recommend using ADB command line tool which is more reliable and easier to handle.
Note
If you do not have, or wish to install, Android SDK tools, you can use Genymotion ADB built-in tool. Please refer to Genymotion Desktop user guide for more information.
To set the global proxy, use the following adb command:
adb shell settings put global http_proxy <burp_proxy_ip>:<burp_listening_port>
<burp_proxy_ip>
is the IP of the host machine where Burp Suite is running, <burp_listening_port>
is Burp Suite Listening port.
For example, if Burp is running on a host machine with IP 192.168.1.84 and is listening to port 8080, then the command should look like:
adb shell settings put global http_proxy 192.168.1.84:8080
From then, Internet traffic should be redirected to Burp Suite.
Note
Though this setting is global, applications may have their own proxy settings which cannot be controlled this way. The only solution in this case is to use a third party Android application, such as ProxyDroid, to redirect all trafic from the device to Burp Suite proxy.
Disable global proxy
Important
If the proxy is still set after stopping the device, Wifi may be disabled the next time you start the device. To avoid this, make sure to unset the global proxy before stopping the device.
Use the following ADB command to unset the proxy:
adb shell settings put global http_proxy :0
Extras
Genymotion Desktop and Burp Suite run on the same host
With VirtualBox
You can use the IP address 10.0.3.2
from the virtual device to reach Burp Suite: IP 10.0.3.2
is a VirtualBox alias to your host loopback interface (i.e., 127.0.0.1 on your host machine).
So, if Burp Suite listens to *:8080
, it can be accessed from the virtual device using the IP 10.0.3.2:8080
. All you need is to set Android global proxy to this address and port:
adb shell settings put global http_proxy 10.0.3.2:8080
With QEMU
Unlike VirtualBox, there is no loopback interface when using QEMU. However, it is possible to use adb reverse
to bind a virtual device local port to a host local port.
First set Android global proxy to localhost:3333 (or any other available port):
adb shell settings put global http_proxy localhost:3333
If Burp Suite listens to *:8080, we then need to use:
adb reverse tcp:3333 tcp:8080
In this example, this will bind the virtual device local TCP port 3333 to your host machine local TCP port 8080.
Script with gmtool to automate the process
Note
The following scripts require gmtool advanced commands which are only available with a paying license.
You can use scripts to combine gmtool and adb to automatically set the proxy and start a device, and unset the proxy while stopping the device. See examples below.
Start script example
Shell script (Linux, macOS):
#!/bin/bash
## Start your device with gmtool.
## We assume Genymotion is installed in your Home folder.
$home/genymotion/gmtool admin start "your_device_name"
## Set Burp Suite proxy as global proxy to the device.
## We use proxy IP 10.0.3.2 and port 8080. Replace with your own settings.
## We use Genymotion built-in ADB.
$home/genymotion/tools/adb shell settings put global http_proxy 10.0.3.2:8080
Batch script (Windows):
@echo off
REM Start your device with gmtool.
REM We assume Genymotion is installed in "C:\Program Files".
C:\Program Files\Genymobile\Genymotion\gmtool.exe admin start "your_device_name"
REM Set Burp Suite proxy.
REM We use proxy IP 10.0.3.2 and port 8080. Replace with your own settings.
REM We use Genymotion built-in ADB
C:\Program Files\Genymobile\Genymotion\tools\adb shell settings put global http_proxy 10.0.3.2:8080
Stop script example
Shell script (Linux, macOS):
#!/bin/bash
## Remove the global proxy settings.
$home/genymotion/tools/adb shell settings put global http_proxy :0
## Stop the running device.
$home/genymotion/gmtool admin stop "your_device_name"
Batch script (Windows):
@echo off
REM Remove the global proxy settings.
C:\Program Files\Genymobile\Genymotion\tools\adb shell settings put global http_proxy :0
REM Stop the running device.
C:\Program Files\Genymobile\Genymotion\gmtool.exe admin stop "your_device_name"