Intercepting Android App Traffic with BurpSuite
Summary
TLDR: In this video, IPC demonstrates how to intercept Android app traffic with Burp Suite on modern Android versions. He covers setting up Genymotion as the virtual machine, installing Burp Suite's CA certificate into the system trust store, and defeating certificate pinning with Frida. IPC also shows how to get past the pinning in apps such as Instagram and successfully intercept API traffic. The tutorial walks through the practical obstacles of Android traffic interception, in particular getting the proxy CA certificate trusted on recent Android releases, and is a useful resource for anyone interested in app security and network traffic analysis.
Takeaways
- 😀 Use Burp Suite to intercept traffic from Android apps by configuring a proxy and certificate on a virtualized Android device.
- 😀 To set up the Android environment, install Genymotion, VirtualBox, and ADB on your host machine.
- 😀 Genymotion is preferred over Android Studio's emulator for running Android VMs because the author found it smoother and more reliable.
- 😀 Burp Suite's CA certificate must be installed in the system trust store of the Android VM, not the user store, for apps to trust it.
- 😀 Remount the /system partition read-write (RW) so the Burp Suite CA certificate can be pushed into the system certificate directory on the device.
- 😀 Use ADB commands to configure a proxy on the Android device, allowing it to route traffic through Burp Suite.
- 😀 For interception to work, configure Burp Suite's proxy listener to bind to all interfaces (not just loopback) and make sure the device's proxy setting points at the host's address and that port.
- 😀 When dealing with Google Play Store traffic, it's advisable to unset the proxy to avoid slow download speeds.
- 😀 Install the target Android app (e.g., the ‘Won’ app) to intercept API requests and explore the endpoints for further manipulation or automation.
- 😀 Instagram employs certificate pinning to prevent traffic interception, which can be bypassed using Frida, a tool for hooking and modifying app behavior in real time.
- 😀 Frida allows you to disable SSL certificate validation in real-time for apps like Instagram, enabling successful interception of encrypted traffic.
Q & A
What is the purpose of using Burp Suite in this tutorial?
-Burp Suite is used to intercept and analyze the HTTP/S traffic between the Android app and the server. This allows the user to examine the API endpoints, debug, and modify the traffic for various purposes, such as automating tasks or understanding app behavior.
Why does the tutorial focus on using Genymotion instead of Android Studio?
-The tutorial favors Genymotion because the author finds it more stable and reliable for running Android virtual machines, whereas Android Studio's emulator had caused issues in the past. Genymotion is simpler and provides a faster setup for Android emulation.
How do you install the Burp Suite certificate on an Android device in this tutorial?
-The Burp Suite CA certificate is exported from Burp, converted to PEM, renamed to the OpenSSL subject hash of its subject name with a `.0` suffix, and pushed with ADB into the device's system certificate directory (`/system/etc/security/cacerts/`) after /system has been remounted read-write. A certificate placed there shows up under the system CAs in Android's security settings and is trusted by apps; installing it through the settings UI instead would only put it in the user store.
What problem does the tutorial address regarding Android's certificate handling?
-The tutorial addresses the change introduced in Android 7 (Nougat, API level 24): apps that target this level or later no longer trust user-installed certificate authorities (CAs) by default, so a CA added through the settings UI is ignored by most apps. The proxy CA therefore has to go into the system trust store, which requires root access on the device and remounting the system partition read-write.
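The renaming step is where this procedure most often goes wrong, so here is an added example (not code from the video and not PortSwigger's own tooling) that computes the filename Android expects for a CA certificate. Files in `/system/etc/security/cacerts/` are named `<hash>.0`, where `<hash>` is OpenSSL's legacy subject hash (what `openssl x509 -subject_hash_old` prints): the MD5 of the DER-encoded subject Name, first four bytes read as a little-endian 32-bit integer, as eight hex digits. The script walks the DER itself so it needs no OpenSSL; the sample certificate it builds is a constructed placeholder with the right field layout, not a real signed certificate, and the `adb` commands it prints assume a rooted VM where `adb remount` works, as in the Genymotion setup described above.

```python
"""Derive the Android system-store filename (<subject_hash_old>.0) for a CA cert."""
import base64
import hashlib
import struct
import sys


def load_cert(data: bytes) -> bytes:
    """Return raw DER from either DER or PEM input (Burp can export both)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line.strip() for line in data.splitlines()
                        if line.strip() and not line.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def to_pem(der: bytes) -> bytes:
    """Android reads the cacerts files as PEM, so the pushed file must be PEM."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def _read_tlv(buf: bytes, pos: int):
    """Parse one single-byte-tag DER TLV; returns (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: low 7 bits = number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_subject(cert_der: bytes) -> bytes:
    """Return the complete DER TLV of the subject Name of an X.509 certificate."""
    tag, tbs_at, _ = _read_tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, tbs_at)            # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                      # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                                   # serialNumber, signature, issuer, validity
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)               # subject Name
    if tag != 0x30:
        raise ValueError("subject Name missing")
    return cert_der[pos:end]


def subject_hash_old(name_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old: MD5 of the DER Name, first 4 bytes little-endian."""
    digest = hashlib.md5(name_der).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def android_cacert_filename(cert: bytes) -> str:
    """Filename to use under /system/etc/security/cacerts/ (note the '.0' suffix)."""
    return subject_hash_old(der_subject(load_cert(cert))) + ".0"


# --- constructed sample certificate: correct DER layout, placeholder key/signature ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName."""
    oid_cn = b"\x06\x03\x55\x04\x03"                     # OID 2.5.4.3 (commonName)
    atv = _tlv(0x30, oid_cn + _tlv(0x13, cn.encode("ascii")))   # 0x13 = PrintableString
    return _tlv(0x30, _tlv(0x31, atv))


def build_sample_cert(cn: str) -> bytes:
    """Self-signed-CA-shaped DER; issuer == subject, empty SPKI, dummy signature."""
    name = encode_name(cn)
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))            # v3
    serial = _tlv(0x02, b"\x01")
    sig_alg = _tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")  # sha256WithRSA, NULL
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    tbs = _tlv(0x30, version + serial + sig_alg + name + validity + name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    # Usage: python cacert_name.py cacert.der   (cacert.der = Burp's exported CA certificate)
    if len(sys.argv) > 1:
        src = open(sys.argv[1], "rb").read()
        fname = android_cacert_filename(src)
        with open(fname, "wb") as f:
            f.write(to_pem(load_cert(src)))
        print(f"wrote {fname}; next: adb root && adb remount && "
              f"adb push {fname} /system/etc/security/cacerts/ && "
              f"adb shell chmod 644 /system/etc/security/cacerts/{fname}")
    else:
        print("sample:", android_cacert_filename(build_sample_cert("PortSwigger CA")))
```

The legacy hash matters: `openssl x509 -subject_hash` (without `_old`) uses SHA-1 over a canonicalised name and yields a different value, and a file with that name is silently ignored by Android. The `.0` suffix is the per-hash index; it only needs to change if two trusted CAs share a subject hash.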
What role does Frida play in this tutorial?
-Frida is used to bypass certificate pinning in Android apps, specifically Instagram in this case. By injecting JavaScript into the running app process, Frida hooks the functions that validate the server certificate and makes them accept the proxy's certificate, allowing traffic interception in apps that would otherwise reject the Burp CA even when it is trusted by the system.
What is certificate pinning, and why is it important in this context?
-Certificate pinning is a security technique that ensures an app only trusts a specific SSL certificate when establishing secure connections. It is important here because apps like Instagram use it to prevent interception of their HTTPS traffic, and bypassing it is necessary to intercept the traffic with tools like Burp Suite.
How do you configure a proxy on the Android VM?
-The proxy is configured with ADB's global settings command, `adb shell settings put global http_proxy <host-ip>:8080`, where `<host-ip>` is the address of the machine running Burp Suite as reachable from the VM (not `localhost`, which inside the VM refers to the VM itself) and 8080 is Burp's default listener port. Apps that honour the system proxy setting, which is most apps using the standard Android HTTP stacks, then send their HTTP/S traffic through Burp Suite.
Why is it necessary to unset the proxy after intercepting traffic?
-Unsetting the proxy stops routing the device's traffic through Burp Suite, which otherwise slows down unrelated operations such as Google Play Store downloads and fills Burp's history with traffic you are not interested in. It is cleared with `adb shell settings put global http_proxy :0`.
What issue arises when trying to intercept Instagram's traffic, and how is it solved?
-Instagram uses certificate pinning, which blocks interception by standard methods. This is solved by using Frida to inject scripts into the app that bypass the certificate pinning mechanism and allow the interception of traffic through Burp Suite.
What steps are required to install Frida and use it for bypassing SSL pinning?
-First the Frida client tools are installed on the workstation with `pip install frida-tools`. Then the matching `frida-server` binary for the device's architecture is downloaded from Frida's releases, pushed to the Android device with ADB, made executable, and started as root. With the server running, a pinning-bypass script is loaded into the target app from the workstation (for example `frida -U -f <package> -l bypass.js`); the script hooks the app's certificate verification functions so that the connection to Burp's proxy certificate is accepted. The server version must match the installed `frida-tools` version, and a generic Java-layer hook only helps when the pinning is implemented in Java rather than in the app's native code.