Intercepting Traffic on Android 9 Pie (Emulated) with Burp Suite

This post is a quick and dirty guide on setting up proxy interception on Android 9 Pie (this should also roughly work for 7/8) so that regular app traffic is proxied through Burp for all your hacking needs. The main reason for this being more complex then the ways of old (Android 5/6) is that with Android 7.0 apps no longer trust user certs by default; meaning that the app must be either configured to trust user certs, or the cert must be installed as a root CA.

I will be going into achieving interception via installing a custom root certificate on an emulated device. Please refer to the references for more details on other methods such as recompiling the App, or using Magisk if you need to intercept on a physical phone. Furthermore if you want to intercept on Android 10 refer to the interesting notes section as there are currently a number of problems around this.


Its assumed that you already have adb, Android Emulator, and an emulated android device setup and ready to go for testing, so start up your emulated android device with the following command:

Shell# ./emulator -avd <AVD> -writable-system

Next we need to create our own CA Cert that both Android and Burp will accept. This can be done with the following commands:

Shell# mkdir certs
Shell# cd certs
Shell# wget http://web.mit.edu/crypto/openssl.cnf
Shell# openssl req -x509 -days 730 -nodes -newkey rsa:2048 -outform der -keyout server.key -out ca.der -extensions v3_ca -config openssl.cnf
(For this command the input can be anything you want it to be, just note the Organization Name will be whats shown in the ROOT CA List later on)
Shell# openssl rsa -in server.key -inform pem -out server.key.der -outform der
Shell# openssl pkcs8 -topk8 -in server.key.der -inform der -out server.key.pkcs8.der -outform der -nocrypt
Shell#openssl x509 -inform DER -in ca.der -out ca.pem

At this point we need to now change the name of the resulting ca.pem to its subject_hash_old value due to certificate naming conventions on Android.

Shell# openssl x509 -inform PEM -subject_hash_old -in ca.pem | head -1
Output# (Randomnumber)
Shell# cp ca.pem (Randomnumber).0

With this now named correctly we can copy the certificate over to the device. To do this we need to run a couple of commands to ensure that we have write permissions across the device.

Shell# adb root
Shell# adb remount

Make sure your also running the emulator with the -writable-system flag otherwise the following steps for writing to the system will fail.

Shell# adb push (Randomnumber).0 /data/local/tmp/ 
Shell# adb shell
Android-Shell# cp /data/local/tmp/(Randomnumber).0 /system/etc/security/cacerts/
Android-Shell# chmod 644 /system/etc/security/cacerts/(Randomnumber).0

The certificate should now show up in our trusted root certificates list as shown:

All that is left to do now is to import the previously created certificates into Burp and setup interception. To do go into Burp and import the relevent certificates by going to Proxy > Options > Import / Export CA Certificate > Import -> Certificate and priate key in DER format:

Now lastly restart the emulator with the http-proxy option as shown:

Shell# ./emulator -avd <AVD> -http-proxy http://127.0.0.1:8080 -writable-system

You should now be able to intercept regular traffic going through the device!

I hope this helps, feel free to leave comments with questions if anything is unclear or you run into problems!


References & Other Sources:

Bypassing Network Security Configuration via recompiling app
Intercepting traffic using magisk and burp
MSTG Guide on intercepting traffic


Interesting Notes:

• This form of interception will not work for all applications; for example if the application is built using Flutter (xamarin is another example too) then special more time consuming steps will need to be taken in order to intercept traffic. For more information see the great works of Jeroen Beckers at https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/

• This method of interception will also not work for Android 10 on an emulated device. There are a number of issues surrounding this but a basic run down of these issues is that its not possible to mount a writable system on the Android Studio Emulator at present.

In theory it is possible to use Magisk in order to do the above modifications without needing direct RW access on the emulator; however this is a topic for another blog post or for your own research:
Magisk on Android 10
Magisk Emulator Script
Also note if your using a physical device you can use Magisk as normal to achieve 'write access' on the system and install a certificate as shown above.