
Genymotion: Proxying App Traffic Through Burp Suite

This webcast was originally published on April 7, 2023.

In this video, Cameron from Black Hills Information Security discusses how to proxy traffic through Burp from the Android emulator Genymotion. She demonstrates the setup process from creating a virtual device to intercepting application traffic using advanced network configuration and proxy settings. The tutorial includes exporting and installing certificates on the emulator to enable secure traffic analysis.

  • Setting up a proxy in Burp for Android traffic inspection requires installing and configuring both the emulator and the proxy settings appropriately.
  • Installation of the Burp certificate on the Android device is critical for the proxy to inspect HTTPS traffic, which involves converting the certificate to a suitable format and modifying system settings on the device.
  • Troubleshooting proxy and emulator issues is a part of the setup process, including ensuring the device is rooted for certain operations and restarting the proxy if traffic does not flow as expected.

Transcript

Cameron Cartier

Howdy, folks. I’m Cameron with Black Hills Information Security. What we’re talking about today is proxying traffic through Burp from the Android emulator Genymotion.

So we’re going to go all the way from creating the device through looking at application traffic. So once you have Genymotion installed, you’re just going to hit the plus. I am going to create another Google Pixel.

And for the Android version you can go up to twelve. I’d select eleven, just because everything seems to work on eleven. For the most part, these should be good.

You can change whatever you want, but the defaults are perfectly acceptable for our purposes. And so then it’ll install and you can just click start.

If the device fails to start, especially if you’re on an older machine, you may have to go into your BIOS settings and enable virtualization.

But it looks like we’re good here. That came up pretty quickly. Most of the system apps are boring.

So if I want to be able to install apps from, let’s say, the Google Play Store, I’m going to go over here to this Open GApps option, click on it, accept, and then this is going to install all the Google stuff.

All right? And then we’ll have to restart the device. We’ll just do that now. And while that’s happening, let’s set up our proxy in Burp. So we’re going to pull up Burp.

I’m using the Professional version, but all of this will work on Burp Suite Community as well. You want to go to Proxy, click on your proxy settings.

By default it’ll be proxying on localhost 8080. We’re going to add a new proxy and, let’s see, so we could bind to the Wi-Fi IP, but for now we’re just going to do all interfaces.

In practice, this is typically a bad idea if there’s other people on your network, because that means anyone could put in the host and port of your device and start using your proxy.

I don’t know why they’d want to, but for now we’re just going to do that. And then let’s say port 8082. That’s a good one.

And press OK, accept the warning. I’m going to uncheck the proxy on 8080. We shouldn’t be getting anything through that anyway.

And then once you have that set up, that should be good. While we’re on this screen, we’re going to export the certificate. We’ll have to import this to the device in order for our device to trust Burp to proxy traffic. Certificate in DER format, press Next, select a place to save it, and yep, the folder guardian is going to work.

Press Save, press Next. And then you should see the certificate was successfully exported. Cool. Then you can X out of that.

All right, so now the Burp proxy is running. Now with a lot of emulators, you’d have to scroll up, go into Settings, and then set your proxy under the advanced options.

That is not how we’re going to do it today. We’re actually going to use ADB to proxy traffic from our device to our local machine.

So I guess the first thing we want to do is connect to the device via ADB. So if we run ADB devices, good, we can see we have one device and that is our Google Pixel emulator.

So we can run ADB connect. And then if you just want to check that that’s working, ADB shell should drop you into a device shell.

Cool. And so all of the commands that we’re using will be linked in the video description. Create the local proxy to localhost 3333. That exits without an error.

So we should be good. And then ADB reverse: we’re going from 3333 to TCP whatever our Burp port was.

If you forgot, you can just go back into your proxy settings, and we see it’s 8082.

All right, well, that appears to have worked. So let’s pull up Burp again and go over to our HTTP history. Let’s search for something.

Let’s say hello world. We see we got some traffic to 302. It’s not exactly what we wanted and nothing’s happening on our emulator.

This is because we have not yet installed the Burp certificate on this device, which is needed for any traffic to be encrypted.

So there’s two ways to install trusted certificates on Android. There’s the user store, and then there’s the system store. As of, I think it’s Android 11, apps by default will not trust certificates that are installed in the user store. So we’re going to go straight ahead and install it to the system. To do this, it’s a little bit more of an involved process, and we need to be able to mount the system as writable, which requires root.

That’s okay, because most emulators give you a rooted device by default. Android also expects all certificates to be in a certain format, so we exported the Burp certificate in DER format, but Android wants a PEM.

So we’re going to use OpenSSL to convert that. All right? And now in addition to it being in the PEM format, it has to be named with the hash of the file.

So we can also do that using OpenSSL. And then piping that through head -1 just gives us the hash value. So the file has to be named exactly that, with a zero.

Cool. All right, now that certificate is ready to be put on the device. So the first thing we’re going to do, we’re going to restart ADB as root.

It’s already running as root. And then ADB remount. This remounts the system partition as writable; otherwise we would not be able to write to /system/whatever. You should see “remount succeeded”.

If you get any other message, this probably is not going to work and we’ll have to do some debugging. But luckily it worked this time. Next we are going to push the certificate to the SD card on the device.

Alright, one file pushed. Now we can do ADB shell and we are going to move it from the SD card to the folder that the Android device expects it to be in.

All right? And then last thing, just like you might do with ssh keys, we are going to change the permissions on that and it should be there.

Cool, cool, cool. All right, we’ll go back to Burp and we’ll try our hello world again, and it’s still not happy.

See, we got a bad request up here at some point. So as the first line of defense usually is, we are going to just restart this device.

All right? Now since we restarted that device, we’re going to have to restart our proxy and go here, enter.

All right? And suddenly we have some more traffic. I don’t know what that is. Let’s clear it. Yes. And let’s do our hello world again.

Perfect. We have Internet connectivity. Another thing I like to do, click on this enough times until it starts ordering traffic in reverse order.

So that way the newest requests show up on top. Yep. So we’ve got Android, Google APIs, plenty of these 204s are just connectivity checks.

And then we have plenty of traffic going out that we didn’t ask for. But that’s fine. So earlier we installed Open GApps. So that means we can go to the Play Store, and let’s log in.

I’m going to do that off screen, but you can still see Burp, which tells you exactly how loud Google Play is. That’s cool. And voilà.

350-some requests later, we have made it to the Google Play Store. All right, so what’s a good app? One I haven’t checked out yet is BeReal.

Let’s do that one, install. I’m going to clear all of the traffic and open it. “One notification every day.”

It sounds real threatening when you put it that way, guys. Okay, so we have a couple of 204s. Why is it doing these things?

Firebase. That’s probably the BeReal app. This one’s probably the BeReal app. You can see.

So just a side note, there’s nothing illegal about looking at this traffic. If you just take an app off the Play Store and start editing these requests and then sending malicious payloads or otherwise unexpected data, that is bad.

Don’t do that. That can get you in trouble. You get in trouble. I am not responsible for that. Oh, so we see all the things it’s sending: our platform data, the device manufacturer.

So this app, for example, knows we’re running on an emulator. And some apps might do things to prevent that. Yep, yep. Interesting things. So not all apps are just going to work.

And that’s because of something called certificate pinning. So if I... let’s search for Instagram. Just because your device trusts a certificate authority.

In this instance, we installed the Burp cert, which tells it PortSwigger is a certificate authority and should be trusted to relay SSL and TLS traffic.

That doesn’t mean that the apps will. So, for example, Instagram will not trust Burp to proxy its traffic.

There is something in the code that says, I only want direct connections to some certificate related to Instagram to be allowed. And a good way to detect that is if everything else is working properly.

And then you go to open the app and it tells you something is very, very wrong. There are typically ways to bypass this, but that’s not what we’re talking about today.

So that’s all I’ve got for you. So as far as actually analyzing traffic, that’s going to be for another day and another time. So quick recap. We installed an Android virtual device using the Genymotion emulator.

We used Open GApps to get access to all the Google things. We set up a proxy through ADB so that all of our device traffic is proxied through Burp.

We exported the Burp certificate, installed it to the Android system store so that apps would trust it, and then we looked at some traffic. So that’s all I’ve got for today.

If you enjoyed this video, give it a thumbs up, subscribe and we will see you next time.
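The command sequence Cameron walks through (certificate conversion and hash naming, pushing it into the system store, and the ADB-based proxy) collected into one POSIX shell script as an added example; this is not the webcast's own material, and the command list linked in the video description is not on this page. It assumes `openssl` and `adb` are on the PATH, that the Genymotion device is rooted and already listed by `adb devices`, and that Burp's listener is on port 8082 as in the video. The `.0` suffix, the `/system/etc/security/cacerts/` directory and the `settings put global http_proxy` command are the standard Android mechanisms the transcript describes without naming; the `teardown_adb_proxy` function is an addition the video does not cover.

```shell
#!/bin/sh
# Added example (not from the BHIS webcast): the transcript's certificate
# preparation and ADB proxy steps, wrapped in shell functions.
# Assumes: openssl and adb on the PATH, and a rooted Genymotion device
# already visible in `adb devices` (emulators are rooted by default).
set -eu

# Convert the DER export from Burp to PEM and rename it <hash>.0, where
# <hash> is the OpenSSL "old" subject hash that Android's system CA store
# keys its files by (the transcript's openssl + head -1 step).
# Usage: prepare_android_ca burp.der outdir  -> prints the new file's path
prepare_android_ca() {
    der="$1"
    outdir="$2"
    mkdir -p "$outdir"
    openssl x509 -inform DER -in "$der" -outform PEM -out "$outdir/burp.pem"
    # Without -noout, openssl prints the hash on the first line and then the
    # PEM body; head -n 1 keeps just the hash.
    hash=$(openssl x509 -inform PEM -subject_hash_old -in "$outdir/burp.pem" | head -n 1)
    mv "$outdir/burp.pem" "$outdir/$hash.0"
    printf '%s\n' "$outdir/$hash.0"
}

# Place the prepared CA in the system store (adb root / remount / push /
# mv / chmod, as in the transcript). /system/etc/security/cacerts/ is
# Android's system CA directory; mode 644 matches the files already there.
install_android_ca() {
    certfile="$1"
    name=$(basename "$certfile")
    adb root
    adb remount                     # must print "remount succeeded"
    adb push "$certfile" "/sdcard/$name"
    adb shell "mv /sdcard/$name /system/etc/security/cacerts/$name && chmod 644 /system/etc/security/cacerts/$name"
}

# The transcript's ADB-based proxy: the device's global HTTP proxy points at
# port 3333 on the device itself, and adb reverse carries that port back to
# Burp's listener on the host. Redo this after every emulator reboot.
setup_adb_proxy() {
    burp_port="${1:-8082}"          # 8082 is the listener created in the video
    adb shell settings put global http_proxy localhost:3333
    adb reverse tcp:3333 "tcp:$burp_port"
}

# Undo the proxy when testing is done, so the device is not left pointing at
# a listener that no longer exists (":0" clears the global proxy setting).
teardown_adb_proxy() {
    adb shell settings put global http_proxy :0
    adb reverse --remove tcp:3333
}

# Usage: sh burp_android_proxy.sh burp.der 8082
if [ "$#" -eq 2 ]; then
    ca=$(prepare_android_ca "$1" ./android-ca)
    install_android_ca "$ca"
    setup_adb_proxy "$2"
    echo "Reboot the emulator so the new CA is picked up, then rerun: setup_adb_proxy $2"
fi
```

After the reboot that the video does, only `setup_adb_proxy` needs rerunning, since `adb reverse` mappings do not survive a restart. Because `adb reverse` delivers the device's connections from the host's own adb server, Burp's listener can stay bound to 127.0.0.1 instead of all interfaces, which avoids the exposure to other people on the network that the transcript warns about.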