The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Android Mobile Application testing CA Certification issue

Suranga | Last updated: Sep 02, 2018 06:10AM UTC

Hi, I am trying to test a mobile banking application with my Android device (5.1.1) and Burp Suite 2.0.03beta.

1.) Initially, what I did was install the Burp CA certificate WITHOUT rooting the device. The certificate was installed under USER in trusted credentials. All the HTTPS traffic can be intercepted via the browser, but the mobile banking app gave me an error called "insecure connection detected" and the application is not going to open.

2.) After that I rooted my mobile phone and installed the Burp CA certificate. The certificate was installed under SYSTEM in trusted credentials. Commands:

    openssl x509 -inform DER -in cacert.der -out cacert.pem
    openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
    mv cacert.pem <hash>.0
    mv /sdcard/<hash>.0 /system/etc/security/cacerts/
    chmod 644 /system/etc/security/cacerts/<hash>.0

Then I removed root access from the mobile phone and tried to intercept HTTPS traffic via the browser; it gave me the error "YOUR CONNECTION IS NOT PRIVATE".

Installing the Burp CA certificate as SYSTEM trusted credentials: https://ibb.co/cdEYhz
HTTPS traffic error after installing the Burp CA certificate as SYSTEM trusted credentials: https://ibb.co/eM3XaK

The online banking mobile application gave me the error "insecure connection detected". I appreciate your kind support.
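The `<hash>.0` file name in the commands above is whatever `openssl x509 -subject_hash_old` prints: the MD5 of the DER-encoded subject Name, first four digest bytes read little-endian, as eight lowercase hex digits. The following Python is an added example, not code from the post or from PortSwigger; it recomputes that name from a DER certificate so that someone auditing `/system/etc/security/cacerts/` can confirm a file name actually belongs to the certificate inside it. All function names are hypothetical, and `build_fake_cert` produces a constructed, unsigned certificate shell purely to exercise the parser; a real `cacert.der` exported from Burp can be passed to `android_cacert_filename` as-is.

```python
import hashlib

# Added example (not from the forum post). Reproduces OpenSSL's
# X509_NAME_hash_old: MD5 over the complete DER encoding of the Name,
# with the first four digest bytes taken little-endian and printed %08x.


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos.
    X.509 certificates only use single-byte tags, so that is all we handle."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low bits give the number of length bytes
        num_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + num_bytes], "big")
        pos += num_bytes
    return tag, pos, pos + length


def certificate_names(cert_der: bytes):
    """Return (issuer_der, subject_der), each as the complete Name TLV."""
    tag, tbs_start, _ = _read_tlv(cert_der, 0)        # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, tbs_start)     # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version
        pos = end
    # RFC 5280 order: serialNumber, signature, issuer, validity, subject
    fields = []
    for _ in range(5):
        _, _, end = _read_tlv(cert_der, pos)
        fields.append(cert_der[pos:end])             # whole TLV, header included
        pos = end
    return fields[2], fields[4]


def subject_hash_old(name_der: bytes) -> str:
    digest = hashlib.md5(name_der).digest()
    return format(int.from_bytes(digest[:4], "little"), "08x")


def android_cacert_filename(cert_der: bytes) -> str:
    """File name Android expects for this CA under /system/etc/security/cacerts/."""
    _, subject = certificate_names(cert_der)
    return subject_hash_old(subject) + ".0"


def filename_matches(cert_der: bytes, filename: str) -> bool:
    """True if a cacerts file name really belongs to the certificate it holds."""
    return filename == android_cacert_filename(cert_der)


# --- constructed input: a structurally valid but unsigned certificate shell ---

def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _name(common_name: str) -> bytes:
    # Name = SEQUENCE OF RDN; RDN = SET OF { OID 2.5.4.3 (commonName), UTF8String }
    attr = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, common_name.encode()))
    return _tlv(0x30, _tlv(0x31, attr))


_SHA256_RSA = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))


def build_fake_cert(issuer_cn: str, subject_cn: str) -> bytes:
    """Constructed DER following the TBSCertificate field order; key and
    signature are empty placeholders, so this only exercises the parser."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                    # version v3
           + _tlv(0x02, b"\x01")                               # serialNumber
           + _SHA256_RSA                                       # signature algorithm
           + _name(issuer_cn)                                  # issuer
           + _tlv(0x30, _tlv(0x17, b"180101000000Z") + _tlv(0x17, b"280101000000Z"))
           + _name(subject_cn)                                 # subject
           + _tlv(0x30, b""))                                  # subjectPublicKeyInfo placeholder
    return _tlv(0x30, _tlv(0x30, tbs) + _SHA256_RSA + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    ca = build_fake_cert("Constructed Root CA", "Constructed Root CA")
    print(android_cacert_filename(ca))
```

Running `android_cacert_filename(open("cacert.der", "rb").read())` against the exported Burp certificate should print the same value as the `openssl ... -subject_hash_old | head -1` step; if the file on the device carries a different name, Android will not load it, which is one thing to rule out before concluding the app pins its certificates.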

Liam, PortSwigger Agent | Last updated: Sep 03, 2018 06:59AM UTC

It's possible that the native app is not using the CA certificate that you have installed on the device and which is being used by the device's browser. Some native apps use their own certificate trust store, and some implement certificate pinning to only trust specific server-side certificates. In this situation, breaking the SSL tunnel is non-trivial and may entail jailbreaking the device or using some other advanced tools.

Usually, we would advise setting up Android with ProxyDroid and FS Cert Installer to push HTTPS app traffic to Burp Suite:

- Reset Burp Suite.
- Turn on "listen on all interfaces".

Android host:

- Remove all user certs.
- Stop the task and remove data for ProxyDroid and FS Cert Installer (you can just uninstall and reinstall).
- Put the phone in airplane mode, then turn on Wi-Fi.
- In FS Cert Installer, put in the proxy IP and port, then click the middle button.
- Add the CA and add it under "WIFI Cert" in the dropdown.
- Then click "test chain"; it should all be green/yes for www.google.com.
- For ProxyDroid, just put in the IP and port and also tunnel DNS.
- Kill or reinstall any apps before you start to make sure they go through the proxy properly.

Please let us know if you need any further assistance.

paulwings | Last updated: Feb 24, 2020 11:36AM UTC