Burp Suite User Forum

Login to post

Burp Suite v2023.9.1 + rooted android 7 and 8 certificate unknown

rdinn | Last updated: Aug 14, 2023 04:00PM UTC

Hi Community, I want to see the http requests instagram apk on android is doing. We are part of the Whitehat Instagram / Facebook Developers which can turn off app cert pinning and tls1.3 from the official app. However, Burp is working when device is connected to proxy :8000 (tested with other ports) and is intercepting chrome and websites. But as soon as I open the Instagram app, I always receive a TLS Fatal alert, received certificate_unknown on b-www.facebook.com:443. Is this something from burps side? I have to say that everything works well with a Instagram APK ~1year old, as soon as I update to a newer one, it is not working anymore. Tested with a rooted Android 8 Nexus with certificate installed over terminal / shell. Testes as well with a Android 7 Hafury Mix with user certificate installed the old way. On both the exact same behavior. Old APK is working, as soon as I update on both devices, the error appears. What can I do?

Michelle, PortSwigger Agent | Last updated: Aug 15, 2023 10:35AM UTC

Hi Does the Android device report any issues with the WiFi connectivity being limited? Are you using the default Burp CA certificate on Burp's Proxy Listener? Out of interest, if you create your own certificate for the Proxy Listener to use that includes a 2 character countryName (cn) field and then import this to be used by Burp's Listener, does this help?

You need to Log in to post a reply. Or register here, for free.