Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Install a certificate on an Android phone to be able to proxy the traffic coming/going from installed applications

José | Last updated: Jul 10, 2022 03:12AM UTC

I’ve followed the instructions present on: https://portswigger.net/support/configuring-an-android-device-to-work-with-burp and on https://portswigger.net/support/installing-burp-suites-ca-certificate-in-an-android-device to be able to use Burp as a proxy for my phone. I’ve tried renaming the file for .der to .cer but when I installed the .cer file on the phone I got the same security warnings that I did receive without installing the certificate. What I did was to convert the .der file to .pem using this command “openssl x509 -inform der -in cacert.der -out cacert.pem” to be able to install it on my phone, since my phone didn’t allow me to install the .der file as a certificate but it allowed the installation of the .pem file. I did so, and the security warnings disappeared! On your tutorial where you specify to “You can check the Certificate is installed by tapping the “Trusted credentials" button. Tap the "User" tab in the “Trusted credentials” window to show the PortSwigger CA certificate.” I did so and was able to see the certificate just like in your image on both cases stated above. My problem/bug is that, although I’m able to see the traffic generated by Chrome on my phone, I’m unable to see the traffic coming/going from installed applications. Can you please advise on what to do to be able to see the traffic coming/going from installed applications? Thanks in advance!

Ben, PortSwigger Agent | Last updated: Jul 11, 2022 10:31AM UTC

Hi José, I have just replied to the email that you also sent us about this issue but, for completeness, will repeat the reply in this forum thread as well. To give a quick overview - if you are using a mobile device that is running Android 7.0 and above then you would need to install the Burp CA certificate as a system level certificate (this is due to a change in how the trust settings work for user supplied certificates from this version of Android onwards). It sounds like you might have already done this (or some of the steps at least) but I would generally recommend following the steps described in the guide below (the steps in the 'Install Burp CA as a system-level trusted CA' section) in order to carry this out: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/ Essentially, you need to convert the existing certificate and then place it in the location in which the system level certificates reside on your device (bear in mind that this needs to be carried out on a rooted device or emulator). Once you have carried out the above steps, can you confirm whether you still see the same behaviour so that, if so, we can suggest some further troubleshooting steps?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.