Burp community forum

Intercept SSL traffic for Android Nougat 7 and above version.

Pavan | Last updated: Aug 20, 2019 07:07AM UTC

Hi, do I need to decompile, add the security config XML file in the application folder and recompile every time while doing security testing on Android Nougat 7 and above versions? As I am facing difficulty in testing Android apps, I need more clarification on this. Thank you

Liam, PortSwigger Agent | Last updated: Aug 20, 2019 11:43AM UTC

Since Android Nougat, Android no longer trusts user or admin supplied CA certificates. Is it possible that the app isn't respecting some of the settings you have configured? Have you checked out this blog? https://blog.nviso.be/2018/01/31/using-a-custom-root-ca-with-burp-for-inspecting-android-n-traffic/

Burp User | Last updated: Aug 21, 2019 01:59PM UTC

@Liam Tai-Hogan Thank you so much it worked. Added below code in respective xml files.

Added below code under Network security config xml file

    <network-security-config>
        <base-config>
            <trust-anchors>
                <!-- Trust preinstalled CAs -->
                <certificates src="system" />
                <!-- Additionally trust user added CAs -->
                <certificates src="user" />
            </trust-anchors>
        </base-config>
    </network-security-config>

Added below code under Android Manifest.xml

    <application android:allowBackup="true" android:networkSecurityConfig="@xml/network_security_config" ...etc...>
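Added example, not part of the original posts or of any PortSwigger tooling: a small Python audit of a network security config that reports which scopes trust user-added CAs in release builds. It compares the config from the post above with a constructed variant that puts the user trust anchor under `<debug-overrides>`, which Android applies only when `android:debuggable` is true; the function names and the API 24+ default are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the config quoted in the post (user CAs trusted in every build).
POSTED_CONFIG = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample: user CAs trusted only when android:debuggable is true.
DEBUG_ONLY_CONFIG = """<network-security-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""

DEFAULT_ANCHORS = ["system"]  # assumed: platform default for apps targeting API 24+

def anchors(node, inherited):
    """Certificate sources a config node trusts; inherit when <trust-anchors> is absent."""
    ta = node.find("trust-anchors")
    if ta is None:
        return inherited
    return [c.get("src") for c in ta.findall("certificates")]

def audit(xml_text):
    """Return (scope -> trusted sources, scopes that trust user CAs in release builds)."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_src = anchors(base, DEFAULT_ANCHORS) if base is not None else DEFAULT_ANCHORS
    scopes = {"base-config": base_src}
    def walk(node, inherited):
        for dc in node.findall("domain-config"):
            src = anchors(dc, inherited)
            names = ",".join((d.text or "").strip() for d in dc.findall("domain"))
            scopes["domain-config[" + names + "]"] = src
            walk(dc, src)  # nested domain-config inherits from its parent

    walk(root, base_src)
    release_user_trust = [s for s, src in scopes.items() if "user" in src]
    dbg = root.find("debug-overrides")
    if dbg is not None:
        scopes["debug-overrides"] = anchors(dbg, [])
    return scopes, release_user_trust
```

Running `audit()` on a repackaged test build before it leaves the lab shows whether the user-CA trust would also apply to a non-debuggable build.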

Liam, PortSwigger Agent | Last updated: Aug 21, 2019 03:13PM UTC

Thanks for letting us know Pavan.
