How to Debug HTTP(S) Traffic for Android Apps with Burp Proxy
Everything seems to match specifications but the app does not work? Discover Burp Proxy – one of the best ways of debugging HTTP(S) traffic! Neither source code access nor development skills are needed.
If you have ever developed apps using HTTP(S) APIs you probably encountered situations when the server answered with errors like
400 Bad Request error or your app failed to parse responses throwing exceptions with enigmatic messages like
Unterminated string at line 1 column 57345 and you have no idea what is going on. Everything seems to match specifications but the app does not work. This article will explain one of the ways to debug such cases – Burp Proxy – while your Android mobile app development.
Burp Proxy – what is this?
What is Burp Proxy? The official documentation says:
Burp Proxy allows manual testers to intercept all requests and responses between the browser and the target application, even when HTTPS is being used.
In fact, we can replace a browser with any other app!
Due to the Changes to Trusted Certificate Authorities in Android Nougat this tutorial may not be applicable in all the cases. Burp officially recommends using a device with an Android version older than Nougat or rooted one. However, if the target SDK version is 23 or lower, the mentioned behavior changes are not applied. Even if a device has Android Nougat or newer or app targets API 24 or newer, the app can provide its own network security configuration. Moreover, HTTPS proxy won’t work if the app uses certificate pinning e.g. with okhttp.
Drive Your Product to Success – Free Guide for Digital Product Owners
Even the best team can’t deliver a successful product without proper guidance. If you own a digital product, our Ebook will be a perfect resource for mastering the fundamentals of successful product delivery.GET FREE EBOOK
Firstly, you need to download and launch Burp Suite (free, community edition is sufficient). Remember to whitelist Burp on the firewall if applicable. Then you can enable a proxy module:
Note that machine running proxy has to be accessible from your mobile device or AVD which you are testing on. E.g. they can be in the same WiFi network (wireless client isolation has to be disabled). Choose IP of the appropriate interface in Burp options and confirm using the OK button. Now proxy is running and we can configure the mobile device to use it. Go to WiFi settings, long press appropriate SSID (network name) and choose Modify network option. Then, you can enter proxy IP and port as shown in Figure 2.
If your app uses only HTTP, not HTTPS, that’s all the setup. However, in case of most modern apps, you need to follow the next section.
We need a little bit more steps to support HTTPS. Firstly, open a browser app on a mobile device, go to a proxy IP address and download CA certificate:
Then, change the extension of a CA certificate file to .cer (use .pem if it does not work in the next step).
Finally, you can install a certificate. Go to security settings and find an option to install the certificate from storage. Exact location and name of this option vary between manufacturers and Android versions. Choose an appropriate file and install cert using Wi-Fi credential type:
Let’s inspect it
We’re all set for now and we can start debugging. We’ll try to inspect traffic of an official Wikipedia app. Note that we don’t need to modify an app and we even don’t require source code. Open the app and go to Proxy -> Intercept tab. What’s important, traffic from other apps running in the background will be also intercepted. You can use Forward button to pass it through. The sample result is shown in figure 6.
Interception can be disabled by clicking on Intercept is on the button. In such case, the proxy will forward everything. Note that all the request and responses, no matter if intercepted or not are listed in HTTP history tab:
We can see the whole request including HTTP headers. Apart from examining its contents, we can take several actions:
- Drop –request won’t be sent to server
- Modify – the whole area with contents is editable, content can be changed
- Forward – request (maybe modified) will be sent to server
- Open Action menu – see figure 8.
As you can see Burp suite has a lot of features (there are even books about it). The most important one for us is highlighted. If you choose it and forward the request, the response will be also intercepted. And it can be modified before it reaches the app.
Let’s change it
Now we know the most important theory, so let’s start some practice. For example, we can modify language-related headers in a request. To do that just edit
Host headers. In this example English (corresponding to the locale set on the device) is changed to French:
After forwarding such request we get an app in English but with French content:
We can also modify responses. For example, we can insert additional text into articles:
After forwarding such response, we can see that it is reflected in the app:
HTTP(S) proxy is quite a powerful tool. It allows you to examine, intercept, and modify requests and responses. It may help a lot in-app debugging and can be used even on apps installed from stores. However, restrictions may exist if HTTPS is used on Android Nougat or newer, but Burp Proxy is coming to the rescue! Burp suits has a user-friendly windowed interface and it is super easy to use. Neither source code access nor development skills are needed.
Build a mobile app with experts with 12 years of experience
Our experts help with the whole process from idea to app release
hi, my android device is not reading cert file in cer format. Whether I need to root my device to intercept HTTPS connections from app
What exactly do you mean by “not reading” is there any error message? Is certificate file greyed out and cannot be selected? What is the device model?
According to official documentation: https://support.google.com/nexus/answer/2844832?hl=en
“Android supports DER-encoded X.509 certificates saved in .crt or .cer files. To install a certificate saved in a .der or other file, change the extension to .crt or .cer.”
However on some (non-Nexus/Pixel) devices .pem is recognized instead.
Yes, an error message such as “can’t read file” it says while installing cert in .cer format. Only .der is accepting.
I use Android 7.0. When I use .der, actually I was able to intercept HTTPS request of sites in chrome of android device but certain apps having HTTPS requests are not intercepted.