Not able intercept the android app communication using burp suite proxy, help is required
2,026 views
Skip to first unread message
Kanak KV
Nov 3, 2016, 11:53:30 AM11/3/16
to null-...@googlegroups.com
Hi Team,
While doing the android app security testing, Iam not able intercept the app communication using burp suite proxy free version 1.7.03. But Iam able to intercept the browser communication from android device using burp proxy tool. Moreover android app is not having any SSL pinning.
App communication is not going via burp tool and able to login to the app directly even configured the android device with binding with laptop ip address with port as well. Burp certificate is also installed on device, both device and laptop on same wi-fi.
Please help me with how to intercept the app communication using the burp proxy tool. Thanks in advance.
Thanks,
Kanak
While doing the android app security testing, Iam not able intercept the app communication using burp suite proxy free version 1.7.03. But Iam able to intercept the browser communication from android device using burp proxy tool. Moreover android app is not having any SSL pinning.
App communication is not going via burp tool and able to login to the app directly even configured the android device with binding with laptop ip address with port as well. Burp certificate is also installed on device, both device and laptop on same wi-fi.
Please help me with how to intercept the app communication using the burp proxy tool. Thanks in advance.
Thanks,
Kanak
Kanak KV
Nov 3, 2016, 12:06:53 PM11/3/16
to Ajay Nunna, null-...@googlegroups.com
Hi Ajay,
It is a e-commerce app and requires internet connection to communicate. While opening the app there is no alert in burp.
Regards,
KV KanakOn Thu, Nov 3, 2016 at 9:29 PM, Ajay Nunna <aj.n...@gmail.com> wrote:
Hi Kanak,Did you check these things?1. What kinda app it is,whether it requires internet connection,any local database with in the app2. When you configure burp proxy and opening the app,are there any alerts generated in the burp alerts section.Regards,Ajay Nunna
--
______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
______________________________________________________________________________
se7enth edition of nullcon Goa (Mar 9-12, 2016)
http://nullcon.net
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+unsubscribe@googlegroups.com.
Visit this group at https://groups.google.com/group/null-co-in.
For more options, visit https://groups.google.com/d/optout.
sabari ganesh
Nov 3, 2016, 12:19:14 PM11/3/16
to null-...@googlegroups.com
Import certificate to the android device
Ajay Nunna
Nov 3, 2016, 12:19:14 PM11/3/16
to null-...@googlegroups.com, kana...@gmail.com
Hi Kanak,
Did you check these things?
1. What kinda app it is,whether it requires internet connection,any local database with in the app
2. When you configure burp proxy and opening the app,are there any alerts generated in the burp alerts section.
Regards,
Ajay Nunna
On Thu, Nov 3, 2016 at 9:23 PM, Kanak KV <kana...@gmail.com> wrote:
anand gupta
Nov 7, 2016, 3:09:52 AM11/7/16
to null-...@googlegroups.com, kana...@gmail.com
Hi kanak,
There are following "hit & error" methods you can use.
1. Once you configured your device with burp, open browser in your device and check whether burp capture the traffic or not.
2. If not, then install burp certificate in the device.
3. You can use fiddler as well, this works in 99% cases. 😊
4. Sometimes this problem comes because of java version as well. So try different java versions.
Hope it will help!
Thanks
Anand Gupta
Kanak KV
Nov 7, 2016, 3:44:24 PM11/7/16
to anand gupta, null-...@googlegroups.com
On Sun, Nov 6, 2016 at 2:54 PM, anand gupta <19an...@gmail.com> wrote:
Hi Anand,
Hi Anand,
Thanks for the response.
I had installed burp certificate in the device. I am able to intercept the browser communication but not app communication.
The same issue I am facing with other proxy tools also like fiddler, charles as well.
Regards,
KV Kanak
Aaditya Purani
Nov 8, 2016, 5:32:03 AM11/8/16
to null
Hello,
If you had successfully imported CA then Application Traffic Intercepting should work without no problem. Have you tried Intercepting any other Application, or is the problem persisting with this specific application which you are testing ?
Moreover, It's a Good Thing to Install Xposed Framework & thereafter Installing a Module 'Just Trust Me' . This is used for SSL-Unpinning. It's worth to give it a try if you are using Android 5.0.0 + or Android 4.4.4. As you already mentioned `The App doesn't have SSL Pinning` but still give it a shot. I also want to know that when you try to open any HSTS enabled Site in the browser, is your Burp Able to Intercept ? ( If you have Imported Certificate correctly than it should ). Also let me know your Open JDK Version.
Regards,
Aaditya Purani
If you had successfully imported CA then Application Traffic Intercepting should work without no problem. Have you tried Intercepting any other Application, or is the problem persisting with this specific application which you are testing ?
Moreover, It's a Good Thing to Install Xposed Framework & thereafter Installing a Module 'Just Trust Me' . This is used for SSL-Unpinning. It's worth to give it a try if you are using Android 5.0.0 + or Android 4.4.4. As you already mentioned `The App doesn't have SSL Pinning` but still give it a shot. I also want to know that when you try to open any HSTS enabled Site in the browser, is your Burp Able to Intercept ? ( If you have Imported Certificate correctly than it should ). Also let me know your Open JDK Version.
Regards,
Aaditya Purani
khushal
Nov 8, 2016, 5:32:03 AM11/8/16
to T
Hi kanak,
Intercepting the mobile browser communication is like intercepting the web applicatrion. But for native applications you need to install emulator and simulators
--
______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
______________________________________________________________________________
nullcon 8-bit, Goa (Feb 28 - Mar 04, 2017)
Reply all
Reply to author
Forward
0 new messages