Intercepting Mobile Traffic with Burp Suite

When to Use

Use this skill when:

• Testing mobile application API endpoints for authentication, authorization, and injection vulnerabilities
• Analyzing data transmitted between mobile apps and backend servers during penetration tests
• Evaluating certificate pinning implementations and their bypass difficulty
• Identifying sensitive data leakage in mobile network traffic

Do not use this skill to intercept traffic from applications you are not authorized to test -- traffic interception without authorization violates computer fraud laws.

Prerequisites

• Burp Suite Professional or Community Edition installed on testing workstation
• Android device/emulator or iOS device on the same network as Burp Suite host
• Burp Suite CA certificate installed on the target device
• For Android 7+: Network security config modification or Magisk module for system CA trust
• For SSL pinning bypass: Frida + Objection or custom Frida scripts
• Wi-Fi network where proxy configuration is possible

Workflow

Step 1: Configure Burp Suite Proxy Listener

Burp Suite > Proxy > Options > Proxy Listeners:
- Bind to address: All interfaces (or specific IP)
- Bind to port: 8080
- Enable "Support invisible proxying"

Verify the listener is active and note the workstation's IP address on the shared network.

Step 2: Configure Mobile Device Proxy

Android:

Settings > Wi-Fi > [Network] > Advanced > Manual Proxy
- Host: <burp_workstation_ip>
- Port: 8080

iOS:

Settings > Wi-Fi > [Network] > Configure Proxy > Manual
- Server: <burp_workstation_ip>
- Port: 8080

Step 3: Install Burp Suite CA Certificate

Android (below API 24):

# Export Burp CA from Proxy > Options > Import/Export CA Certificate
# Transfer to device and install via Settings > Security > Install from storage

Android (API 24+ / Android 7+): Apps targeting API 24+ do not trust user-installed CAs by default. Options:

# Option A: Modify app's network_security_config.xml (requires APK rebuild)
# Add to res/xml/network_security_config.xml:
# <network-security-config>
#   <debug-overrides>
#     <trust-anchors>
#       <certificates src="user" />
#     </trust-anchors>
#   </debug-overrides>
# </network-security-config>

# Option B: Install as system CA (rooted device)
openssl x509 -inform DER -in burp-ca.der -out burp-ca.pem
HASH=$(openssl x509 -inform PEM -subject_hash_old -in burp-ca.pem | head -1)
cp burp-ca.pem "$HASH.0"
adb push "$HASH.0" /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/$HASH.0

# Option C: Magisk module (MagiskTrustUserCerts)

iOS:

1. Navigate to http://<burp_ip>:8080 in Safari
2. Download Burp CA certificate
3. Settings > General > VPN & Device Management > Install profile
4. Settings > General > About > Certificate Trust Settings > Enable full trust

Step 4: Intercept and Analyze Traffic

With proxy configured, open the target app and navigate through its functionality:

Burp Suite > Proxy > HTTP History: Review all captured requests and responses.

Key areas to analyze:

• Authentication tokens: JWT structure, token expiration, refresh mechanisms
• API endpoints: RESTful paths, GraphQL queries, parameter patterns
• Sensitive data in transit: PII, credentials, financial data
• Response headers: Security headers (HSTS, CSP, X-Frame-Options)
• Error responses: Stack traces, debug information, internal paths

Step 5: Test API Vulnerabilities Using Burp Repeater

Forward intercepted requests to Repeater for manual testing:

Right-click request > Send to Repeater

Test categories:
- Authentication bypass: Remove/modify auth tokens
- IDOR: Modify user IDs, object references
- Injection: SQL injection, NoSQL injection in parameters
- Rate limiting: Rapid request replay for brute force assessment
- Business logic: Modify prices, quantities, permissions in requests

Step 6: Automate Testing with Burp Scanner

Right-click request > Do active scan (Professional only)

Scanner checks:
- SQL injection (error-based, blind, time-based)
- XSS (reflected, stored)
- Command injection
- Path traversal
- XML/JSON injection
- Authentication flaws

Step 7: Handle Certificate Pinning

If traffic is not visible due to certificate pinning:

# Frida-based bypass (generic)
frida -U -f com.target.app -l ssl-pinning-bypass.js

# Objection bypass
objection --gadget com.target.app explore
ios sslpinning disable  # or
android sslpinning disable

Key Concepts

Tools & Systems

• Burp Suite Professional: Full-featured web application security testing proxy with active scanner
• Burp Suite Community: Free version with manual interception and basic tools
• Frida: Dynamic instrumentation for runtime SSL pinning bypass
• mitmproxy: Open-source alternative to Burp Suite for programmatic traffic analysis
• Charles Proxy: Alternative HTTP proxy with mobile-friendly certificate installation

Common Pitfalls

• Android 7+ CA trust: User-installed certificates are not trusted by apps targeting API 24+. Must use system CA installation or app modification.
• Certificate transparency: Some apps use Certificate Transparency logs to detect MITM. Check for CT enforcement in the app.
• Non-HTTP protocols: Burp Suite only handles HTTP/HTTPS. Use Wireshark for WebSocket, MQTT, gRPC, or custom binary protocols.
• VPN-based apps: Apps using VPN tunnels bypass device proxy settings. May need iptables rules on a rooted device to redirect traffic.