2024-05-07
Prerequisites
- Burp Suite
- openssl (optional)
Step 1 – Setting up Burp Suite
- In Burp Suite, go to the Proxy tab.
- Click Proxy Settings.
- Listen on port 8080 from all interfaces.
- Click import/export CA certificate.
- Export the certificate in DER format.
- Choose a path and name the file with a .der extension.
- Click Next.
- We will use Burp_cert.der as the example name for this tutorial.
Step 2 – Upload and install the Burp Suite Certificate
- Start your device.
- Drag’n drop the Burp_cert.der file you generated to the device display.
- Go to Android Settings and install a certificate.
- In the results, click Install certificates from SD Card and select CA certificate.
- Click Install anyway to bypass the warning.
- Navigate to /sdcard/Download and click on Burp_cert.der.
- If using Android 9 or below, you may be requested to set a secure lock screen. Comply and set a lock.
- To verify whether the certificate is properly installed, go to Android settings, and click Trusted credentials.
- You should see the certificate in the USER tab.
- This method alters the Android system significantly and may break the device.
- Use with extreme care and only if necessary!
Android 14+
- Android 14 is not rooted by default, so make sure that the device is rooted before going any further.
- Please refer to Genymotion Desktop on-line documentation for more details.
- Root the device.
- Install Magisk.
- Follow the instructions from our FAQ to install Magisk: How to install Magisk on Genymotion?
- Install the certificate as user certificate.
- Install the Cert-Fix plugin for Magisk.
- Download Cert-Fixer.zip from Cert-Fixer github repository.
- Upload the file to the device. You can either use adb push Cert-Fixer.zip /sdcard/Download or simply drag’n drop the file to the device display.
- Open Magisk and go to the Plugins section.
- Click Install from storage and select Cert-Fixed.zip from the Download folder (/sdcard/Download).
- Wait for the plugin to install.
- When done, click Reboot to reboot the device.
- After a reboot, the Burp Suite CA certificate (“PortSwigger CA”) should now be installed as a system certificate.
- Warning: The Cert-Fix plugin will copy any user certificate as system certificate on boot. If you don’t need to install any other system certificates, make sure to disable the plugin to avoid installing system certificates by mistake.
Android 12-13
- Root the device.
- Android 12-13 images are not rooted by default, so make sure that the device is rooted before going any further.
- Please refer to Genymotion Desktop on-line documentation for more details.
- Convert the certificate.
- We need to convert the Burp certificate into PEM format. Use openssl to convert DER to PEM, then output the subject_hash_old.
- OpenSSL commands for DER to PEM conversion:
openssl x509 -inform DER -in Burp_cert.der -out Burp_cert.pem
openssl x509 -inform PEM -subject_hash_old -in Burp_cert.pem |head -1
- Rename the file with the output hash from the last command. For example, if the hash is 9a5ba575, then rename the file as 9a5ba575.0:
mv Burp_cert.pem 9a5ba575.0
- Install the certificate.
- First, make the /system partition writable:
adb root
adb shell 'mount -o rw,remount /'
- Upload the certificate:
adb push 9a5ba575.0 /system/etc/security/cacerts/
- Change the certificate permissions:
adb shell chmod 644 /system/etc/security/cacerts/9a5ba575.0
- Reboot the device.
- After the device reboots, Settings -> Security -> Trusted Credentials should show the new “Portswigger CA” as a system trusted CA.
Android 11 and below
- The steps mirror the certificate conversion and system installation described for Android 12-13, including conversion to PEM, hashing, and placing the certificate in /system/etc/security/cacerts with the hashed name.
- Reboot the device after installation.
- Verify Trusted Credentials to confirm the PortSwigger CA is listed under system certificates.
Step 3 – Set Android global proxy to Burp Suite proxy
- Though it is possible to use Android settings, we recommend using the ADB command line tool which is more reliable and easier to handle.
- Note: If you do not have, or wish to install, Android SDK tools, you can use Genymotion ADB built-in tool. Please refer to Genymotion Desktop user guide for more information.
- To set the global proxy, use the following adb command:
adb shell settings put global http_proxy <burp_proxy_ip>:<burp_listening_port>
- <burp_proxy_ip> is the IP of the host machine where Burp Suite is running.
- <burp_listening_port> is Burp Suite Listening port.
- For example, if Burp is running on a host machine with IP 192.168.1.84 and is listening to port 8080, then the command should look like:
adb shell settings put global http_proxy 192.168.1.84:8080
- From then, Internet traffic should be redirected to Burp Suite.
- Note: This setting is global, but applications may have their own proxy settings which cannot be controlled this way. The only solution in this case is to use a third party Android application, such as ProxyDroid, to redirect all traffic from the device to Burp Suite proxy.
- Disable global proxy.
- Important: If the proxy is still set after stopping the device, Wifi may be disabled the next time you start the device. To avoid this, make sure to unset the global proxy before stopping the device.
- Use the following ADB command to unset the proxy:
adb shell settings put global http_proxy :0
Extras
- Genymotion Desktop and Burp Suite run on the same host
With VirtualBox
- Use the IP address 10.0.3.2 from the virtual device to reach Burp Suite.
- IP 10.0.3.2 is a VirtualBox alias to your host loopback interface (i.e., 127.0.0.1 on your host machine).
- If Burp Suite listens to *:8080, the virtual device can access Burp Suite at 10.0.3.2:8080.
- Set Android global proxy to 10.0.3.2:8080:
adb shell settings put global http_proxy 10.0.3.2:8080
With QEMU
- Unlike VirtualBox, there is no loopback interface when using QEMU.
- It is possible to use adb reverse to bind a virtual device local port to a host local port.
- Set Android global proxy to localhost:3333 (or any other available port):
adb shell settings put global http_proxy localhost:3333
- If Burp Suite listens to *:8080, then use:
adb reverse tcp:3333 tcp:8080
- This binds the virtual device local TCP port 3333 to the host machine local TCP port 8080.
Script with gmtool to automate the process
- The following scripts require gmtool advanced commands which are only available with a paid license.
- You can use scripts to combine gmtool and adb to automatically set the proxy and start a device, and unset the proxy while stopping the device. See examples below.
Start script example
#!/bin/bash
## Start your device with gmtool.
## We assume Genymotion is installed in your Home folder.
$home/genymotion/gmtool admin start "your_device_name"
## Set Burp Suite proxy as global proxy to the device.
## We use proxy IP 10.0.3.2 and port 8080. Replace with your own settings.
## We use Genymotion built-in ADB.
$home/genymotion/tools/adb shell settings put global http_proxy 10.0.3.2:8080
Start script example (Windows)
@echo off
REM Start your device with gmtool.
REM We assume Genymotion is installed in "C:\Program Files".
C:\Program Files\Genymobile\Genymotion\gmtool.exe admin start "your_device_name"
REM Set Burp Suite proxy.
REM We use proxy IP 10.0.3.2 and port 8080. Replace with your own settings.
REM We use Genymotion built-in ADB
C:\Program Files\Genymobile\Genymotion\tools\adb shell settings put global http_proxy 10.0.3.2:8080
Stop script example
#!/bin/bash
## Remove the global proxy settings.
$home/genymotion/tools/adb shell settings put global http_proxy :0
## Stop the running device.
$home/genymotion/gmtool admin stop "your_device_name"
Stop script example (Windows)
@echo off
REM Remove the global proxy settings.
C:\Program Files\Genymobile\Genymotion\tools\adb shell settings put global http_proxy :0
REM Stop the running device.
C:\Program Files\Genymobile\Genymotion\gmtool.exe admin stop "your_device_name"
Previous Next
- NEXT