1

I am following this tutorial to intercept https traffic with burp proxy on my laptop. I have passed all steps but i can not see any traffic.

I have Android Studio installed with Android Emulator:

Name: Pixel_4_API_29 
Version: Android 10.0
CPU/ABI: Intel Atom (x86_64) 
Target: default [Default Android System Image] (API level 29)
Skin: pixel_4 SD Card: 512M
...

This device is rooted and i have installed system trusted certificate on it:

System/Security/.../Trusted Credentials/PortSwigger.CA

I have read this article and it implies that with system trusted certificate i can intercept simple https traffic from my android device.

What am i doing wrong? I appreciate for any help!

Anna Schmidt
  • 21
  • 1
  • If you cannot see any traffic than there either no traffic is generated or the traffic is not send through burp, i.e. there is no proxy configured, the app is ignoring the proxy setting or similar. Just configuring the CA is not enough to make the traffic actually send through Burp, it is only done to trust the certificate generated by Burp. – Steffen Ullrich Jun 27 '21 at 16:41
  • @SteffenUllrich yes, the problem was in burp configuration, thank you! Now i can see https traffic from browser, but some apps are still not working. Probably they use their own certificates and i need to modify application code to see https requests? – Anna Schmidt Jun 27 '21 at 17:26
  • Same as for the other apps - it might be that they don't produce any traffic or that they don't use the configured proxy. It might also be that they are refusing to trust the certificate from burp, i.e. that they do certificate pinning and not use the system CA. – Steffen Ullrich Jun 27 '21 at 17:32
  • You can try to break certificate pinning of those non-working apps using Frida/Objection or system wide using EdXposed + TrustMeAlready. For more details see "Rooted devices" section in https://stackoverflow.com/a/62731432/150978 – Robert Jun 28 '21 at 11:35

0 Answers0