# Android-Pentesting

## Android Appsec (Kotlin): HTTP & HTTPS Traffic

Android Appsec is an intentionally vulnerable application made by https://twitter.com/hpandro1337 for learning about security in Android applications. Here I take a look at intercepting its HTTP and HTTPS traffic, which is where SSL pinning comes in. Missing or bypassable pinning is a weakness developers leave in their applications: anyone who can intercept the requests the application makes can read its secrets and any data that is not additionally encrypted at the application layer.

To intercept the requests in Burp Suite we first need to install Burp's CA certificate on the device, which is quite easy. You can follow this guide: https://portswigger.net/support/installing-burp-suites-ca-certificate-in-an-android-device

After installing the certificate, make sure that Burp's proxy listener is bound to all interfaces, then add the IP address of your host machine (and the listener port) in the device's Wi-Fi proxy configuration. Now let's test this to see if we can intercept HTTP traffic.

## Intercepting HTTP Traffic

With Intercept turned on, clicking the Reload button in the app produces a request that is caught in Burp. Send the request to Repeater to get the response.

## Intercepting HTTPS Traffic

Intercepting HTTPS traffic may or may not be as easy, because this is where SSL pinning comes in. Even though we have added the Burp certificate, the HTTPS requests are not being intercepted: the app only accepts HTTPS connections whose certificate matches the one it has pinned, so Burp's certificate is rejected. (Note that on Android 7 and later, apps also ignore user-installed CAs by default unless their network security configuration opts in or the CA is installed into the system store, so a failed HTTPS intercept is not always caused by pinning.) We need to bypass the pinning, which can be done with `objection`. objection is built on Frida, so the device needs a running frida-server (rooted device) or the app must be repackaged with the Frida gadget:

```
objection --gadget com.hpandro.androidsecurity explore
```

Inside the objection REPL:

```
android sslpinning disable
```

Now if we try to intercept it, it will work.

## References

- https://portswigger.net/support/installing-burp-suites-ca-certificate-in-an-android-device
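To show what a pinning bypass like the one in the HTTPS section actually does under the hood, here is an added example (not part of this repository or of objection's own code) of a stand-alone Frida script that hooks the three places where Android apps most commonly validate certificates: the platform's `TrustManagerImpl.verifyChain`, OkHttp's `CertificatePinner.check`, and any custom `TrustManager` passed to `SSLContext.init`. It is useful when objection's built-in command does not cover an app's pinning code. The class name `com.example.frida.TrustAll` is an assumption chosen for this example; the hooked Android and OkHttp class and method names are real. Each hook is attempted independently, so a missing class (for example an app that does not ship OkHttp) only produces a skip message instead of aborting the script.

```javascript
'use strict';
// Added example: a Frida SSL-pinning bypass for Android, comparable in effect to
// objection's `android sslpinning disable`. Load it with:
//   frida -U -f com.hpandro.androidsecurity -l bypass.js
// The helpers below are plain JavaScript and can run outside Frida; the hooks
// themselves are only installed when the Frida Java bridge is available.

// The hook targets this script installs, kept as data so they can be listed.
function pinningTargets() {
  return [
    { cls: 'com.android.org.conscrypt.TrustManagerImpl', method: 'verifyChain',
      why: 'platform chain validation on Android 7+' },
    { cls: 'okhttp3.CertificatePinner', method: 'check',
      why: 'OkHttp pin check (throws SSLPeerUnverifiedException on mismatch)' },
    { cls: 'javax.net.ssl.SSLContext', method: 'init',
      why: 'app-supplied TrustManagers are swapped for an accept-all one' },
  ];
}

// Run one hook installer; report success/failure instead of aborting the script,
// since an app may not contain every library we try to patch.
function hookOrSkip(target, installer) {
  try {
    installer();
    console.log('[+] hooked ' + target);
    return true;
  } catch (e) {
    console.log('[-] skipped ' + target + ': ' + e.message);
    return false;
  }
}

function installBypass() {
  Java.perform(function () {
    // 1. Platform trust store: verifyChain is where Android validates the
    //    server chain. Returning the untrusted chain unchanged marks it trusted.
    hookOrSkip('TrustManagerImpl.verifyChain', function () {
      var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
      TrustManagerImpl.verifyChain.overload(
        '[Ljava.security.cert.X509Certificate;', 'java.util.List', 'java.lang.String',
        'boolean', '[B', '[B'
      ).implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
        console.log('[*] verifyChain bypassed for ' + host);
        return untrustedChain;
      };
    });

    // 2. OkHttp 3/4 pinning: check() throws on a pin mismatch; an empty body
    //    accepts every certificate, including Burp's.
    hookOrSkip('okhttp3.CertificatePinner.check', function () {
      var CertificatePinner = Java.use('okhttp3.CertificatePinner');
      CertificatePinner.check.overload('java.lang.String', 'java.util.List')
        .implementation = function (hostname, peerCertificates) {
          console.log('[*] OkHttp pin check bypassed for ' + hostname);
        };
    });

    // 3. Custom TrustManagers: apps that build their own SSLContext pass a
    //    TrustManager[] to init(); replace it with one that trusts any chain.
    hookOrSkip('SSLContext.init', function () {
      var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
      var SSLContext = Java.use('javax.net.ssl.SSLContext');
      var TrustAll = Java.registerClass({
        name: 'com.example.frida.TrustAll', // assumed name for this example
        implements: [X509TrustManager],
        methods: {
          checkClientTrusted: function (chain, authType) {},
          checkServerTrusted: function (chain, authType) {},
          getAcceptedIssuers: function () { return []; }
        }
      });
      var init = SSLContext.init.overload(
        '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
      init.implementation = function (keyManagers, trustManagers, secureRandom) {
        console.log('[*] SSLContext.init: replacing app TrustManagers');
        init.call(this, keyManagers, [TrustAll.$new()], secureRandom);
      };
    });
  });
}

// Only install hooks inside a Frida session with the Java bridge available.
if (typeof Java !== 'undefined' && Java.available) {
  installBypass();
}
```

Spawning the app with `-f` matters: the hooks must be in place before the app builds its HTTP client, otherwise an already-created `SSLContext` or `CertificatePinner` keeps its original behaviour. If HTTPS still fails after loading the script, the app is either using a library not covered here (for example a Flutter or native TLS stack) or, on Android 7+, simply not trusting user CAs, which is a trust-store problem rather than a pinning one.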