Android-Pentesting- Android Appsec (Kotlin) HTTP & HTTPS Traffic
Android Appsec is an intentionally vulnerable application made by https://twitter.com/hpandro1337 for learning about security in Android applications. I will be taking a look at intercepting HTTP and HTTPS traffic, which is where SSL pinning comes in. It is a security flaw that developers leave in their applications: if one can intercept the requests being made by the application, one can read the secrets and plain-text data if it is not encrypted.
To intercept the requests in Burp Suite we first need to install its certificate, which can be done quite easily.
You can follow this guide to install Burp's certificate:
https://portswigger.net/support/installing-burp-suites-ca-certificate-in-an-android-device
After installing the certificate, make sure that Burp's listener is running on all interfaces.
Add the IP address of your host machine in the network's proxy configuration.
Now let's test this to see if we can intercept HTTP traffic.
Intercepting HTTP Traffic
When we click the Reload button with intercept turned on, we can intercept the request.
Send the request to Repeater to get the response.
Intercepting HTTPS Traffic
Intercepting HTTPS traffic may or may not be easy, as this is where SSL pinning comes in.
As you can see, HTTPS traffic is not being intercepted even though we have added the Burp certificate: the app only allows HTTPS traffic through a trusted certificate. We need to bypass this, which can be done with objection:
objection --gadget com.hpandro.androidsecurity explore
android sslpinning disable
Now if we try to intercept it, it will work.
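
From the defender's side, the two behaviours tested above (cleartext HTTP that a proxy can read, and HTTPS that rejects the proxy's certificate) correspond to settings in Android's Network Security Configuration. The file below is an added example, not taken from the Android Appsec app or the original write-up; the domain, the pin values and the expiration date are placeholders, and the file is assumed to be saved as res/xml/network_security_config.xml.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Referenced from AndroidManifest.xml on the <application> element:
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Weak form, shown for contrast: cleartext allowed and user-installed
         CAs trusted, so a proxy CA added by the user is accepted.
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- Hardened form: no plain HTTP, only system CAs are trust anchors. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pinning for the API host (placeholder domain). Each pin is the
         base64 SHA-256 hash of a certificate's SubjectPublicKeyInfo.
         A backup pin avoids lock-out when the key is rotated. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2099-01-01"> <!-- placeholder date -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_HASH_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_HASH_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Applies only to builds with android:debuggable="true", so test
         builds can still be proxied without weakening release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

Pinning is enforced inside the app's own process, so runtime instrumentation such as the objection step above can still switch it off. It should therefore not be the only control protecting secrets sent over the connection.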