hacktricks/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md

# Burp Suite Configuration for Android

<details>

<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">

**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.

{% embed url="https://www.syncubes.com/" %}

**This tutorial was taken from:** [**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533)

## Add a proxy in Burp Suite to listen.

Address: **192.168.56.1** & Port: **1337**

Choose _**All Interfaces**_ option.

![](https://miro.medium.com/max/700/1\*0Bn7HvqI775Nr5fXGcqoJA.png)

## **Adding listener in Android device.**

Setting → Wifi →WiredSSID (Long press)

Choose Modify network → Check Advance options.

Select Proxy to the manual

![](https://miro.medium.com/max/700/1\*gkDuYqWMldFuYguQuID7sw.png)

Testing connection over http and https using devices browser.

1. http:// (working) tested — [http://ehsahil.com](http://ehsahil.com)

![](https://miro.medium.com/max/700/1\*LJ2uhK2JqKYY\_wYkH3jwbw.png)

2\. https:// certificate error — https://google.com

![](https://miro.medium.com/max/700/1\*M-AoG6Yqo21D9qgQHLCSzQ.png)

## **Installing burp certificate in android device.**

Download burp certificate. — Use your desktop machine to download the certificate.

[https://burp](http://burp)

![](https://miro.medium.com/max/700/1\*f4LjnkNs7oA1f4XokEeiTw.png)

Click on **CA certificate download the certificate.**

The downloaded certificate is in cacert.der extension and Android 5.\* does not recognise it as certificate file.

You can download the cacert file using your desktop machine and rename it from cacert.der to cacert.crt and drop it on Android device and certificate will be automatically added into **file:///sd\_card/downloads.**

**Installing the downloaded certificate.**

Settings →Security →Install certificate from SD cards

Now, goto: sdcard →Downloads → Select cacert.crt

Now, Name it as anything “portswigger”

![](https://miro.medium.com/max/700/1\*lDtlQ1FfcHEytrSZNvs2Mw.png)

You also need to setup the PIN before adding certificate. Verifying the installed certificate using trusted certificates.

Trusted certificates →Users

![](https://miro.medium.com/max/700/1\*dvEffIIS0-dPE6q3ycFx3Q.png)

After installing Certificate SSL endpoints also working fine tested using → [https://google.com](https://google.com)

![](https://miro.medium.com/max/700/1\*lt0ZvZH60HI0ud1eE9jAnA.png)

{% hint style="info" %}
After installing the certificate this way Firefox for Android won't use it (based on my tests), so use a different browser.
{% endhint %}

<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">

**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.

{% embed url="https://www.syncubes.com/" %}

<details>

<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>