Intercept Android app traffic in Burp Suite: From root to hack [ULTIMATE GUIDE]

Posted in Programming   JULY 29, 2022

    In this article, you'll learn how to root an Android device (get superuser access), configure the Burp proxy, install a CA certificate to intercept HTTPS traffic, and bypass SSL pinning and root detection. You can also use Android emulators such as Genymotion. We are going to use Magisk Manager and Xposed Installer to bypass SSL pinning and root detection.

    Why bother learning this stuff? The simple reason is that fewer hackers work on Android than on web apps, so you compete with fewer people. Also, there is no easy guide that covers all mobile devices. Hence, this is the path less taken.

    Disclaimer: This whole process could take anywhere from 15 minutes to a whole day, depending on the device (Android SDK) and the app. So, please be patient and read everything carefully. Also, this whole thing is for educational purposes only.

    CPU-Z App showing info of your smartphone

    Steps similar to intercepting web browser traffic

    Let's start with the easiest and most basic part: capturing the HTTP and HTTPS traffic of the web browser and of apps that don't have SSL pinning enabled.

    Follow these steps:

    • Connect your PC (with Burp Suite installed) and Android to the same network.

      Note: Here my PC's IP is 192.168.43.20 and Android phone's IP is 192.168.43.180

    • Start Burp Suite and set the proxy to listen on all interfaces.
      Burp Suite proxy listening on port 8080 and all interfaces

    • Set a manual proxy in Android's Wi-Fi settings.

    • In the web browser, go to http://burp/ and download the CA certificate. Change the file extension from .der to .cer.

    • Go to Settings, search for "certificate", and install the certificate.

    Now you'll be able to intercept HTTP/HTTPS traffic from web browsers and the very few apps that do not have SSL pinning enabled.
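
    Before installing the downloaded file on the device, it helps to confirm that it really is an X.509 certificate and to record its fingerprint. The script below is an added example, not part of the original article; the file name cacert.cer and the throwaway CA it generates are constructed stand-ins for the file downloaded from http://burp/.

```shell
#!/bin/sh
# Added example: inspect a CA certificate file before installing it on a test device.
# Assumptions: openssl is installed; cacert.der / cacert.cer are constructed file names.

# Succeeds if openssl can parse the file as an X.509 certificate (read as DER).
cert_is_der() {
    openssl x509 -inform DER -in "$1" -noout 2>/dev/null
}

# SHA-256 fingerprint as lowercase hex without colons.
cert_sha256() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Subject and expiry date, so you know which CA you are about to trust and for how long.
cert_summary() {
    openssl x509 -inform DER -in "$1" -noout -subject -enddate
}

# Constructed sample input: a throwaway self-signed certificate written in DER form,
# standing in for the file the proxy serves.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1.key" -outform DER -out "$1" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir/cacert.der" || { rm -rf "$dir"; return 1; }
    # The rename step from the list above: only the extension changes, not the bytes.
    cp "$dir/cacert.der" "$dir/cacert.cer"
    if cert_is_der "$dir/cacert.cer"; then
        cert_summary "$dir/cacert.cer"
        echo "SHA-256: $(cert_sha256 "$dir/cacert.cer")"
    else
        echo "cacert.cer is not a parseable certificate"
    fi
    rm -rf "$dir"
}

demo
```

    Compare the printed value with the SHA-256 fingerprint Android shows for the certificate under its user trusted credentials, and remove the certificate from the device once testing is done.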

    Advanced bypassing SSL pinning

    If the app has SSL pinning enabled, we have to root the Android device to bypass it (and root detection as well).

    Follow the steps below.

    How to root an Android device

    It basically comes down to unlocking the bootloader. You need to search for the steps specific to your device, because they differ for every Android phone manufacturer. Use Google, YouTube, or the XDA forums (best) to find the right steps.

    Install custom recovery

    There are two main Android recovery projects: TWRP and OrangeFox. It would be great if they provide an official recovery for your device. Otherwise, you can use the XDA forums to get an unofficial but working recovery image. Now, follow these steps:

    • Boot your Android device into fastboot/download/flash mode.

    • Connect your Android device to your PC with a USB cable (and install the required drivers).

    • Install fastboot on your PC.

    • On Windows, use the Android platform tools: extract the zip file and place the recovery .img file downloaded earlier in the same folder.

    • On Linux, run this command: apt install adb fastboot -y

    • Open PowerShell or a terminal, go to the same folder used above, and run this command: fastboot boot recovery.img

    Install Magisk Manager

    It is an open source tool to manage root access for apps, install modules, flash images, etc. Follow these steps:

    • Get the official APK file of Magisk Manager from GitHub.

    • Change the extension from .apk to .zip.

    • Go to the custom recovery by following the steps above.

    • Tap Install, go to the Magisk file location, and flash it. Reboot the device.

    • Change the Magisk file's extension back to .apk and install the app.

    Magisk homepage after full installation

    Install Xposed installer (and edXposed manager)

    Finally, the main step toward bypassing SSL pinning is to install Xposed Installer.

    Method 1: Simple installation

    Follow these steps:

    • Download Xposed Installer from the official website for your Android version.

    • Click Install, wait for the download to complete, then install it.

    • If you see the green banner, you can skip the next methods.

    Allow superuser permission to Xposed Installer

    Method 2: using Magisk module

    This is for Android Oreo (8.0) and newer versions. Follow these steps:

    • Download the two Magisk modules from here1 and here2, plus one extra module from here3 if you like.

    • Install each module from storage and reboot the device.

    If the download for Xposed fails, get the zip files for your SDK from the redirected website.

    Magisk app after installing required modules.

    Method 3: Flash using custom recovery (TWRP/OrangeFox)

    Follow these steps:

    • Download the zip files from the redirected links for your Android SDK version. Also download the extra zip file from here.

    • Boot to recovery using the steps mentioned above.

    • Click Install and reboot to the system.

    • Check the Xposed Installer status again. Turn on the activation slider if it is not already on.

    Now you should have Xposed installed on your system.

    Install Xposed modules

    • Go to Downloads using the menu button in the top left corner.

    • Download and install three modules: RootCloak, SSL Pinning Bypass and Trust Me.

      Installed module in Xposed manager/installer

    • Activate these modules and soft reboot the device.

    • Go to the SSL Pinning Bypass app. Click on the app you want to bypass SSL pinning on.

      SSL pinning bypassed

    Summary

    Steps to bypass SSL pinning using the Xposed Framework:

    1. Set up and use the Burp proxy.

    2. Install Burp Suite's CA certificate.

    3. Unlock the bootloader and install a custom recovery.

    4. Install Magisk Manager and modules.

    5. Download and install the Xposed Installer Framework.

    6. Download and install the SSLUnpinning 2.0 and Root Cloak modules in the Xposed Installer Framework.

    7. Open Xposed Installer and enable the SSLUnpinning 2.0 and Root Cloak modules.

    8. Open the newly created SSL Unpinning app icon and click on the desired app to bypass SSL pinning.

    Thank you for reading. Have a creative day!

    Published by: sam5epi0l
    Tags: EthicalHacking, Android, BurpSuite, HowTo