Intercepting Mobile Traffic with Burp Suite

When to Use

Use this skill when:

• Testing mobile application API endpoints for authentication, authorization, and injection vulnerabilities
• Analyzing data transmitted between mobile apps and backend servers during penetration tests
• Evaluating certificate pinning implementations and their bypass difficulty
• Identifying sensitive data leakage in mobile network traffic

Do not use this skill to intercept traffic from applications you are not authorized to test -- traffic interception without authorization violates computer fraud laws.

Prerequisites

• Burp Suite Professional or Community Edition installed on testing workstation
• Android device/emulator or iOS device on the same network as Burp Suite host
• Burp Suite CA certificate installed on the target device
• For Android 7+: Network security config modification or Magisk module for system CA trust
• For SSL pinning bypass: Frida + Objection or custom Frida scripts
• Wi-Fi network where proxy configuration is possible

Workflow

Step 1: Configure Burp Suite Proxy Listener

Burp Suite > Proxy > Options > Proxy Listeners:
- Bind to address: All interfaces (or specific IP)
- Bind to port: 8080
- Enable "Support invisible proxying"

Verify the listener is active and note the workstation's IP address on the shared network.

Step 2: Configure Mobile Device Proxy

Android:

Settings > Wi-Fi > [Network] > Advanced > Manual Proxy
- Host: <burp_workstation_ip>
- Port: 8080

iOS:

Settings > Wi-Fi > [Network] > Configure Proxy > Manual
- Server: <burp_workstation_ip>
- Port: 8080

Step 3: Install Burp Suite CA Certificate

Android (below API 24):

# Export Burp CA from Proxy > Options > Import/Export CA Certificate
# Transfer to device and install via Settings > Security > Install from storage

Android (API 24+ / Android 7+): Apps targeting API 24+ do not trust user-installed CAs by default. Options:

# Option A: Modify app's network_security_config.xml (requires APK rebuild)
# Add to res/xml/network_security_config.xml:
# <network-security-config>
#   <debug-overrides>
#     <trust-anchors>
#       <certificates src="user" />
#     </trust-anchors>
#   </debug-overrides>
# </network-security-config>

# Option B: Install as system CA (rooted device)
openssl x509 -inform DER -in burp-ca.der -out burp-ca.pem
HASH=$(openssl x509 -inform PEM -subject_hash_old -in burp-ca.pem | head -1)
cp burp-ca.pem "$HASH.0"
adb push "$HASH.0" /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/$HASH.0

# Option C: Magisk module (MagiskTrustUserCerts)

iOS:

1. Navigate to http://<burp_ip>:8080 in Safari
2. Download Burp CA certificate
3. Settings > General > VPN & Device Management > Install profile
4. Settings > General > About > Certificate Trust Settings > Enable full trust

Step 4: Intercept and Analyze Traffic

With proxy configured, open the target app and navigate through its functionality:

Burp Suite > Proxy > HTTP History: Review all captured requests and responses.

Key areas to analyze:

• Authentication tokens: JWT structure, token expiration, refresh mechanisms
• API endpoints: RESTful paths, GraphQL queries, parameter patterns
• Sensitive data in transit: PII, credentials, financial data
• Response headers: Security headers (HSTS, CSP, X-Frame-Options)
• Error responses: Stack traces, debug information, internal paths

Step 5: Test API Vulnerabilities Using Burp Repeater

Forward intercepted requests to Repeater for manual testing:

Right-click request > Send to Repeater

Test categories:
- Authentication bypass: Remove/modify auth tokens
- IDOR: Modify user IDs, object references
- Injection: SQL injection, NoSQL injection in parameters
- Rate limiting: Rapid request replay for brute force assessment
- Business logic: Modify prices, quantities, permissions in requests

Step 6: Automate Testing with Burp Scanner

Right-click request > Do active scan (Professional only)

Scanner checks:
- SQL injection (error-based, blind, time-based)
- XSS (reflected, stored)
- Command injection
- Path traversal
- XML/JSON injection
- Authentication flaws

Step 7: Handle Certificate Pinning

If traffic is not visible due to certificate pinning:

# Frida-based bypass (generic)
frida -U -f com.target.app -l ssl-pinning-bypass.js

# Objection bypass
objection --gadget com.target.app explore
ios sslpinning disable  # or
android sslpinning disable

Key Concepts

Term	Definition
MITM Proxy	Man-in-the-middle proxy that terminates and re-establishes TLS connections to inspect encrypted traffic
Certificate Pinning	Client-side validation that restricts accepted server certificates beyond the OS trust store
Network Security Config	Android XML configuration controlling app trust anchors, cleartext traffic policy, and certificate pinning
Invisible Proxying	Burp feature handling non-proxy-aware clients that don't send CONNECT requests
IDOR	Insecure Direct Object Reference -- accessing resources by manipulating identifiers without authorization checks

Tools & Systems

• Burp Suite Professional: Full-featured web application security testing proxy with active scanner
• Burp Suite Community: Free version with manual interception and basic tools
• Frida: Dynamic instrumentation for runtime SSL pinning bypass
• mitmproxy: Open-source alternative to Burp Suite for programmatic traffic analysis
• Charles Proxy: Alternative HTTP proxy with mobile-friendly certificate installation

Common Pitfalls

• Android 7+ CA trust: User-installed certificates are not trusted by apps targeting API 24+. Must use system CA installation or app modification.
• Certificate transparency: Some apps use Certificate Transparency logs to detect MITM. Check for CT enforcement in the app.
• Non-HTTP protocols: Burp Suite only handles HTTP/HTTPS. Use Wireshark for WebSocket, MQTT, gRPC, or custom binary protocols.
• VPN-based apps: Apps using VPN tunnels bypass device proxy settings. May need iptables rules on a rooted device to redirect traffic.