intercepting-mobile-traffic-with-burpsuite

# Intercepting Mobile Traffic with Burp Suite

## When to Use

Use this skill when:
- Testing mobile application API endpoints for authentication, authorization, and injection vulnerabilities
- Analyzing data transmitted between mobile apps and backend servers during penetration tests
- Evaluating certificate pinning implementations and their bypass difficulty
- Identifying sensitive data leakage in mobile network traffic

**Do not use** this skill to intercept traffic from applications you are not authorized to test -- traffic interception without authorization violates computer fraud laws.

## Prerequisites

- Burp Suite Professional or Community Edition installed on testing workstation
- Android device/emulator or iOS device on the same network as Burp Suite host
- Burp Suite CA certificate installed on the target device
- For Android 7+: Network security config modification or Magisk module for system CA trust
- For SSL pinning bypass: Frida + Objection or custom Frida scripts
- Wi-Fi network where proxy configuration is possible

## Workflow

### Step 1: Configure Burp Suite Proxy Listener

```
Burp Suite > Proxy > Options > Proxy Listeners:
- Bind to address: All interfaces (or specific IP)
- Bind to port: 8080
- Enable "Support invisible proxying"
```

Verify the listener is active and note the workstation's IP address on the shared network.

### Step 2: Configure Mobile Device Proxy

**Android:**
```
Settings > Wi-Fi > [Network] > Advanced > Manual Proxy
- Host: <burp_workstation_ip>
- Port: 8080
```

**iOS:**
```
Settings > Wi-Fi > [Network] > Configure Proxy > Manual
- Server: <burp_workstation_ip>
- Port: 8080
```

### Step 3: Install Burp Suite CA Certificate

**Android (below API 24):**
```bash
# Export Burp CA from Proxy > Options > Import/Export CA Certificate
# Transfer to device and install via Settings > Security > Install from storage
```

**Android (API 24+ / Android 7+):**
Apps targeting API 24+ do not trust user-installed CAs by default. Options:
```bash
# Option A: Modify app's network_security_config.xml (requires APK rebuild)
# Add to res/xml/network_security_config.xml:
# <network-security-config>
#   <debug-overrides>
#     <trust-anchors>
#       <certificates src="user" />
#     </trust-anchors>
#   </debug-overrides>
# </network-security-config>

# Option B: Install as system CA (rooted device)
openssl x509 -inform DER -in burp-ca.der -out burp-ca.pem
HASH=$(openssl x509 -inform PEM -subject_hash_old -in burp-ca.pem | head -1)
cp burp-ca.pem "$HASH.0"
adb push "$HASH.0" /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/$HASH.0

# Option C: Magisk module (MagiskTrustUserCerts)
```

**iOS:**
```
1. Navigate to http://<burp_ip>:8080 in Safari
2. Download Burp CA certificate
3. Settings > General > VPN & Device Management > Install profile
4. Settings > General > About > Certificate Trust Settings > Enable full trust
```

### Step 4: Intercept and Analyze Traffic

With proxy configured, open the target app and navigate through its functionality:

**Burp Suite > Proxy > HTTP History**: Review all captured requests and responses.

Key areas to analyze:
- **Authentication tokens**: JWT structure, token expiration, refresh mechanisms
- **API endpoints**: RESTful paths, GraphQL queries, parameter patterns
- **Sensitive data in transit**: PII, credentials, financial data
- **Response headers**: Security headers (HSTS, CSP, X-Frame-Options)
- **Error responses**: Stack traces, debug information, internal paths

### Step 5: Test API Vulnerabilities Using Burp Repeater

Forward intercepted requests to Repeater for manual testing:

```
Right-click request > Send to Repeater

Test categories:
- Authentication bypass: Remove/modify auth tokens
- IDOR: Modify user IDs, object references
- Injection: SQL injection, NoSQL injection in parameters
- Rate limiting: Rapid request replay for brute force assessment
- Business logic: Modify prices, quantities, permissions in requests
```

### Step 6: Automate Testing with Burp Scanner

```
Right-click request > Do active scan (Professional only)

Scanner checks:
- SQL injection (error-based, blind, time-based)
- XSS (reflected, stored)
- Command injection
- Path traversal
- XML/JSON injection
- Authentication flaws
```

### Step 7: Handle Certificate Pinning

If traffic is not visible due to certificate pinning:

```bash
# Frida-based bypass (generic)
frida -U -f com.target.app -l ssl-pinning-bypass.js

# Objection bypass
objection --gadget com.target.app explore
ios sslpinning disable  # or
android sslpinning disable
```

## Key Concepts

| Term | Definition |
|------|-----------|
| **MITM Proxy** | Man-in-the-middle proxy that terminates and re-establishes TLS connections to inspect encrypted traffic |
| **Certificate Pinning** | Client-side validation that restricts accepted server certificates beyond the OS trust store |
| **Network Security Config** | Android XML configuration controlling app trust anchors, cleartext traffic policy, and certificate pinning |
| **Invisible Proxying** | Burp feature handling non-proxy-aware clients that don't send CONNECT requests |
| **IDOR** | Insecure Direct Object Reference -- accessing resources by manipulating identifiers without authorization checks |

## Tools & Systems

- **Burp Suite Professional**: Full-featured web application security testing proxy with active scanner
- **Burp Suite Community**: Free version with manual interception and basic tools
- **Frida**: Dynamic instrumentation for runtime SSL pinning bypass
- **mitmproxy**: Open-source alternative to Burp Suite for programmatic traffic analysis
- **Charles Proxy**: Alternative HTTP proxy with mobile-friendly certificate installation

## Common Pitfalls

- **Android 7+ CA trust**: User-installed certificates are not trusted by apps targeting API 24+. Must use system CA installation or app modification.
- **Certificate transparency**: Some apps use Certificate Transparency logs to detect MITM. Check for CT enforcement in the app.
- **Non-HTTP protocols**: Burp Suite only handles HTTP/HTTPS. Use Wireshark for WebSocket, MQTT, gRPC, or custom binary protocols.
- **VPN-based apps**: Apps using VPN tunnels bypass device proxy settings. May need iptables rules on a rooted device to redirect traffic.