Tuesday, April 17, 2018

Getting Burp interception to work in Android Nougat - April 2018

Apparently, it's gotten much harder to intercept mobile app traffic with Burp since my last work a year ago, so guides like this one from PortSwigger no longer work. This is detailed in a great guide here:

https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/

"Starting with Nougat, Android changed the default behavior of trusting user installed certificates. It's no longer possible to just install the Burp CA from the sdcard to start intercepting app traffic. Unless otherwise specified, apps will now only trust system level CAs. The failure happens "invisibly" and is responsible for all the alerts I saw in Burp Suite."

I followed the guide in this article (using a Windows 7 machine), choosing to unpack the apk with apktool as my new Pixel 2 is not rooted, but ran into a bunch of issues:

1. Unpacking the apk required using an older version of apktool (2.2.2).
2. Re-packing the apk required using the latest version of apktool (2.3.1 at the time of this writing), but first following the procedure outlined in this bug report (running apktool empty-framework-dir).
3. Installing OpenJDK 8 to get keytool.exe and jarsigner.exe.
4. Opening the Command Line Interface (cmd) as administrator to run the jarsigner tool.
5. Installing AndroZip on the phone to access the destination folder for the new apk file and install it from there, to get the prompt to install untrusted apps.
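
The quoted passage above says apps trust only system CAs "unless otherwise specified". On Android 7.0+ that specification lives in the app's Network Security Configuration XML. The following is an added example (not from the original post or the linked guide) that audits such a file for scopes that trust user-installed CAs, for instance to confirm that a release build does not accept them. The sample config, the `audit` helper and the domain name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config for illustration; not taken from any real app.
SAMPLE_CONFIG = """
<network-security-config>
  <base-config>
    <trust-anchors><certificates src="system" /></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.test</domain>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user" /></trust-anchors>
  </debug-overrides>
</network-security-config>
"""

DEFAULT_ANCHORS = {"system"}  # platform default for apps targeting API 24+


def anchors(element):
    """Certificate sources in element's own <trust-anchors>, or None if it has none."""
    ta = element.find("trust-anchors") if element is not None else None
    return None if ta is None else {c.get("src") for c in ta.findall("certificates")}


def audit(xml_text):
    """Return [(scope, affects_release_builds)] for each scope that trusts user CAs."""
    root = ET.fromstring(xml_text)
    findings = []
    base = anchors(root.find("base-config"))
    base = DEFAULT_ANCHORS if base is None else base
    if "user" in base:
        findings.append(("base-config", True))

    def walk(parent, inherited):
        for dc in parent.findall("domain-config"):
            own = anchors(dc)
            effective = inherited if own is None else own
            names = ",".join((d.text or "").strip() for d in dc.findall("domain"))
            if "user" in effective:
                findings.append(("domain-config[%s]" % names, True))
            walk(dc, effective)  # nested domain-configs inherit from their parent

    walk(root, base)
    # debug-overrides only applies when the app is built with android:debuggable="true"
    if "user" in (anchors(root.find("debug-overrides")) or set()):
        findings.append(("debug-overrides", False))
    return findings
```

A finding marked `False` only takes effect in debuggable builds; one marked `True` means the shipped app accepts user-installed CAs for that scope.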


Another resource: https://serializethoughts.com/2016/09/10/905/

Update 5-1: This wound up not working for the app I was using. Instead I used an app called Packet Capture to look at the packets on the phone directly.
