How to Debug HTTP(S) Traffic for Android Apps with Burp Proxy

If you have ever developed apps using HTTP(S) APIs you probably encountered situations when the server answered with errors like 400 Bad Request error or your app failed to parse responses throwing exceptions with enigmatic messages like Unterminated string at line 1 column 57345 and you have no idea what is going on. Everything seems to match specifications but the app does not work. This article will explain one of the ways to debug such cases – Burp Proxy – while your Android mobile app development.

Burp Proxy – what is this?

What is Burp Proxy? The official documentation says:

Burp Proxy allows manual testers to intercept all requests and responses between the browser and the target application, even when HTTPS is being used.

In fact, we can replace a browser with any other app!

The limitation

Due to the Changes to Trusted Certificate Authorities in Android Nougat this tutorial may not be applicable in all the cases. Burp officially recommends using a device with an Android version older than Nougat or rooted one. However, if the target SDK version is 23 or lower, the mentioned behavior changes are not applied. Even if a device has Android Nougat or newer or app targets API 24 or newer, the app can provide its own network security configuration. Moreover, HTTPS proxy won’t work if the app uses certificate pinning e.g. with okhttp.

Setup

Firstly, you need to download and launch Burp Suite (free, community edition is sufficient). Remember to whitelist Burp on the firewall if applicable. Then you can enable a proxy module:

Note that machine running proxy has to be accessible from your mobile device or AVD which you are testing on. E.g. they can be in the same WiFi network (wireless client isolation has to be disabled). Choose IP of the appropriate interface in Burp options and confirm using the OK button. Now proxy is running and we can configure the mobile device to use it. Go to WiFi settings, long press appropriate SSID (network name) and choose Modify network option. Then, you can enter proxy IP and port as shown in Figure 2.

If your app uses only HTTP, not HTTPS, that’s all the setup. However, in case of most modern apps, you need to follow the next section.

HTTPS

We need a little bit more steps to support HTTPS. Firstly, open a browser app on a mobile device, go to a proxy IP address and download CA certificate:

Then, change the extension of a CA certificate file to .cer (use .pem if it does not work in the next step).

Finally, you can install a certificate. Go to security settings and find an option to install the certificate from storage. Exact location and name of this option vary between manufacturers and Android versions. Choose an appropriate file and install cert using Wi-Fi credential type:

Let’s inspect it

We’re all set for now and we can start debugging. We’ll try to inspect traffic of an official Wikipedia app. Note that we don’t need to modify an app and we even don’t require source code. Open the app and go to Proxy -> Intercept tab. What’s important, traffic from other apps running in the background will be also intercepted. You can use Forward button to pass it through. The sample result is shown in figure 6.

Interception can be disabled by clicking on Intercept is on the button. In such case, the proxy will forward everything. Note that all the request and responses, no matter if intercepted or not are listed in HTTP history tab:

We can see the whole request including HTTP headers. Apart from examining its contents, we can take several actions:

• Drop –request won’t be sent to server
• Modify – the whole area with contents is editable, content can be changed
• Forward – request (maybe modified) will be sent to server
• Open Action menu – see figure 8.

As you can see Burp suite has a lot of features (there are even books about it). The most important one for us is highlighted. If you choose it and forward the request, the response will be also intercepted. And it can be modified before it reaches the app.

Let’s change it

Now we know the most important theory, so let’s start some practice. For example, we can modify language-related headers in a request. To do that just edit Accept-Language and Host headers. In this example English (corresponding to the locale set on the device) is changed to French:

After forwarding such request we get an app in English but with French content:

We can also modify responses. For example, we can insert additional text into articles:

After forwarding such response, we can see that it is reflected in the app:

Wrap up

HTTP(S) proxy is quite a powerful tool. It allows you to examine, intercept, and modify requests and responses. It may help a lot in-app debugging and can be used even on apps installed from stores. However, restrictions may exist if HTTPS is used on Android Nougat or newer, but Burp Proxy is coming to the rescue! Burp suits has a user-friendly windowed interface and it is super easy to use. Neither source code access nor development skills are needed.

• Read also: How to Split Pull Requests – Good Practices, Methods and Git Strategies

Related posts