Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Whatsapp and twitter MITM

giri | Last updated: Jul 20, 2017 09:30AM UTC

Dears, Can anyone please assist why cant i intercept Whatsapp or twitter packets from mobile device even after installing the burp certificate and unpinned the app.

Liam, PortSwigger Agent | Last updated: Jul 20, 2017 09:45AM UTC

It’s possible that the native apps are not using the CA certificate that you have installed on the device. Some native apps use their own certificate trust store, and some implement certificate pinning to only trust specific server-side certificates. In this situation, breaking the SSL tunnel is non-trivial and may entail jailbreaking the device or using some other advanced tools. Which mobile device are you using?

Burp User | Last updated: Jul 24, 2017 06:15AM UTC

Thanks for the reply. I am using lenovo (rooted).

Liam, PortSwigger Agent | Last updated: Jul 24, 2017 07:53AM UTC

One of our users created a short video on the process of setting up Android with ProxyDroid and FS Cert Installer to push HTTPS App traffic to Burp Suite: https://vimeo.com/137672482 They also provided these basic instructions. Burp Suite Host: • Reset burp suite • Turn on listen to all interfaces Android Host: • Remove all User Certs • Stop task and remove data for ProxyDroid and FS Cert installer ( you can just uninstall reinstall ) • Put the phone in airplane mode then turn on WIFI • In FS Cert put in proxy IP and PORT then click the middle button Add CA and add it under WIFI Cert in the dropdown • Then click test chain and it should all be green yes for www.google.com • For Proxydroid just put in the IP and port and also tunnel DNS • Kill or reinstall any apps before you start to make sure they go through the proxy properly Please let us know if you need any further assistance.

Burp User | Last updated: Jul 07, 2018 05:05PM UTC

Hi Liam Tai-Hogan, Your suggestion is not working. I have a rooted android device. HTTPS listening but Whatsapp, Twitter etc. app's not https listening, because there have own certificate. Do you have a new solution for this?

PortSwigger Agent | Last updated: Jul 09, 2018 07:12AM UTC

Hi Marco, We don't have a point and click solution to this. Intercepting apps like this is usually possible, but is an advanced technique and you should expect to do considerable manual work to achieve it. This blog is a good starting point: - https://blog.netspi.com/four-ways-bypass-android-ssl-verification-certificate-pinning/

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.