Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Pen test on Android app using kali linux

Garry | Last updated: Oct 04, 2017 12:37PM UTC

Hi, I am new to mobile app pen test Can anyone summarize the steps for conducting pen test on android app using kali linux? Please point me to specific tutorials if that is required to be learnt as novice user Rds, Garry

Liam, PortSwigger Agent | Last updated: Oct 04, 2017 12:38PM UTC

You can follow these tutorials to set up your Android device with Burp Suite: - https://support.portswigger.net/customer/portal/articles/1841101-configuring-an-android-device-to-work-with-burp - https://support.portswigger.net/customer/portal/articles/1841102-Mobile%20Set-up_Android%20Device%20-%20Installing%20CA%20Certificate.html It's worth noting that some native apps use their own certificate trust store, and some implement certificate pinning to only trust specific server-side certificates. In this situation, breaking the SSL tunnel is non-trivial and may entail jailbreaking the device or using some other advanced tools. One of our users created a short video on the process for Android: https://vimeo.com/137672482 In the video they go over how to setup Android with ProxyDroid and FS Cert Installer to push HTTPS App traffic to Burp Suite. They also provided these basic instructions. Burp Suite Host: Reset burp suite Turn on listen to all interfaces Android Host: Remove all User Certs Stop task and remove data for ProxyDroid and FS Cert installer ( you can just uninstall reinstall ) Put the phone in airplane mode then turn on WIFI In FS Cert put in proxy IP and PORT then click the middle button Add CA and add it under WIFI Cert in the dropdown Then click test chain and it should all be green yes for www.google.com For Proxydroid just put in the IP and port and also tunnel DNS Kill or reinstall any apps before you start to make sure they go through the proxy properly Please let us know if you need any further assistance.

Burp User | Last updated: Oct 05, 2017 06:15AM UTC

Thanks Liam for the reply Tried accessing the videos :https://vimeo.com/137672482 But search results did not return any results. Please advice if video can be accessed in any other format like pdf ? Rds, Garry

Liam, PortSwigger Agent | Last updated: Oct 05, 2017 07:16AM UTC

Hi Gary Apologies, I hadn't realised the video had been removed. Which version of Android are you using?

Burp User | Last updated: Oct 05, 2017 11:42AM UTC

6.0.1

Liam, PortSwigger Agent | Last updated: Oct 05, 2017 12:47PM UTC

The steps detailed above should still work: Reset burp suite Turn on listen to all interfaces Android Host: Remove all User Certs Stop task and remove data for ProxyDroid and FS Cert installer ( you can just uninstall reinstall ) Put the phone in airplane mode then turn on WIFI In FS Cert put in proxy IP and PORT then click the middle button Add CA and add it under WIFI Cert in the dropdown Then click test chain and it should all be green yes for www.google.com For Proxydroid just put in the IP and port and also tunnel DNS Kill or reinstall any apps before you start to make sure they go through the proxy properly However, it's also worth noting that Android have changed how they handle trusted certificate authorities (CAs): - https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.