Burp Suite User Forum


Android SSL Proxy - Works on browser but not on app

K | Last updated: Jan 08, 2018 07:24PM UTC

Hello, I'm trying to proxy traffic from an Android application to Burp. I've set up the proxy in the mobile device's WiFi settings and imported the Burp CA certificate onto the Android device. I'm able to see traffic from the Android device when I use the device's web browser. However, when I try to intercept traffic from the mobile application I keep getting the message: "The client failed to negotiate an SSL connection to <target_host>: Received fatal alert: certificate_unkown". The app is using a series of web services, so I'm assuming I should be able to see the traffic. Any ideas on what I could do to resolve this? Thanks in advance.

Liam, PortSwigger Agent | Last updated: Jan 09, 2018 09:47AM UTC

It's possible that the native apps are not using the CA certificate that you have installed on the device and which is being used by your browser. Some native apps use their own certificate trust store, and some implement certificate pinning to only trust specific server-side certificates. In this situation, breaking the SSL tunnel is non-trivial and may entail jailbreaking the device or using some other advanced tools.

Usually, we would advise setting up Android with ProxyDroid and FS Cert Installer to push HTTPS app traffic to Burp Suite:

- Reset Burp Suite
- Turn on "listen to all interfaces"

Android host:

- Remove all user certs
- Stop task and remove data for ProxyDroid and FS Cert Installer (you can just uninstall and reinstall)
- Put the phone in airplane mode, then turn on WiFi
- In FS Cert, put in the proxy IP and PORT, then click the middle button
- Add the CA and add it under "WIFI Cert" in the dropdown
- Then click "test chain" and it should all be green "yes" for www.google.com
- For ProxyDroid, just put in the IP and port and also tunnel DNS
- Kill or reinstall any apps before you start to make sure they go through the proxy properly

However, it's also worth noting that Android has changed how it handles trusted certificate authorities (CAs):

- https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
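The Android CA change linked above is controlled per app by a Network Security Configuration file. The following is an added illustration, not code from this thread or from PortSwigger, of why a user-installed proxy CA is rejected by default and how an app's own developers can make a debug build trust it; the hostname and pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Release behaviour (the Android 7.0+ default when no config is present):
         only the system CA store is trusted, so a CA installed by the user
         is ignored and the TLS handshake to the proxy fails. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Honoured only when the app is built with android:debuggable="true";
         lets the developers' own debug build trust the user-installed Burp CA
         without weakening the release build. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>

    <!-- Certificate pinning for the app's own API host. Pins are base64 SHA-256
         hashes of the server's SubjectPublicKeyInfo; the values below are
         placeholders and must be replaced with the real key hashes. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2019-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- backup pin for key rotation -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Pinned domains reject any certificate chain whose keys do not match a pin, so even a trusted proxy CA will not satisfy the `<domain-config>` section; that is the behaviour described above as "certificate pinning".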
