Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Intercepting Android version 8.1 HTTPS Traffic

Spencer Feb 19, 2018 12:57AM UTC

Hi there,

I have a rooted Nexus 5x (Magisk rooted) with Android 8.1 installed. I have been trying to intercept traffic with Burp but I'm running into problems that I have never had before.

There are only a few HTTPS requests that I can seem to intercept. Both in FireFox and Chrome, I get a "certificate untrusted" error in one form or another and I can't connect to HTTPS websites. I've tried having the Burp CA installed at a User Certificate for VPN/Apps, for WiFi, and for both. None changed anything. I also tried moving the User Certificate into the System Certificates folder and I'm still running into the same issues.

I'm listening on my computer on it's own IP and an unused port, then putting the phone in airplane mode and turning wifi on, then setting the proxy settings.

Burp will intercept some traffic, but most fails SSL validation, even traffic in my browser which surprises me.

I've tried installing SSL Unpinner from Xposed framework, doesn't change anything. I tried Inspeckage from Xposed and it fails to hook any activity. The only thing I can think of that I haven't tried is Frida Framework, but it doesn't seem to be compatible with Android 8.1 from what I can tell.

If anyone has any ideas that would be very helpful! Thank you!


Liam Tai-Hogan Feb 19, 2018 04:07PM UTC Support Center agent

Android have changed how they handle trusted certificate authorities (CAs):

- https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

We haven’t performed testing on this OS, however, there are some examples online:

- https://blog.nviso.be/2017/12/22/intercepting-https-traffic-from-apps-on-android-7-using-magisk-burp/

- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/bypassing-androids-network-security-configuration/

Please let us know if you need any further assistance.


Alok Jain Jul 11, 2018 04:33AM UTC
Please provide an alternate to intercept HTTPS traffic of Android devices v7+ .

Also, request you to please mention detailed tutorial for other readers also.

Paul Johnston Jul 11, 2018 07:25AM UTC Support Center agent

Hi Alok,

The tutorial that users have most success with is this one:

- https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/

Just to be clear, Burp does not provide a “point and click” method to intercept these devices – this is an advanced topic where testers will need to manually configure the environment.


Shathish Ramraj Sep 14, 2018 06:44AM UTC
Could you please guide me to intercept the traffic of Android 8.1 Oreo with out root.

Liam Tai-Hogan Sep 14, 2018 06:57AM UTC Support Center agent

Since Android Nougat, Android no longer trusts user or admin supplied CA certificates. We recommend that you use an older version of Android for your testing. If you must use Android Nougat then you will need to install a trusted CA at the Android OS level on a rooted device or emulator.

Please let us know if you need any further assistance.


Post Your public answer

Your name
Your email address
Answer