Skip to main content

Configure an Intercept Proxy

You will need to configure your device to use an intercept proxy such as Burp Suite.

Installing Burp's Certificate -- Android 10 and older

The way Android handles certificates changed in Android 7. By design, the system will not trust a user CA certificate. So, trying import the Burp certificate as a user will not work any longer. Now we must install the Burp CA certificate in the System certificate store for it to be trusted. This will require a rooted device:

  • Start Burp on your computer

  • Grab the Burp certificate using curl

    curl -s --proxy http://127.0.0.1:8080 -o cacert.der <http://burp/cert>

  • Convert the certificate to a DER format

    openssl x509 -inform DER -in cacert.der -out cacert.pem

  • The Android device will expect the certificate as a hash of the certificate subject

    cp cacert.der $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1).0

  • Push the hashed version to the device

    adb push $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1).0 /sdcard/

  • Run these commands to move the certificate in place on the device

    adb shell 'su -c mount -o rw,remount /system'
    adb shell 'su -c mv /sdcard/*.0 /system/etc/security/cacerts'
    adb shell 'su -c chmod 644 /system/etc/security/cacerts/${CERTNAME}'
    adb shell 'su -c mount -o ro,remount /system'
    adb shell 'su -c reboot'

Installing Burp's Certificate -- Android 11 or newer

Android 11 has further restricted the trusted CA certificates. The filesystem that holds the cacerts directory is now a tmpfs mount, so the procedure above will no longer work. The best way to get the Burp certificate trusted in the System certificate store is to use Magisk and the AlwaysTrustUserCertificates module.

Install the Magisk Module

  • Download the "Always Trust User Certificates" Magisk module from https://github.com/NVISOsecurity/MagiskTrustUserCerts/releases

  • Copy that zip file to the device using adb push

    adb push AlwaysTrustUserCerts.zip /sdcard/Download/

  • Open the Magisk manager app, and tap on Modules

  • Tap the button at the top to "Install from storage"

  • Tap the AlwaysTrustUserCerts.zip file

  • Once the module is flashed, reboot the device

Install the CA Certificate

  • Export the certificate from Burp, and copy it to the device

    adb push burpca.crt /sdcard/Download/

  • On the device, Open the Settings app then go to Security Encryption & credentials Install a certificate CA certificate

  • Accept the big, scary "Your data won't be private" message by tapping on "Install anyway"

  • Tap on the burpca.crt file (or whatever you named yours)

  • The certificate will then be installed into the User certificate store, but we need to have it trusted in the System certificate store

  • On the User tab, verify that the PortSwigger certificate is installed

  • Reboot the device (this forces the module installed above to copy the certificates into the System certificate store

  • When the device comes back up, launch the Settings app again and go to Security Encryption & credentials Trusted credentials

  • On the System tab, scroll down to verify that the PortSwigger certificate is there

  • With this module enabled, your Burp certificate will be copied every time the device boots up