Burp Suite & WhatsApp: Intercepting Traffic

TL;DR

This guide shows you how to use Burp Suite to intercept and examine the traffic between your phone and WhatsApp. This is useful for security testing, understanding the protocol, or debugging issues.

Prerequisites

  • A computer running Burp Suite (Community Edition is sufficient).
  • An Android or iOS device with WhatsApp installed.
  • USB cable to connect your phone to your computer.

Step 1: Configure Burp Suite

  1. Start Burp Suite and ensure the Proxy is running (usually on 127.0.0.1:8080). Check this under the ‘Proxy’ tab, then ‘Options’.
  2. Export Burp’s CA certificate so it can be installed on your device. In Burp Suite, go to ‘Proxy’ -> ‘Options’ and click ‘Import / export CA certificate’. Save the certificate (usually a .der file) to your computer.

Step 2: Install the Certificate on Your Android Device

  1. Connect your phone to your computer via USB. Make sure you have enabled ‘USB debugging’ in Developer Options. (To enable Developer Options, go to Settings -> About Phone and tap ‘Build number’ seven times).
  2. Transfer the CA certificate to your phone’s internal storage. You can use a file manager app or Android File Transfer on macOS.
  3. Install the certificate: Go to Settings -> Security (or Biometrics and security) -> Encryption & credentials -> Install a certificate. You may need to select ‘CA certificate’ from a dropdown menu. You’ll likely be prompted for your PIN, pattern or password. Warning: Android versions vary significantly; you might have to search online for specific instructions for your device model.
  4. Trust the Certificate: After installation, ensure the certificate is trusted. This may involve going back into Security settings and explicitly trusting it.

Step 3: Configure WhatsApp to Use Burp Suite’s Proxy

  1. Connect your phone to the same Wi-Fi network as your computer. Find your computer’s IP address (e.g., using ipconfig on Windows or ifconfig on Linux/macOS).
  2. Configure WhatsApp’s proxy settings: This is the trickiest part as WhatsApp doesn’t have a direct proxy setting in its UI. You’ll need to use an app like Packet Capture or similar network configuration apps from the Google Play Store. These apps allow you to set a custom HTTP/HTTPS proxy for all traffic, including WhatsApp.
  3. Set the proxy host to your computer’s IP address and port to 8080.

Step 4: Intercept Traffic in Burp Suite

  1. Start capturing traffic in Burp Suite by going to the ‘Proxy’ tab and ensuring ‘Intercept is on’.
  2. Open WhatsApp on your phone and perform an action you want to intercept (e.g., send a message, make a call).
  3. Examine the traffic in Burp Suite’s HTTP history. You should see requests related to WhatsApp appearing.

Step 5: Troubleshooting

  • Certificate not trusted: Double-check that you’ve installed and *trusted* the CA certificate on your phone. Restarting your phone can sometimes help.
  • No traffic appearing in Burp Suite: Verify that WhatsApp is actually using the proxy settings you configured (using Packet Capture or similar). Ensure your computer and phone are on the same Wi-Fi network. Check your firewall isn’t blocking connections to port 8080.
  • HTTPS issues: Burp Suite needs its CA certificate installed correctly for HTTPS interception to work.
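
For the ‘No traffic appearing’ case above, a listener bound only to 127.0.0.1 cannot be reached from the phone, so it helps to test the port on both the loopback and the Wi-Fi address from the computer itself. The script below is an added example, not part of the original guide; the function names, result strings and the example.com placeholder are its own, and it assumes the proxy answers an HTTP CONNECT request with a 200 status line.

```python
import socket
import sys


def probe(host, port, timeout=3.0):
    """Return 'unreachable', 'not-a-proxy' or 'proxy-ok' for host:port."""
    try:
        # The timeout set here also applies to the later send and recv calls.
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # nothing listening here, or a firewall drops it
    with sock:
        # Ask for a tunnel the way the phone's HTTPS client would.
        # example.com is a placeholder target (assumption, not from the guide).
        sock.sendall(b"CONNECT example.com:443 HTTP/1.1\r\n"
                     b"Host: example.com:443\r\n\r\n")
        try:
            reply = sock.recv(1024)
        except OSError:  # timeout or reset: no HTTP answer came back
            return "not-a-proxy"
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1] == b"200":
        return "proxy-ok"
    return "not-a-proxy"


def explain(loopback, lan):
    """Turn the loopback and LAN probe results into the likely cause."""
    if lan == "proxy-ok":
        return "listener reachable on the LAN address: check the phone's proxy settings"
    if loopback == "proxy-ok":
        return "loopback only: bind the listener to the LAN address or open the port in the firewall"
    if loopback == "unreachable":
        return "no listener on this port: start the proxy"
    return "something other than an HTTP proxy is using this port"


if __name__ == "__main__":
    # Usage: python check_proxy.py <computer-ip> 8080
    lan_ip, port = sys.argv[1], int(sys.argv[2])
    lo, lan = probe("127.0.0.1", port), probe(lan_ip, port)
    print(f"127.0.0.1:{port} -> {lo}\n{lan_ip}:{port} -> {lan}\n{explain(lo, lan)}")
```

Run it on the computer with the IP address found in Step 3 and the listener port; a ‘loopback only’ result means the phone cannot reach the proxy however its own settings are configured.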