Intercept App Traffic with Burp Suite

TL;DR

Yes, you can set up Burp Suite to intercept traffic from your client application (like a mobile app or desktop program). This lets you see and modify the data being sent between the app and its server. Here’s how.

Setting Up Burp Suite for App Traffic Interception

  1. Install and Configure Burp Suite: If you haven’t already, download and install Burp Suite Community or Professional from PortSwigger’s website. Launch the application.
    • Go to Proxy > Options.
    • Under the Proxy Listeners tab, ensure a listener is running on a suitable port (default is 18089). Note this port number; you’ll need it later.
    • If you’re intercepting from a different machine, add or edit a listener so that it binds to all interfaces (0.0.0.0).
  2. Configure Your Application to Use Burp as a Proxy: This is the most variable step, depending on your application type.
    • Web Browser: Configure your browser’s proxy settings to use 127.0.0.1 (localhost) and the port you noted in Step 1 (usually 18089).
    • Mobile App (Android): Most Android apps don’t have built-in proxy settings. You will need a tool like:
      • Genymotion: A popular Android emulator with easy Burp integration. Configure Genymotion to use the Burp Suite proxy.
      • Frida: A dynamic instrumentation toolkit that allows you to modify app behavior, including setting up a proxy. This is more advanced.
      • Network Proxy Apps: Apps like HTTP Canary or Packet Capture can be configured to route traffic through Burp.
    • Mobile App (iOS): Similar to Android, iOS apps usually require a third-party tool:
      • Burp Suite’s built-in iOS proxy: Connect your iOS device to the same Wi-Fi network as your computer. In Burp Suite, go to Proxy > Options and configure the iOS proxy settings (you’ll need to install a configuration profile on your iPhone).
      • Proxyman: A dedicated macOS app for intercepting mobile traffic with good Burp integration.
    • Desktop Application: Some desktop apps allow you to configure a system-wide proxy or an application-specific proxy. Check the app’s settings.
  3. Install Burp Suite’s CA Certificate (Important!): Apps using HTTPS will not trust Burp unless its certificate is installed as a trusted root authority on your device/emulator.
    • In Burp Suite, go to Proxy > Options and click “Import / export CA certificate”.
    • Download the certificate (usually in .der format).
    • Android: Install the certificate via Settings > Security > Encryption & credentials > Install a certificate. You may need to give your device a name and PIN.
    • iOS: Open the downloaded certificate on your iPhone/iPad. Follow the prompts to install it in Settings > General > VPN & Device Management.
    • Web Browser: Import the certificate into your browser’s trusted root certification authorities store (usually found in settings under Privacy and Security).
  4. Verify Interception:
    • Use your application so that it generates traffic.
    • In Burp Suite, go to the Proxy > HTTP history tab.
    • You should see requests from your application appearing in the list. If not:
      • Double-check your proxy settings in both Burp and the app.
      • Ensure the CA certificate is correctly installed.
      • Restart the app and/or emulator.
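
One way to script the check in step 4 from the command line (an added example, not part of the original article or of Burp Suite): it requests a CONNECT tunnel from the listener and completes TLS while trusting only the CA certificate exported in step 3, so the result separates a proxy problem from a certificate problem. The function names and result labels are assumptions made for this example.

```python
import socket
import ssl
import sys

def parse_connect_status(raw: bytes) -> int:
    """Status code from the proxy's reply to CONNECT, or 0 if malformed."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return 0
    return int(parts[1])

def check_interception(proxy_host, proxy_port, target_host, ca_der, timeout=5.0):
    """Return 'proxy-unreachable', 'connect-rejected', 'intercepted',
    'not-intercepted' (certificate did not validate against ca_der) or 'tls-failed'."""
    try:
        sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    except OSError:
        return "proxy-unreachable"
    with sock:
        try:
            # Ask the proxy for a tunnel, exactly as an HTTPS client would.
            sock.sendall(f"CONNECT {target_host}:443 HTTP/1.1\r\n"
                         f"Host: {target_host}:443\r\n\r\n".encode())
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
        except OSError:
            return "connect-rejected"
        if parse_connect_status(raw) != 200:
            return "connect-rejected"
        # Start from an empty trust store and add only the exported Burp CA (DER bytes).
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cadata=ca_der)
        try:
            with ctx.wrap_socket(sock, server_hostname=target_host):
                return "intercepted"
        except ssl.SSLCertVerificationError:
            return "not-intercepted"
        except OSError:
            return "tls-failed"

if __name__ == "__main__":
    # Usage: python3 check.py <burp-ca.der> <proxy-port> <target-host>
    with open(sys.argv[1], "rb") as fh:
        print(check_interception("127.0.0.1", int(sys.argv[2]), sys.argv[3], fh.read()))
```

A result of not-intercepted means the tunnel opened but the server certificate did not validate against the supplied CA, which points at TLS pass-through or the wrong certificate file rather than at the proxy settings.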

Troubleshooting

  • No Traffic: The most common issue. Verify proxy settings, CA certificate installation, and that your application is actually routing traffic through the configured proxy.
  • Certificate Errors: Ensure Burp’s CA certificate is installed correctly on all devices/emulators accessing HTTPS resources.
  • App Detects Proxy: Some apps actively detect and block proxies. You may need to use more advanced techniques like Frida or modify the app’s code (if possible).