Intercept HTTPS Traffic from Android App — AndroGoat -Part 1

In previous article I have shown how to intercept HTTP traffic from Android app. Now, in this section we will learn how to intercept HTTPS traffic from Android app in Android OS 6.0(API 23) or below. The extra step here is to add proxy certificate to trusted certificates list in mobile device.

Why proxy certificate should be installed in mobile device?

When we try to intercept HTTPS traffic of a web application through a man-in-the-middle attack, browser will show notification that the communication may be at risk. There are similar notifications in Mobile browsers. But these notifications are not shown in Mobile apps and prevents us from capturing HTTPS traffic.
So Burp root certificate should be added as trusted certificate on the mobile device. This allows proxy tool to capture all HTTPS traffic from mobile device.

Burp generates self-signed certificates for every host that app is trying to connect. However, Burp certificate is not a trusted certificate by mobile device. Trusted certificate list can be viewed from Settings → Security → Trusted Credentials.

How to Install Proxy Certificate?
1. Launch Burp Suite and configure proxy settings as discussed in “Intercept HTTP Traffic from Android App — AndroGoat”
2. In Mobile Device, open any browser and visit
http://<Laptop-IP>:<Burp Port>
E.g: http://192.168.0.100:8090

3. Click ‘CA Certificate’ to download Burp root
4. Install Burp Certificate

5. Now this user installed certificate can be viewed in Settings → Security → Trusted Credentials → User

How to Intercept HTTPS traffic?
1. Configure proxy in Mobile Device as discussed in “Intercept HTTP Traffic from Android App — AndroGoat”
2. Launch AndroGoat → Network Intercepting → Tap on ‘HTTPS’ button.

3. You can see HTTPS request captured in proxy.

With this we have completed “Objective 2.1. Intercept traffic in Android API 23 (version 6 Marshmallow) or below” in AndroGoat.
In next section we will see how to intercept traffic from Android devices with API 24(version 7 Nougat) or above.

Connect with me on GitHub and Twitter for more insights, updates and tools.