Burp Suite

This article primarily focuses on configuring your local workstation, addressing internal networking considerations, and setting up the device to enable traffic proxying. Note that third-party apps may implement defense mechanisms such as certificate pinning to prevent traffic inspection. For security research purposes, the built-in network monitor or Frida scripts can be used in this scenario.

We'll cover the following using Burp Suite as the MITM proxy tool:

• Proxying traffic on both Android and iOS devices hosted in the cloud, with and without the Corellium VPN, including networking considerations for each method to work.
• Using Safari on iOS and the Webview Shell on Android to generate traffic.

You can download a version of Burp Suite here.

Proxy Traffic using the VPN

In the upcoming steps for this section, we'll assume you've connected to the Corellium VPN using the OpenVPN configuration file provided for the device's project in the web interface.

Network Considerations

If your local workstation is behind an enterprise network with strict firewall policies or is required to be connected to an internal VPN, you may not be able to proxy traffic from the device with the Corellium VPN without additional network configurations. Please review our VPN guide which explains what these additional configurations would look like.

Configure Burp Suite

The Burp Suite configuration is the same, whether you're using an Android or iOS device, and whether or not you're using the Corellium VPN.

We’ll bind the Burp Proxy listener to port 8080 and set the address to "All Interfaces." With this proxy listener configuration, HTTP(S) traffic will be accepted from any IP address that can reach the machine, as long as it's routed to the specified port and given your internal networking is not blocking traffic.

1. In Burp Suite and navigate to Proxy -> Proxy Settings -> then edit the Proxy listener to bind to port 8080 and to listen on all interfaces.

2. Ensure the proxy listener is running.

Export a Burp CA Certificate

In Burp Suite, navigate to Proxy -> Proxy Settings -> then under Proxy listeners, select Import / export CA certificate then export the certificate in DER format. The file name should have the .cer file extension.

Moving forward, we'll reference ours as "BurpCA.cer".

Proxy Traffic on Rooted Android

With Burp configured and the Burp CA certifcate exported, we'll need to set up the device to properly proxy traffic through the Burp Suite proxy. We'll be using a rooted Android 14 for this example.

To get the CA certificate properly on the device, you can either:

A) Push the exported Burp certificate into /mnt/sdcard/Download and install the certificate through the Android settings. Refer to the video guide for this method.

B) Continue following the below steps to accomplish this from the terminal instead.

note

The following steps require standard OpenSSL and adb commands to be available.

1. Android expects certificates in PEM format and to be named using their subject hash, so first we'll convert the exported certificate into PEM format.

   openssl x509 -inform DER -in /path/to/BurpCA.cer -out /path/to/BurpCA.pem

2. Then we'll rename the BurpCA.pem file to its subject hash based on the output of this command.

   openssl x509 -inform PEM -subject_hash_old -in /path/to/BurpCA.pem | head -1

   We also need to add a .0 to the end of the file, this tells the system that it’s the primary certificate for that subject hash which allows the system to recognize and load the certificate properly.

   mv /path/to/BurpCA.pem <certificate subject hash>.0

   Our certificate subject hash value is 9a5ba575 so our new name would be 9a5ba575.0.

3. With the certificate renamed to the subject hash, we need to drop this file into the device's system wide trusted certificates.

   First, run the adb connect command for your Android device that uses the VPN connection located in the Connect tab in the web interface:

   adb connect <VPN_ID>:5001 

   Run:

   adb root

   Then push the renamed certificate:

   adb push 9a5ba575.0 /system/etc/security/cacerts/

   You can verify the permissions of the certificate, it should already contain the necessary permissions:

   adb shell ls -l /system/etc/security/cacerts/9a5ba575.0
   -rw-r--r-- 1 root root 1326 2024-12-11 18:57 /system/etc/security/cacerts/9a5ba575.0

   Then we can copy the file to the system wide trusted certificate file path location.

   cp /data/local/tmp/9a5ba575.0 /system/etc/security/cacerts/

4. Set up the HTTP proxy on the device.

   Our example would look like this:

   adb shell settings put global http_proxy 10.11.3.2:8080

   10.11.3.2 is the IP address assigned to our VPN connection and 8080 is the port we used to bind the Burp proxy listener to.

5. You should now be able to proxy traffic from the device.

Proxy Traffic on Non-Rooted Android

We'll be using the same Burp Suite configuration as shown previously with a non-rooted Android 14 device.

1. Run the adb connect command for your device found under the VPN section in the "Connect" tab in the web interface.

2. On the Android device, confirm that you have allowed USB debugging when prompted.

3. Push the CA certificate to the device:

   adb push BurpCA.cer /sdcard/Download

4. Install the certificate on the device. For an Android running version 14.0.0, open the Android settings app and navigate to Security -> Security and privacy -> More security & privacy -> Encryption & credentials -> Install a certificate -> click "CA certificate" -> click "Install Anyway" then go to "Downloads" and click on the Burp CA certificate to install it, you should see the device reboot.

   note

   The exact places to click to install the certificate through the Android settings can vary depending on the firmware version being used.

5. Set up the HTTP proxy on the device.

   Our example would look like this:

   adb shell settings put global http_proxy 10.11.3.2:8080

   10.11.3.2 is the IP address assigned to our VPN connection and 8080 is the port we used to bind the Burp proxy listener to.

6. Traffic can now be proxied from the device.

Proxy Traffic on Jailbroken iOS

Jailbroken iOS devices do not require the CA certificate installed on the device to start intercepting traffic from Safari. We'll be using a jailbroken iPhone 14 running iOS 18 to demonstrate this.

1. Using the same Burp configuration, set the HTTP proxy on the device by opening the iOS settings app -> Wi-Fi -> click the (i) next to the Corellium network -> click "Configure Proxy".

2. Configure the proxy port to the same port the Burp proxy listener is binded and to point the address to the same IP address assigned to your VPN connection.

3. We can now begin intercepting traffic.

Proxy Traffic on Non-Jailbroken iOS

With the VPN connection and Burp Suite configured, we will need to download and install the CA certificate on the non-jailbroken iOS device. We'll be using a non-jailbroken iPhone 14 running 18.0.

A) Mail the certificate to your inbox and download it.

B) Serve the certificate over a web server to the device. Download the certificate through the directory listing.

For option B, this is straight forward:

1. Start the web server from the same directory that the CA certificate is.

   python3 -m http.server <port>

2. Ensure you can reach the device through the VPN connection.

3. In Safari on the device, access the web server to download the certificate:

   <vpn_ip>:<web_server_port>

4. Once you have the certificate downloaded, install it by opening iOS Settings -> General -> VPN & Device Management -> Select the "PortSwigger CA" configuration profile -> Install the Certificate.

5. Ensure the certificate is also trusted. While in iOS Settings -> General -> About -> Enable full trust for the "Port Swigger CA" certificate.

6. Configure the HTTP proxy as show in the jailbroken iOS section.

   • Port: 8080
   • Address: vpn_ip

7. Traffic can now be intercepted.

Proxy Traffic without the VPN

Exluding the non-jailbroken device example, the following steps require you to add a public to your project's authorized keys so you can properly authenticate with the respective proxy server, will only work for devices that were created after adding your public key to the project's authorized keys.

We'll be using the same Burp Configuration and CA certificate we exported previously for these examples.

Network Considerations

• Except for non-jailbroken devices, you must be able to reach and authenticate with the respective proxy server (allowing outbound SSH traffic port 22).

  • Run the "Quick Connect" commands for applicable devices to test this, you should be able to SSH into the device for iOS or adb shell for Android without the VPN.

• Assuming you are proxying traffic over port 8080, outbound/inbound traffic to this port on your local workstation should not be blocked.

Proxy Traffic on Rooted Android

Following steps were done on rooted Android 14.

1. Run the Android "Quick Connect" command found in the web interface for your device. Our device is on Enterprise cloud so this is the example command for our device:

   ssh -M -Ssock -N -f -L 5001:10.11.1.50:5001 f5cdda72-e391-4582-ab8f-adbfa64ae8d2@proxy.enterprise.corellium.com

2. Run the following adb connect command:

   adb connect localhost:5001

3. Assuming you have the Burp certificate exported as shown previous, follow the steps in Proxy Traffic on Rooted Android to convert your certificate to PEM format and named properly.

   Push the certificate to the device:

   adb push 9a5ba575.0 /system/etc/security/cacerts/

4. Set up port forwarding on the device to send the HTTP traffic into Burp running locally:

   adb reverse tcp:8080 tcp:8080

5. Configure the HTTP proxy on the device:

   adb shell settings put global http_proxy localhost:8080

6. We can now start intercepting traffic.

7. When finished, cleanly close the SSH multiplexed session. Command is also found in the "Quick Connection" tab web interface:

   If on Enterprise:

   ssh -Ssock -O exit proxy.enterprise.corellium.com

   If on Individual:

   ssh -Ssock -O exit proxy.corellium.com

Proxy Traffic on Non-Rooted Android

Following steps were done on non-rooted Android 14.

1. Except for the certificate steps, we'll be using the same steps outlined in the rooted Android section for proxying without a VPN.

2. Install the CA certificate the same way as show in the previous non-rooted Android section.

3. Using the same example Burp Suite configuration, traffic can be intercepted from the device.

Proxy Traffic on Jailbroken iOS

In this example we used a jailbroken iPhone 14 running iOS 18.0.

1. Run the SSH reverse tunnel command from your local workstation, requires you use a device that was created after adding a public key your project's authorized keys.

   MacOS/Linux:

   ssh -M -Ssock -N -f -R 8080:localhost:8080 -J <project_id>@<proxy_server> root@<device's_services_ip>

   Windows Powershell:

   ssh -M -S C:\path\for\control_sock -N -f -R 8080:localhost:8080 -J <project_id>@<proxy_server> root@<device's_services_ip>
   • proxy.corellium.com - Individual domain proxy server
   • proxy.enterprise.corellium.com - Enterprise domain proxy server

2. Set the HTTP proxy on the device to point to 127.0.0.1 and port 8080:

3. Using the same example Burp Suite configuration, we are able to start intercepting traffic.

4. Clean up the SSH control session:

   MacOS/Linux:

   ssh -S sock -O exit root@<device's_services_ip>

   Stop the SSH processes in Windows Powershell:

   Stop-Process -Name ssh Force

Proxy Traffic on Non-Jailbroken iOS

Considering we don't have the ability to SSH into non-jailbroken devices, we'll need to take a different approach. We'll be using a non-jailbroken iPhone 14 running iOS 18.0 for this example.

For this example, your local workstation's public ip address needs to be accessible to the internet. If possible, you can configure this in your network router settings through the router's web interface.

If your local workstation is required to be behind an internal VPN, you could consider using split tunneling to exclude traffic to specific IP addresses and the port used by Burp Suite from being routed through the VPN.

1. Configure IP Passthrough in the router settings to forward all traffic from your public IP to your workstation's internal IP. Ensure the internal IP address is static and uniquely identifies your local workstation within the network.

   Once set up, confirm you can ping your public IP address from an external network like from the iOS device.

2. To download the Burp CA certificate on the device, you can serve the certificate over a web server now that the workstation public IP is accessible through the internet.

   Start a web in the directory where the certificate is located:

   python3 -m http.server <port>

   You can verify if a given port is open and accessible from the internet through your public IP using https://canyouseeme.org/, requires a service running on the specified port.

   To access the web server on the iOS device in Safari:

   <workstation_public_ip>:<web_server_port>

   Find and download the certificate from the directory listing.

3. Follow the previous section Proxy Traffic on Non-Jailbroken iOS for installing and trusting the certificate on the device.

4. Configure the HTTP proxy on the device:

   • Address: <workstation_public_ip>
   • Port: <proxy_listener_port>

5. Traffic can now be proxied from the device.

Troubleshoot Traffic Not Appearing in Burp Suite

If you've confirmed your configurations are correct based on the examples and you are not able to proxy traffic from Safari or WebView, there are likely internal network configurations preventing traffic from being proxied. Review the respective Network Considerations for the method being used to understand how to configure your internal network.