Configuring Android Emulator with Burp Suite

In this guide we will be configuring an Android Virtual Device (AVD) that will be able to proxy traffic through Burp Suite through HTTP and HTTPS. The difference between this guide and configuring-android-emulator-with-burp-suite-for-htb-challenges is the way certificates are installed on the AVD. This guide is to show how to setup a certificate under SYSTEM Trusted Credentials.

The tools we will setup will be:

First let’s install Android Studio. This will allow us to create emulators for testing.

https://developer.android.com/studio

Once Android Studio is downloaded you can install it via the installation executable. Android Studio can be installed on Windows, MacOS, and Linux.

Next we will install Android Debug Bridge (ADB). *Note this should be with the Android Studio SDK that was already installed.

We should add the platform-tools directory to your User Path to access ADB from the command line without specifying the path.

For Windows it should be:

%USERPROFILE%\AppData\Local\Android\sdk\platform-tools

You will need to restart CMD after updating your User Path Variable. But afterwords you should be able to run adb without issue.

You should also include the emulator path in the User Path so we can run emulator from CMD.

%USERPROFILE%\AppData\Local\Android\sdk\emulator

Again restart CMD, but now we should be able to run emulator.exe.

Next we will install Burp Suite.

https://portswigger.net/burp/communitydownload

The first program we will setup is Android Studio. This will allow us to create emulators for Android Devices.

When starting Android Studio for the first time we will need to create a project.

I will name the Project Android Pentesting.

Click the phone with Android Icon in the Top Right Corner.

Click on “Add a new device…”

Next select Create Virtual Device.

Feel free to experiment with this section. You can setup multiple devices with access to the Play Store and specify the API. For the purpose of this guide I will be using a Google Pixel 6 device that does not have access to the Play Store. *Note that a device with the Google Play Store cannot be rooted. Devices without the Play Store Icon are rooted devices.

The next step is to select the API Version. I will be using Tiramisu version 33. You will need to download the system image.

The last step for this will be naming our device. I chose Pentesting Device. You can name it whatever you prefer. Now Click Finish to create the Android Virtual Device (AVD).

Now we can click the Play button on the right side and our emulator should display. It might take a few minutes on the first boot.

Now we have a device to do Android pentesting on.

Next we can get Burp Suite setup. You can use either Community or Pro.

The first step to get Burp to work with Emulator (or physical device if that is what you are using) is to configure the Proxy Listener.

Click on the Proxy Menu and then click Proxy Settings.

Next click on the 127.0.0.1:8080 and click the Edit button.

Change the Bind to address to All interfaces.

Back on our phone we want to open the Settings on our Pixel device.

From the Settings we want to open Network & Internet.

Next we want to select Internet.

Now click AndroidWifi.

Now click the pencil icon in the top right. Then click Advanced options drop down. We want to configure our Proxy so traffic can route to Burp.

Here we can setup our proxy on our virtual device. We will need to use our Burp host machines IP Address. Mine is 192.168.0.52. You will need to gather your host IP Address from ipconfig/ifconfig/ip addr.

The port will be 8080. This is the Burp Default port.

Now click Save.

Back in Burp we can see traffic flowing through. This is only for HTTP traffic at this point. Our next step will be implementing HTTPS traffic through Burp with the Burp certificate.

Back in the Proxy Listeners section we can click “Import / export CA certificate”. Click on that and then Export Certificate in DER format.

Save the certificate onto your host machine. I named my certificate burp.der.

We need the certificate to be in PEM format and to have the filename equal to the hash value appended with .0 as shown below.

Here are the openssl commands.

openssl x509 -inform DER -in burp.der -out burp.pem

openssl x509 -inform PEM -subject_hash_old -in burp.pem |head -1

mv burp.pem <hash output>.0

The next step will be using Android Bridge to transfer the certificate to our device and open our emulator as a writable system.

You will need to shutdown your device now and we will reboot our device with the emulator command and make it a writable-system.

Using emulator -list-avds we can see our Pentesting_Device.

Now using emulator -avd Pentesting_Device -writable-system, we can start the pentesting device as a writable system.

Open another cmd prompt. We will send the certificate to the /sdcard/ of our device. We will need to run this as root and remount the device.

adb root

adb remount

adb push <hash>.0 /sdcard/

Now reboot the device with adb reboot and then start the device again with emulator -avd Pentesting_Device -writable-system.

Next we will check to make sure are rebooted device is running with root and that the remount is good with the previous adb root and adb remount command. Then connect with adb shell.

Finally we will move the certificate from /sdcard/ to /system/etc/security/cacerts/9a5ba575.0 and change the permissions with chown and chmod.

adb root

adb shell

mv /sdcard/<hash>.0 /system/etc/security/cacerts/

chmod 644 /system/etc/security/cacerts/<hash>.0

chown root:root /system/etc/security/cacerts/<hash>.0

Reboot the device and re-run emulator -avd Pentesting_Device -writable-system. After rebooting the device you should see the PortSwigger listed under Trusted Credentials.

We should now verify that HTTPS traffic is now navigating through Burp Suite. This means we can now analyze and test HTTPS traffic.

If you are having issues please retrace your steps and try rebooting the emulator and Burp if needed.

adb remount might also need to run again and start the emulator with emulator -avd Pentesting_Device -writable-system.

That completes Configuring Android Emulator with Burp Suite Guide.

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Jarrod