Everything seems to match specifications but the app does not work? Discover Burp Proxy — one of the best ways of debugging HTTP(S) traffic! Neither source code access nor development skills are needed.

If you have ever developed apps using HTTP(S) APIs you probably encountered situations when server answered with errors like 400 Bad Request error or your app failed to parse responses throwing exceptions with enigmatic messages like Unterminated string at line 1 column 57345 and you have no idea what is going on. Everything seems to match specifications but the app does not work. This article will explain one of the ways to debug such cases – Burp Proxy.

Burp Proxy — what is this?

What is Burp Proxy? The official documentation says:

Burp Proxy allows manual testers to intercept all requests and responses between the browser and the target application, even when HTTPS is being used.

In fact, we can replace a browser with any other app!

The limitation

Due to the Changes to Trusted Certificate Authorities in Android Nougat this tutorial may not be applicable in all the cases. Burp officially recommends using device with Android version older than Nougat or rooted one. However, if target SDK version is 23 or lower, mentioned behaviour changes are not applied. Even if a device has Android Nougat or newer or app targets API 24 or newer, the app can provide its own network security configuration. Moreover, HTTPS proxy won’t work if the app uses certificate pinning e.g. with okhttp.

Setup

Firstly, you need to download and launch Burp Suite (free, community edition is sufficient). Remember to whitelist Burp on the firewall if applicable. Then you can enable a proxy module:

Figure 1. Burp Proxy options window

Note that machine running proxy has to be accessible from your mobile device or AVD which you are testing on. E.g. they can be in the same WiFi network (wireless client isolation has to be disabled). Choose IP of the appropriate interface in Burp options and confirm using the OK button. Now proxy is running and we can configure the mobile device to use it. Go to WiFi settings, long press appropriate SSID (network name) and choose Modify network option. Then, you can enter proxy IP and port as shown in Figure 2.

Figure 2. SSID settings pop-up

If your app uses only HTTP, not HTTPS, that’s all the setup. However, in case of most modern apps, you need to follow the next section.

HTTPS

We need a little bit more steps to support HTTPS. Firstly, open a browser app on a mobile device, go to a proxy IP address and download CA certificate:

Figure 3. Proxy webpage

Then, change the extension of a CA certificate file to .cer (use .pem if it does not work in the next step).

Figure 4. CA certificate file rename

Finally, you can install a certificate. Go to security settings and find an option to install the certificate from storage. Exact location and name of this option vary between manufacturers and Android versions. Choose an appropriate file and install cert using Wi-Fi credential type:

Figure 5. CA certificate installation

Let’s inspect it

We’re all set for now and we can start debugging. We’ll try to inspect traffic of an official Wikipedia app. Note that we don’t need to modify an app and we even don’t require source code. Open the app and go to Proxy -> Intercept tab. What’s important, traffic from other apps running in the background will be also intercepted. You can use Forward button to pass it through. The sample result is shown in figure 6.

Figure 6. Proxy intercept tab

Interception can be disabled by clicking on Intercept is on the button. In such case, the proxy will forward everything. Note that all the request and responses, no matter if intercepted or not are listed in HTTP history tab:

Figure 7. HTTP history

We can see the whole request including HTTP headers. Apart from examining its contents, we can take several actions:

Drop –request won’t be sent to server

–request won’t be sent to server Modify — the whole area with contents is editable, content can be changed

Forward — request (maybe modified) will be sent to server

— request (maybe modified) will be sent to server Open Action menu — see figure 8.

Figure 8. Intercept actions

As you can see Burp suite has a lot of features (there are even books about it). The most important one for us is highlighted. If you choose it and forward the request, the response will be also intercepted. And it can be modified before it reaches the app.

Let’s change it

Now we know the most important theory, so let’s start some practice. For example, we can modify language-related headers in a request. To do that just edit Accept-Language and Host headers. In this example English (corresponding to the locale set on the device) is changed to French:

Figure 9. Request editor

After forwarding such request we get an app in English but with French content:

Figure 10. English app with French content

We can also modify responses. For example, we can insert additional text into articles:

Figure 11. Response editor

After forwarding such response, we can see that it is reflected in the app:

Figure 12. Modified Wikipedia

Wrap up

HTTP(S) proxy is quite a powerful tool. It allows you to examine, intercept and modify request and responses. It may help a lot in app debugging and can be used even on apps installed from stores. However, restrictions may exist if HTTPS is used on Android Nougat or newer, but Burp Proxy is coming to the rescue! Burp suits has a user-friendly windowed interface and it is super easy to use. Neither source code access nor development skills are needed.

Originally published at www.thedroidsonroids.com on December 6, 2017.