Man-in-the-Middle on Android

I’m trying to Man-in-the-Middle an Android application and have the following issue/question:

Currently, I’m using Burp and I’ve added the certificate as described here:

However, this did not enable me to browse HTTPS websites with Firefox, nor any other browser without getting a warning. I then went ahead and converted the certificate and added it in the phone’s system certificate folder. Now, it shows up as a system certificate and not as a user certificate, but I’m still unable to browse HTTPS sites. Does the Burp certificate count as a self-signed certificate?

Also, I’m trying to MITM an application and decrypt the network requests. I’ve done so in the past and Burp along with the certificate being installed as a user certificate did the trick. However, this time I’m not seeing any kind of traffic in Burp, but I do see traffic in Wireshark connecting to port 443.

I’m fairly certain that this cannot be certificate pinning getting in the way, because in the application I pass the certificate pinning test. So now, I’m really curious as to how I should set up Burp and what to expect…

I would be grateful for any kind of information regarding this issue…

There should be at least two certificates in play here: one for the CA, and one for the endpoint you’re connecting to, signed by the CA. I’m not sure on the exact steps for this in Android, but once you’ve added the CA as an “authority”, then you should be able to use any certificates signed by it without getting that error.

It sounds like whatever application you’re using isn’t configured to pass traffic through the proxy also, or maybe it’s just refusing because of the certificate errors.

Here are some steps on how to do this all manually with openssl if that helps.


Firefox requires setting security.enterprise_roots.enabled to true in about:config to use custom certificate authorities - even if they’ve been imported into the system’s certificates. Unfortunately, they’ve disabled access to about:config in the Android version. I recall trying some workaround for this at some point, but it didn’t work. I would definitely like to know how to do this as well if it is possible.


I was able to add Burp’s certificate to Android’s system store by extracting it in DER format from Burp and then converting it to a PEM file. Then, I had to rename it according to Android’s specification and copy it into the appropriate folder by executing the following steps (root privileges on the device are assumed):

# On the workstation: convert Burp's DER export to PEM and compute the file name Android expects (old-style subject hash)
openssl x509 -inform der -in burpsuite.der -out burpsuite.pem
openssl x509 -inform PEM -subject_hash_old -in burpsuite.pem | head -1
# Rename burpsuite.pem to <hash>.0 (the value printed above) and push it to the phone's /sdcard

# On the rooted phone (adb shell, then su): remount /system writable and install the CA
mount -o rw,remount,rw /system
mv /sdcard/<hash>.0 /system/etc/security/cacerts/
chown root:root /system/etc/security/cacerts/<hash>.0
chmod 644 /system/etc/security/cacerts/<hash>.0
mount -o ro,remount,ro /system
reboot

Now I am able to browse HTTPS websites with Chrome without a certificate-related error. However, Firefox seems to use its own certificate store and Google Play apparently makes use of SSL pinning.

Oddly enough, I still didn’t see the application’s traffic and it still passed the certificate pinning test. As a result, I decided to experiment with a different testing setup. Usually, I change the phone’s WiFi setting and use a proxy to a machine in my network that’s running Burp. But this time, I used a Kali VM which has a WiFi dongle attached and I’m forwarding HTTP (port 80) and HTTPS (443) to the remote machine’s IP and selected ports like so:

# Redirect HTTP and HTTPS arriving on the dongle (wlan0) to the Burp listener at <IP>:<PORT>
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j DNAT --to-destination <IP>:<PORT>
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j DNAT --to-destination <IP>:<PORT>

Now, when I test the application I still don’t see any traffic but that’s because SSL pinning and therefore the certificate validation fails, which is not shown in Burp.
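The `<hash>` in the file name above is OpenSSL's old-style subject hash. As an added example that is not part of this thread, the following Python reimplements that computation with a minimal DER parser, so you can cross-check what `openssl x509 -subject_hash_old` printed for `burpsuite.der`; the demo certificate is constructed and unsigned, with the placeholder subject `CN=Demo CA`.

```python
import hashlib

def der(tag, body):
    """Encode one DER TLV (short and two-byte long-form lengths suffice here)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body

def tlv(buf, pos):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_der(cert_der):
    """Raw DER of the subject Name from an X.509 certificate in DER form (as exported by Burp)."""
    _, pos, _ = tlv(cert_der, 0)                        # Certificate SEQUENCE
    _, pos, _ = tlv(cert_der, pos)                      # TBSCertificate SEQUENCE
    fields = []                                         # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = tlv(cert_der, pos)
        if tag == 0xA0 and not fields:                  # optional explicit [0] version, skip it
            pos = end
            continue
        fields.append(cert_der[pos:end])
        pos = end
    return fields[4]

def subject_hash_old(name_der):
    """What `openssl x509 -subject_hash_old` prints: MD5 over the DER-encoded Name,
    its first four bytes read as a little-endian uint32, printed as eight hex digits."""
    return "%08x" % int.from_bytes(hashlib.md5(name_der).digest()[:4], "little")

def android_cacert_filename(cert_der):
    """File name the CA must have under /system/etc/security/cacerts/."""
    return subject_hash_old(subject_der(cert_der)) + ".0"

# Constructed demo input: a structurally valid but unsigned certificate skeleton with
# subject CN=Demo CA (a placeholder, not Burp's real CA), so the script runs offline.
DEMO_SUBJECT = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Demo CA"))))

def build_demo_cert(with_version=True):
    version = der(0xA0, der(0x02, b"\x02")) if with_version else b""
    tbs = der(0x30, version + der(0x02, b"\x01")                        # serialNumber
              + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
              + DEMO_SUBJECT                                            # issuer (self-signed)
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
              + DEMO_SUBJECT + der(0x30, b""))                          # subject, empty SPKI placeholder
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

For a real export, `android_cacert_filename(open("burpsuite.der", "rb").read())` should print the same value as the `openssl ... | head -1` line above.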

Yeah, I stumbled over that one as well. That’s just stupid in my opinion…