I was listening to a recent episode of Critical Thinking - Bug Bounty Podcast (Ep. 6) and the technique of using adb reverse to port forward across adb for traffic inspection came up. It’s a pretty nice way to stabilize and simplify your setup when inspecting traffic from an Android device through Burp Suite (or similar), so I want to do a quick write-up on it. It also feels like a good time to consolidate some of my device setup notes since I’ve noticed that all of that parts and pieces of getting a modern (Android 13) device with a version of Chrome >= 99 setup to inspect traffic through Burp Suite are a bit scattered. Hopefully putting things all in one place helps jump start other people getting their devices ready for pen testing and bug bounty research!

Quick Tip

If you already have an Android device setup with Burp Suite inspecting traffic over Wi-Fi, the quick tip is that you can remove Wi-Fi from the process entirely! Using adb reverse lets you avoid having to update your manual proxy settings to ensure that the IP of your Burp instance is up-to-date when DHCP is in play. Additionally, you don’t have to worry about your devices being on the same Wi-Fi networks as the device’s network traffic will route through adb over the USB cable.

The general syntax is:

adb reverse [--no-rebind] REMOTE LOCAL

and so a common use case would be:

adb reverse tcp:8080 tcp:8080

This will make it so that with a manual proxy of on your Android device, the traffic will proxy nicely through a default configuration of Burp Suite since it binds to on your computer. You can of course change the ports as needed for your setup1, but adb reverse tcp:8080 tcp:8080 works great for simple setups.

HOWTO - The Full Setup

If you don’t already have your Android device setup to proxy through Burp Suite, this part is for you! Having just gone through setting up a new device (a Pixel 7 running Android 13) these consolidated steps work great for me, and should be fairly generic for other devices running newer versions of Android as well.

Some pre-requisites to note:

  • A functional adb setup
    • XDA has a pretty good write up if you need some help
  • USB debugging is enabled and your device is rooted
    • I’m assuming you’ll have used Magisk or something similar. The process can vary between devices, you’ll have to figure out what works for your device. This guide worked well for a Pixel 7.

Configure Proxy Settings

  1. Navigate to Settings -> Network & internet -> Internet

  2. Tap your current access point name (APN), then edit the connection and tap the Advacned options drop-down.

  3. Change the Proxy setting to Manual, and set:
    Proxy hostname:
    Proxy port: 8080
  4. Then tap Save.

Download the Burp CA file

  1. Connect your phone to your computer, and fire up Burp Suite. Make sure Burp Intercept is off in the Proxy -> Intercept tab. Then flip to the Proxy -> HTTP History tab so you can see incoming requests.

  2. From your computer, start the adb port forwarding:
    adb reverse tcp:8080 tcp:8080
  3. On your device, in Chrome navigate to http://burp

  4. In the top right, click on CA Certificate. You should now have a cacert.der file in your Downloads folder.

  5. Transfer the CA cert over to your computer with:
    adb pull /storage/emulated/0/Download/cacert.der ./

Convert Burp CA from DER to PEM

This step converts the downloaded Burp CA cert to the correct format needed to install the CA as a system cert. 2

openssl x509 -inform DER -in cacert.der -out cacert.pem
export BURP_HASH=$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1)
mv cacert.pem $BURP_HASH.0

Install the Burp CA certificate

This assumes your device is already rooted, and takes advantage of Magisk modules.3

adb push $BURP_HASH.0 /sdcard/
adb shell su -c mkdir -p /data/adb/modules/writable_system/system/etc/security/cacerts
adb shell su -c cp /sdcard/$BURP_HASH.0 /data/adb/modules/writable_system/system/etc/security/cacerts/
adb shell su -c chmod 644 /data/adb/modules/writable_system/system/etc/security/cacerts/$BURP_HASH.0

The above helps workaround some pretty common errors on newer versions of Android when it comes to attempting to make the file system writable. For example:

  • adb root: adbd cannot run as root in production builds
  • adb remount: /system/bin/sh: remount: inaccessible or not found
  • mount -o rw,remount /system: mount: ‘/system’ not in /proc/mounts
  • mount -o rw,remount /: ‘/dev/block/dm-7’ is read-only

Workaround Certificate Transparency checks in Chrome

Certificate transparency is enforced in Chrome for Android starting with Chrome 99. While generally a good thing for security, this prevents Chrome from loading pages proxied through Burp Suite, so a workaround is needed. 456

export SPKI_SIGNATURE=$(openssl x509 -inform der -in cacert.der -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64)

# Replace with your generated SPKI in step 1
FLAGS="chrome --ignore-certificate-errors-spki-list=$SPKI_SIGNATURE"

# Create the flag files
echo "${FLAGS}" | adb shell su -c tee /data/local/chrome-command-line /data/local/android-webview-command-line /data/local/webview-command-line /data/local/content-shell-command-line /data/local/tmp/chrome-command-line /data/local/tmp/android-webview-command-line /data/local/tmp/webview-command-line /data/local/tmp/content-shell-command-line

# Set permissions on flag files
echo 'chmod 555 /data/local/*-command-line /data/local/tmp/*-command-line' | adb shell su

Configure Chrome to use command line flags

adb shell settings put global adb_enabled 1
adb shell su -c settings put global debug_app

Restart Chrome

adb shell am force-stop
adb shell am start -n

Test it out!

Open up Chrome and visit your favorite website. You should see the traffic successfully intercepted by Burp in Proxy -> HTTP history!