Using adb reverse to intercept Android traffic with Burp
Intro
I was listening to a recent episode of Critical Thinking - Bug Bounty Podcast (Ep. 6) and the technique of using adb reverse to port forward across adb for traffic inspection came up.
It’s a pretty nice way to stabilize and simplify your setup when inspecting traffic from an Android device through Burp Suite (or similar), so I want to do a quick write-up on it.
It also feels like a good time to consolidate some of my device setup notes, since I've noticed that all of the parts and pieces of getting a modern (Android 13) device with Chrome >= 99 set up to inspect traffic through Burp Suite are a bit scattered. Hopefully putting everything in one place helps jump-start other people getting their devices ready for pen testing and bug bounty research!
Quick Tip
If you already have an Android device set up with Burp Suite inspecting traffic over Wi-Fi, the quick tip is that you can take the Wi-Fi network out of the equation. With adb reverse the device's proxy target is always 127.0.0.1, so you no longer have to update the manual proxy settings whenever DHCP hands your Burp host a new IP, and the phone and computer don't need to be on the same Wi-Fi network, because the proxied traffic rides through adb over the USB cable. One caveat: Android's manual proxy setting belongs to a particular Wi-Fi network, so it only applies while you're connected to that network; if you need it to cover every connection (mobile data included), Android's global http_proxy setting is the alternative.
The general syntax is:
adb reverse [--no-rebind] REMOTE LOCAL
where REMOTE is the socket on the device and LOCAL is the socket on your computer, so a common use case would be:
adb reverse tcp:8080 tcp:8080
With a manual proxy of 127.0.0.1:8080 configured on your Android device, anything the device sends to its own port 8080 is tunnelled over adb to 127.0.0.1:8080 on your computer, which is exactly where a default configuration of Burp Suite listens. You can of course change the ports as needed for your setup [1], but adb reverse tcp:8080 tcp:8080 works great for simple setups. The mapping lives in adbd on the device and does not survive a reboot, so if the phone suddenly stops reaching Burp, re-run the command.
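Here's an added example, not code from the original post, that wraps the quick tip in a small preflight script: it checks that something is actually listening on 127.0.0.1:8080 locally before creating the tunnel (the usual reason the phone sees "connection refused" is Burp not running or bound to a different interface), runs adb reverse, and then parses adb reverse --list to confirm the mapping exists. The sample listing is constructed, and the parser only uses the last two tokens of each line because the leading transport name is assumed to vary between adb versions.

```python
"""Preflight for proxying an Android device through Burp over adb reverse.

Added example, not the post's own code. Assumes Burp's proxy listener is on
127.0.0.1:8080 and that `adb` is on PATH; the constructed SAMPLE_LISTING is
only there to exercise the parser offline.
"""
import socket
import subprocess

LOCAL_HOST = "127.0.0.1"
BURP_PORT = 8080


def is_listening(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port succeeds (i.e. Burp is up and bound there)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_reverse_list(output: str) -> dict:
    """Parse `adb reverse --list` output into {device_spec: host_spec}.

    Lines look like "<transport> tcp:8080 tcp:8080"; the transport name is
    assumed to differ between adb versions, so only the last two tokens count.
    """
    mapping = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            mapping[parts[-2]] = parts[-1]
    return mapping


def reverse_is_active(listing: str, port: int = BURP_PORT) -> bool:
    """True if device port `port` is mapped to the same port on the host."""
    return parse_reverse_list(listing).get(f"tcp:{port}") == f"tcp:{port}"


def ensure_reverse(port: int = BURP_PORT) -> bool:
    """Refuse to proceed unless Burp is listening, then create and verify the tunnel."""
    if not is_listening(LOCAL_HOST, port):
        raise SystemExit(f"nothing listening on {LOCAL_HOST}:{port}; start Burp (or fix its listener) first")
    subprocess.run(["adb", "reverse", f"tcp:{port}", f"tcp:{port}"], check=True)
    listing = subprocess.run(["adb", "reverse", "--list"], check=True,
                             capture_output=True, text=True).stdout
    return reverse_is_active(listing, port)


# Constructed sample of what `adb reverse --list` prints (transport name assumed).
SAMPLE_LISTING = "host-1 tcp:8080 tcp:8080\nhost-1 tcp:9090 tcp:9091\n"

if __name__ == "__main__":
    print("reverse tunnel to Burp active:", ensure_reverse())
```

Run it after starting Burp and plugging the phone in; a False result with no exception means adb accepted the command but the listing doesn't show the expected mapping, which is worth investigating before touching the device's proxy settings.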
HOWTO - The Full Setup
If you don't already have your Android device set up to proxy through Burp Suite, this part is for you! Having just gone through setting up a new device (a Pixel 7 running Android 13), these consolidated steps worked great for me, and they should be fairly generic for other devices running newer versions of Android as well.
Some prerequisites to note:
- A functional adb setup (XDA has a pretty good write-up if you need some help)
- USB debugging enabled and a rooted device. I'm assuming you'll have used Magisk or something similar; the process can vary between devices, so you'll have to figure out what works for yours. This guide worked well for a Pixel 7.
Configure Proxy Settings
- Navigate to Settings -> Network & internet -> Internet
- Tap the Wi-Fi network you're connected to, edit the connection, and expand the Advanced options drop-down.
- Change the Proxy setting to Manual, and set: Proxy hostname: 127.0.0.1, Proxy port: 8080
- Then tap Save.
Download the Burp CA file
- Connect your phone to your computer, and fire up Burp Suite. Make sure Burp Intercept is off in the Proxy -> Intercept tab. Then flip to the Proxy -> HTTP History tab so you can see incoming requests.
- From your computer, start the adb port forwarding:
adb reverse tcp:8080 tcp:8080
- On your device, in Chrome navigate to http://burp (Burp serves this page itself when the request arrives through its proxy listener, so this also confirms the tunnel is working).
- In the top right, click on CA Certificate. You should now have a cacert.der file in your Downloads folder.
- Transfer the CA cert over to your computer with:
adb pull /storage/emulated/0/Download/cacert.der ./
Convert Burp CA from DER to PEM
This step converts the downloaded Burp CA cert from DER to PEM and renames it to the filename Android expects in the system cert store: OpenSSL's "old" subject hash (derived from an MD5 of the DER-encoded subject) followed by .0. [2]
openssl x509 -inform DER -in cacert.der -out cacert.pem
export BURP_HASH=$(openssl x509 -inform PEM -subject_hash_old -noout -in cacert.pem)
mv cacert.pem $BURP_HASH.0
Install the Burp CA certificate
This assumes your device is already rooted, and takes advantage of Magisk's module system: anything placed under a module's system/ directory is overlaid onto /system at boot, so the certificate ends up in /system/etc/security/cacerts without ever remounting the partition. [3]
adb push $BURP_HASH.0 /sdcard/
adb shell "su -c 'mkdir -p /data/adb/modules/writable_system/system/etc/security/cacerts'"
adb shell "su -c 'cp /sdcard/$BURP_HASH.0 /data/adb/modules/writable_system/system/etc/security/cacerts/'"
adb shell "su -c 'chmod 644 /data/adb/modules/writable_system/system/etc/security/cacerts/$BURP_HASH.0'"
The Magisk-module route sidesteps some pretty common errors on newer versions of Android when you try to make the system partition writable directly, for example:
- adb root: adbd cannot run as root in production builds
- adb remount: /system/bin/sh: remount: inaccessible or not found
- mount -o rw,remount /system: mount: '/system' not in /proc/mounts
- mount -o rw,remount /: '/dev/block/dm-7' is read-only
Magisk applies module overlays at boot, so reboot the device after copying the certificate, then confirm that /system/etc/security/cacerts/$BURP_HASH.0 exists on the device before moving on.
Workaround Certificate Transparency checks in Chrome
Certificate transparency is enforced in Chrome for Android starting with Chrome 99. While generally a good thing for security, it means Chrome refuses to load pages served through Burp Suite, since the certificates Burp mints on the fly carry no SCTs, so a workaround is needed: Chrome's --ignore-certificate-errors-spki-list flag makes it ignore certificate errors for any chain that contains the listed SPKI hash, in this case the hash of Burp's CA public key. [4][5][6]
export SPKI_SIGNATURE=$(openssl x509 -inform der -in cacert.der -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64)
# The first word of a Chrome command-line file is the program name and is ignored; the flags follow it
FLAGS="chrome --ignore-certificate-errors-spki-list=$SPKI_SIGNATURE"
# Create the flag files in both the /data/local and /data/local/tmp locations, for Chrome and WebView
echo "${FLAGS}" | adb shell "su -c 'tee /data/local/chrome-command-line /data/local/android-webview-command-line /data/local/webview-command-line /data/local/content-shell-command-line /data/local/tmp/chrome-command-line /data/local/tmp/android-webview-command-line /data/local/tmp/webview-command-line /data/local/tmp/content-shell-command-line'"
# Set permissions on flag files
echo 'chmod 555 /data/local/*-command-line /data/local/tmp/*-command-line' | adb shell su
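The openssl pipelines in the two steps above (the -subject_hash_old rename and the SPKI fingerprint) can feel like magic, so here is an added example, not code from the post, that computes the same two outputs from the raw DER certificate with only the Python standard library: the <hash>.0 filename Android expects in cacerts, and the base64 SHA-256 SPKI value that goes into --ignore-certificate-errors-spki-list. It walks the X.509 structure just far enough to pull out the subject Name and SubjectPublicKeyInfo. The SAMPLE_* values are a constructed, unsigned certificate skeleton so the script runs offline; pass the path to the real cacert.der to get the values for your Burp instance.

```python
"""Derive the cacerts filename and Chrome SPKI pin from a DER certificate.

Added example (not the post's code), standard library only. Assumes the usual
X.509 layout: Certificate -> tbsCertificate -> [version] serial sigAlg issuer
validity subject subjectPublicKeyInfo ...
"""
import base64
import hashlib
import sys

OID_CN = bytes.fromhex("550403")                      # id-at-commonName
OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
OID_SHA256RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption


def der_read(buf: bytes, pos: int = 0) -> tuple:
    """Header of the DER TLV at pos: (tag, header_len, content_len)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, 2, first


def der_children(seq: bytes) -> list:
    """Split a DER SEQUENCE into its top-level elements, headers included."""
    tag, hdr, length = der_read(seq)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    body, pos, out = seq[hdr:hdr + length], 0, []
    while pos < len(body):
        _, h, l = der_read(body, pos)
        out.append(body[pos:pos + h + l])
        pos += h + l
    return out


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; lengths up to 65535 are enough for the sample."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def subject_and_spki(cert_der: bytes) -> tuple:
    """(subject Name DER, SubjectPublicKeyInfo DER) of a DER certificate."""
    fields = der_children(der_children(cert_der)[0])  # tbsCertificate fields
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version (absent in v1 certs)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4], fields[5]


def subject_hash_old(subject_der: bytes) -> str:
    """OpenSSL -subject_hash_old: first 4 bytes of MD5(DER Name), little-endian."""
    md = hashlib.md5(subject_der).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


def spki_pin(spki_der: bytes) -> str:
    """base64(SHA-256(SubjectPublicKeyInfo)), the value Chrome's flag expects."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def burp_artifacts(cert_der: bytes) -> dict:
    """cacerts filename, SPKI pin and the Chrome command-line file contents."""
    subject, spki = subject_and_spki(cert_der)
    pin = spki_pin(spki)
    return {"cacert_filename": subject_hash_old(subject) + ".0",
            "spki_pin": pin,
            "chrome_command_line": "chrome --ignore-certificate-errors-spki-list=" + pin}


# Constructed sample: a structurally valid but unsigned, self-issued v3 skeleton
# with a dummy RSA key, so the script runs without a real cacert.der.
SAMPLE_SUBJECT = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, OID_CN) + der_tlv(0x0C, b"Example Burp CA"))))
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, OID_RSA) + der_tlv(0x05, b"")) + der_tlv(0x03, b"\x00" + b"\x01" * 32))
SAMPLE_CERT = der_tlv(0x30,
    der_tlv(0x30,
        der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")        # version v3, serialNumber
        + der_tlv(0x30, der_tlv(0x06, OID_SHA256RSA)) + SAMPLE_SUBJECT         # signature, issuer
        + der_tlv(0x30, der_tlv(0x17, b"230101000000Z") + der_tlv(0x17, b"330101000000Z"))  # validity
        + SAMPLE_SUBJECT + SAMPLE_SPKI)                                        # subject, subjectPublicKeyInfo
    + der_tlv(0x30, der_tlv(0x06, OID_SHA256RSA)) + der_tlv(0x03, b"\x00" * 9))  # signatureAlgorithm, placeholder signature

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            cert = f.read()
    else:
        cert = SAMPLE_CERT
    for key, value in burp_artifacts(cert).items():
        print(f"{key}: {value}")
```

The filename hash is OpenSSL's old-style subject hash (MD5 of the DER Name, first four bytes read little-endian), which is what Android's system store keys on; the newer -subject_hash (SHA-1 based) gives a different name that Android will not pick up, which is the most common reason a "correctly" installed CA never shows up as trusted.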
Configure Chrome to use command line flags
A release build of Chrome only reads the command-line file on a debuggable build, or on a production device when the global debug_app setting names Chrome's package and ADB debugging is enabled, which is what these two settings arrange:
adb shell settings put global adb_enabled 1
adb shell "su -c 'settings put global debug_app com.android.chrome'"
Restart Chrome
adb shell am force-stop com.android.chrome
adb shell am start -n com.android.chrome/com.google.android.apps.chrome.Main
Test it out!
Open up Chrome and visit your favorite website. You should see the traffic successfully intercepted by Burp in Proxy -> HTTP history!