Burp Suite can intercept mobile app traffic, but it’s not a simple proxy setup; it requires configuring both the Burp Suite listener and the mobile device’s network settings to route traffic through Burp.
Here’s how to set it up and see it in action:
First, start Burp Suite and configure its proxy listener. Go to the "Proxy" tab, then the "Options" sub-tab. You’ll see a list of proxy listeners. If there isn’t one already, click "Add." The default settings are usually fine: choose "All interfaces" for the binding address and 8080 for the port. This tells Burp to listen for incoming connections on all available network interfaces on your computer, on port 8080.
Next, you need to tell your mobile device to send its traffic to Burp. This is done by configuring the device’s Wi-Fi proxy settings. Connect your mobile device to the same Wi-Fi network as your computer running Burp Suite. On your Android device, go to Wi-Fi settings, long-press your connected network, and select "Modify network." Under "Advanced options," find "Proxy" and change it from "None" to "Manual." For the "Proxy hostname," enter the IP address of your computer running Burp Suite. You can find this by typing ipconfig (on Windows) or ifconfig (on macOS/Linux) in your terminal. For the "Proxy port," enter 8080, matching what you set in Burp. On iOS, go to Settings > Wi-Fi, tap the "i" icon next to your connected network, scroll down to "HTTP PROXY," and select "Manual." Enter your computer’s IP address for the server and 8080 for the port.
Now, to decrypt HTTPS traffic, you need to install Burp’s CA certificate on your mobile device. In Burp Suite, go to the "Proxy" tab, then the "Intercept is off" sub-tab. Click the "Import / export CA certificate" button. Select "Certificate in DER format" and click "Save." This will save cacert.der. You need to transfer this file to your mobile device. For Android, you can email it to yourself or use a cloud storage service. Once on your device, open the file. Android will prompt you to install it as a Wi-Fi certificate. You might need to set a screen lock (PIN, pattern, or password) if you don’t already have one. For iOS, you’ll typically need to email the certificate to yourself, open the email on your device, tap the attachment, and follow the prompts to install it. You’ll then need to go to Settings > General > About > Certificate Trust Settings and enable trust for the Burp Suite CA certificate.
With the proxy configured and the certificate installed, you can start intercepting. On your mobile device, open the app you want to test. Go back to Burp Suite and ensure "Intercept is on" in the "Proxy" > "Intercept" tab. Make a request within the mobile app (e.g., load a screen, perform an action). The request should appear in Burp Suite’s "Intercept" tab. You can then view, modify, and forward the request, or simply click "Forward" to let it pass through to the server.
Here’s a sample of what traffic might look like in Burp’s Proxy History tab after you’ve made a request in your app:
GET /api/users/profile HTTP/1.1
Host: api.example.com
User-Agent: MyApp/1.2.3 (Android; 30)
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Accept: application/json
This shows a GET request to api.example.com/api/users/profile, including headers like User-Agent identifying the app and Authorization for authentication.
The crucial part of intercepting mobile app traffic, especially for HTTPS, is the certificate installation. Without it, your device will show security warnings, and Burp won’t be able to decrypt the encrypted payloads. The whole setup depends on the trust relationship created by installing Burp’s CA certificate: because the device now trusts that CA, the TLS handshake completes normally and Burp can act as a "man-in-the-middle" for inspection purposes without triggering the certificate warnings the app or device would otherwise raise.
The next hurdle you’ll likely encounter is applications that employ SSL pinning, which actively prevents interception by verifying the server’s certificate against a known, hardcoded certificate within the app itself.
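As an added example, not part of the original article, the Android network security configuration below shows both sides of this: a debug-only block that makes an app trust user-installed CAs such as Burp’s (on Android 7 and later, apps trust only system CAs by default, so the certificate step above only takes effect for apps that opt in like this or are otherwise debuggable), and a release block that pins api.example.com to its server public key hashes, which is the pinning the last paragraph describes. The host is the one from the sample request; the pin values and file name are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Saved as res/xml/network_security_config.xml (placeholder name) and referenced from
     AndroidManifest.xml with android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Debug builds only (android:debuggable="true"): honor CAs the user installed via
         Settings, so a Burp CA added as in the steps above is accepted for HTTPS. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!-- Release behavior: only system CAs are trusted (the Android 7+ default), and the API
         host is additionally pinned to its SPKI SHA-256 hashes. A user-installed Burp CA is
         ignored here, which is exactly why interception stops working against pinned apps. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
        <!-- expiration makes pinning lapse rather than brick the app if a key rotation is missed -->
        <pin-set expiration="2026-12-31">
            <!-- Base64 SHA-256 of the leaf or intermediate SubjectPublicKeyInfo; placeholder values -->
            <pin digest="SHA-256">PRIMARY_SPKI_HASH_PLACEHOLDER_AAAAAAAAAAAAAAAAAA=</pin>
            <!-- A backup pin for a key held offline is required so rotation does not lock users out -->
            <pin digest="SHA-256">BACKUP_SPKI_HASH_PLACEHOLDER_BBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

</network-security-config>
```

With this in place, the Burp CA installed through the device settings works only for debuggable builds of the app, and the release build rejects any certificate whose chain does not contain one of the pinned keys.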