# Burp + Genymotion — Intercepting Android App Traffic
**Guide & write-up by:** ChatGPT (your guide)
> This article explains how to configure Burp Suite and a Genymotion virtual device so you can intercept Android app traffic. It includes step-by-step commands, a user vs system certificate explanation, and troubleshooting notes.
---
## Quick TL;DR
1. Start Burp and add a proxy listener on **8080** (listen on all interfaces).
2. Export Burp’s CA certificate in **DER** format (`burp_cert.der`).
3. Point the Genymotion device’s global proxy to **10.0.3.2:8080** (VirtualBox host loopback).
4. Install the Burp CA on the virtual device (user install), or push it into `/system/etc/security/cacerts/` (system install) if the image is rooted.
5. Test by browsing from the device and watching Burp’s Proxy → HTTP history.
---
## Background / Why this works
* Genymotion (Desktop) uses VirtualBox networking by default and exposes the host loopback as `10.0.3.2` inside the guest. That lets the VM reach services bound to `localhost` on the host.
* Burp generates a local CA which must be trusted by the Android device to intercept HTTPS traffic. Installing the CA as a *user* certificate will enable interception for many apps, but some apps (or apps using Android Network Security Config) will ignore user CAs — in that case a *system* CA is needed (requires a writable `/system` and root).
---
## Step-by-step (copy-paste friendly)
### 1) Configure Burp
1. Open **Proxy → Options → Proxy Listeners**. Add or edit a listener on **Port 8080** and bind it to **All interfaces** (or at minimum `127.0.0.1` if you plan to use `adb reverse`).
2. Export the Burp CA: **Proxy → Options → Import / export CA certificate → Export → Certificate in DER format** → save `burp_cert.der`.
### 2) Make the host reachable from Genymotion
* For Genymotion Desktop (VirtualBox): use `10.0.3.2` as the host address from inside the VM. Therefore, if Burp listens on `*:8080`, the device can reach it at `10.0.3.2:8080`.
### 3) Set the Android global proxy (adb)
Run the following on your host (with the device connected via ADB):
```bash
adb devices # confirm device is connected
adb shell settings put global http_proxy 10.0.3.2:8080
# verify
adb shell settings get global http_proxy
```
To remove the proxy later:
```bash
adb shell settings put global http_proxy :0
# or
adb shell settings delete global http_proxy
adb shell settings delete global global_http_proxy_host
adb shell settings delete global global_http_proxy_port
```
> If you are using a QEMU-backed VM (not VirtualBox), use `adb reverse` instead: set the device proxy to `localhost:3333` and run `adb reverse tcp:3333 tcp:8080` on the host.
### 4) Install Burp’s CA certificate on the virtual device
**Option A — User install (no root needed)**
1. Drag-and-drop `burp_cert.der` into the Genymotion window or push it into `/sdcard/Download/`:
```bash
adb push burp_cert.der /sdcard/Download/
```
2. On the virtual device: **Settings → Security → Install from storage** (or `Install certificates`) → choose `burp_cert.der` and install.
**Limitations:** On newer Android versions, and in apps that use Network Security Configuration, user-installed CAs may be ignored. If the app still refuses to trust the Burp CA, proceed to a system install.
**Option B — System install (requires root & remount of /system)**
1. Get the subject hash and rename the cert to `<hash>.0`:
```bash
openssl x509 -inform DER -in burp_cert.der -subject_hash_old -noout
# Example output: 9a5ba575
mv burp_cert.der 9a5ba575.0
```
2. Push to system CA folder and set permissions (Genymotion images are often rootable):
```bash
adb root
adb remount
adb push 9a5ba575.0 /system/etc/security/cacerts/9a5ba575.0
adb shell "chmod 644 /system/etc/security/cacerts/9a5ba575.0"
adb reboot
```
After reboot the certificate should appear in the **Trusted credentials → System** list and be trusted by apps that accept system CAs.
> Note: On some modern Android releases it is intentionally harder or impossible to programmatically convert a user certificate into a system trusted root without unlocking or otherwise modifying the image. Use a rooted emulator image where possible for reliable system installs.
### 5) Test
* Open the Genymotion browser and visit `http://example.com` and `https://example.com`. Watch Burp’s **Proxy → HTTP history** — requests should appear.
* Visit `http://burp` from the device to confirm Burp’s interstitial page if available.
---
## Troubleshooting & common gotchas
* **No traffic shows in Burp:**
  * Ensure Burp listener is running and your OS firewall allows incoming connections to the listener port.
  * Confirm the device proxy with `adb shell settings get global http_proxy`.
  * If using `adb reverse`, ensure the reverse mapping exists (`adb reverse --list`).
* **HTTPS still errors / app refuses connection:**
  * If you installed the CA as a *user* certificate but the app ignores it (common for apps targeting newer Android APIs or using Network Security Config), install the CA as a system certificate on a rooted image.
  * Some apps use certificate pinning — Burp alone won’t bypass pinning. You’ll need to instrument the app (e.g., Frida), patch the APK, or use a debug build.
* **`adb root` fails:**
  * Not all images are rootable. Use a rooted Genymotion image or use the user certificate method and app-specific workarounds.
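
To tell apart the two HTTPS failure causes above (user CA ignored versus pinning), you can read the app's Network Security Config directly. The following is an added example, not part of the original guide or of Burp/Genymotion tooling: `triage_nsc`, its verdict strings and the sample config are constructed for illustration. It applies the documented platform default that user CAs are trusted only when the app targets API 23 or lower.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (illustrative only, not taken from any real app).
SAMPLE_NSC = """<network-security-config>
  <base-config><trust-anchors><certificates src="system"/></trust-anchors></base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.test</domain>
    <pin-set><pin digest="SHA-256">PLACEHOLDER_PIN_BASE64=</pin></pin-set>
  </domain-config>
  <debug-overrides><trust-anchors><certificates src="user"/></trust-anchors></debug-overrides>
</network-security-config>"""

def _anchors(section, default="false"):
    """Map each <certificates src> to its overridePins flag; None if undeclared."""
    ta = section.find("trust-anchors") if section is not None else None
    if ta is None:
        return None
    return {c.get("src"): c.get("overridePins", default) == "true" for c in ta.findall("certificates")}

def triage_nsc(xml_text, target_sdk, debuggable=False):
    """Return {domain or '*': verdict} describing which CA install the app honours."""
    root = ET.fromstring(xml_text)
    # Platform default when no anchors are declared: user CAs only below API 24.
    platform_default = {"system": False} if target_sdk >= 24 else {"system": False, "user": False}
    base = _anchors(root.find("base-config"))
    base = platform_default if base is None else base
    # <debug-overrides> applies only to debuggable builds; overridePins defaults to true there.
    debug = (_anchors(root.find("debug-overrides"), "true") or {}) if debuggable else {}
    def verdict(anchors, pinned):
        merged = dict(anchors)
        for src, override in debug.items():
            merged[src] = merged.get(src, False) or override
        for store in ("user", "system"):
            if store in merged and (not pinned or merged[store]):
                return store + "-ca"  # installing the proxy CA in this store is enough
        # Either pins are still enforced, or only app-bundled (@raw/...) anchors are trusted.
        return "pinned" if merged.keys() & {"user", "system"} else "bundled-ca-only"
    result = {"*": verdict(base, False)}

    def walk(node, anchors, pinned):
        for dc in node.findall("domain-config"):
            own = _anchors(dc)
            dc_anchors = anchors if own is None else own  # unset values inherit from the parent
            pins = dc.find("pin-set")                     # expiration attribute is not evaluated
            dc_pinned = pinned if pins is None else pins.find("pin") is not None
            for dom in dc.findall("domain"):
                result[dom.text.strip()] = verdict(dc_anchors, dc_pinned)
            walk(dc, dc_anchors, dc_pinned)
    walk(root, base, False)
    return result
```

A `user-ca` verdict corresponds to Option A, `system-ca` to Option B, and `pinned` to the pinning case in the list above. Only pins declared in the Network Security Config are visible here; pinning implemented in app code is not.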
---
## Security & ethics reminder
Intercepting network traffic should only be performed on devices and apps you own or have explicit permission to test. Do not intercept or tamper with other people’s traffic without consent.
---
## References & further reading
* Genymotion: *How to access a local host or service from a virtual device* — explains `10.0.3.2` host loopback.
* Genymotion blog: *Use Burp Suite with Genymotion Desktop* — step-by-step with drag-and-drop cert install.
* PortSwigger (Burp) docs: *Configuring an Android device to work with Burp Suite* — exporting Burp CA and other details.
* Android Developers: *Network security configuration* — how apps can restrict trusted CAs.
* Community reports & Q&A on converting user certs to system certs (notes on modern Android restrictions).