In association with heise online

08 August 2012, 12:36

New Burp Proxy cracks Android SSL

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Android icon The new version of Burp Proxy is designed to improve the analysis of encrypted SSL connections on Android phones. Developers and security researchers like to use Burp Proxy to examine the web traffic on PCs, and lately also on smartphones. For example, The H's associates at heise Security recently used Burp to analyse the activities of various smartphone apps for c't magazine.

To analyse web traffic, the Burp server is entered as a proxy for HTTP and HTTPS connections on the device, and a self-signed CA certificate is installed. This CA certificate allows Burp Proxy to generate on-the-fly certificates in order to imitate an HTTPS server and act as a man-in-the-middle.

Burp Diagram
Zoom Encrypted data traffic can be analysed by posing as a man-in-the-middle

However, the problem on Android phones was that these devices initially retrieved the target server's address via DNS and then used the Proxy to access it directly using CONNECT. As Burp didn't know the server name for which to generate a certificate, it used the server's IP address as a common name, causing error messages or even aborted connections on the smartphone. The new version 1.4.12 initially establishes an SSL connection to the target server and then does its best to imitate the server's certificate. Burp Proxy is part of PortSwigger's Burp Suite.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit