New Burp Proxy cracks Android SSL

The new version of Burp Proxy is designed to improve the analysis of encrypted SSL connections on Android phones. Developers and security researchers like to use Burp Proxy to examine the web traffic on PCs, and lately also on smartphones. For example, The H’s associates at heise Security recently used Burp to analyse the activities of various smartphone apps for c’t magazine.

To analyse web traffic, the Burp server is entered as a proxy for HTTP and HTTPS connections on the device, and a self-signed CA certificate is installed. This CA certificate allows Burp Proxy to generate on-the-fly certificates in order to imitate an HTTPS server and act as a man-in-the-middle.

Encrypted data traffic can be analysed by posing as a man-in-the-middle

However, the problem on Android phones was that these devices first retrieved the target server’s address via DNS and then used the proxy to access that address directly using CONNECT. As Burp didn’t know the server name for which to generate a certificate, it used the server’s IP address as the common name, causing error messages or even aborted connections on the smartphone. The new version 1.4.12 first establishes an SSL connection to the target server and then does its best to imitate the server’s certificate. Burp Proxy is part of PortSwigger’s Burp Suite.
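The name mismatch described above can be modelled offline. The following is an added illustration, not Burp's code: the function names are hypothetical, and the hostname, IP address and upstream certificate names are constructed sample values. It shows why a certificate named after the CONNECT target fails the app's hostname check, while one that copies the real server's names passes.

```python
# Added illustration: function names and sample values are hypothetical.
import ipaddress

def parse_connect(request_line):
    """Return (host, port, is_ip_literal) from an HTTP CONNECT request line."""
    method, target, _version = request_line.split()
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = target.rpartition(":")
    host = host.strip("[]")  # IPv6 literals are bracketed
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return host, int(port), is_ip

def name_matches(hostname, pattern):
    """Case-insensitive DNS name match; '*' may replace only the leftmost label."""
    h = hostname.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def client_accepts(app_hostname, cert_names):
    """The app checks the certificate against the name it asked for, not the IP."""
    return any(name_matches(app_hostname, n) for n in cert_names)

def forged_cert_names(connect_host, upstream_names=None):
    """Names placed in the on-the-fly certificate: the CONNECT target alone
    (old behaviour) or the names copied from the real server's certificate."""
    return list(upstream_names) if upstream_names else [connect_host]

# Constructed sample: the app wants api.example.com but resolved it itself.
APP_HOSTNAME = "api.example.com"
CONNECT_LINE = "CONNECT 203.0.113.10:443 HTTP/1.1"
UPSTREAM_NAMES = ["*.example.com", "example.com"]  # as read from the real server

def demo():
    host, _port, is_ip = parse_connect(CONNECT_LINE)
    old = client_accepts(APP_HOSTNAME, forged_cert_names(host))
    new = client_accepts(APP_HOSTNAME, forged_cert_names(host, UPSTREAM_NAMES))
    return is_ip, old, new

if __name__ == "__main__":
    print(demo())
```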


