Before you start:
- Ensure you have configured your Android device to work with Burp.
- Ensure your Android device is able to receive email, and that your email filter does not block .cer files.
Note: Android Nougat no longer trusts user or admin supplied CA certificates. We recommend that you use an older version of Android for your testing. If you must use Android Nougat then you will need to install a trusted CA at the Android OS level on a rooted device or emulator.
On your computer with Burp running, visit http://burp and click the "CA Certificate" link. Save the certificate file on your computer.
On your computer, rename the file with the .cer file extension, and send the file as an email attachment to an account that you can access from your Android device.
Check your email on the Android device.
Open the email and tap the attachments button.
Then tap the save button. This should save the certificate file to your Android device’s “Download" folder.
Find your “My Files” folder. This may be located in the “Apps” menu or on one of the device's home screens.
In “My Files” tap the “All Files” folder.
In the “All Files” folder tap “Device storage”.
Open the “Download” folder and check that your certificate is correctly located in this folder.
Next locate and tap the "Settings” icon. This may be located in the “Apps” menu or on one of the device's home screens.
Tap the “More” button.
Beneath the “Permissions” header tap the “Security” button.
In the “Security” menu select the “Install from device storage” from beneath the "Credential storage" header.
You will now be asked to “Name the certificate”, leave the certificate name as it is and tap “OK”.
In some versions of Android, your device will ask if you want to use the certificate for "VPN and apps" or "WiFi".
In the "Credential use:" options, you should select "VPN and apps".
The phone will revert to the security menu and will inform you via a small pop up that the certificate is installed.
You can check the Certificate is installed by tapping the “Trusted credentials" button.
Tap the "User" tab in the “Trusted credentials” window to show the PortSwigger CA certificate.
You should now be able to visit any HTTPS URL via Burp without any security warnings.
Note: It is also possible to import the Burp CA Certificate using a micro SD card. Ensure that you move the Burp CA Certificate from the micro SD card to the phones own storage before using the certificate install function in the “Security” menu.
This article is based on Android version 4.2.2 running on a Samsung mobile device.