Installing Burp's CA Certificate in an Android Device

Before you start:

Note: Android Nougat no longer trusts user- or admin-supplied CA certificates. We recommend that you use an older version of Android for your testing. If you must use Android Nougat, you will need to install a trusted CA at the Android OS level on a rooted device or emulator.
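
For the Android Nougat case in the note above, the system trust store (/system/etc/security/cacerts/) keeps each CA as a PEM file named after OpenSSL's legacy MD5 subject hash, `<hash>.0`. The following Python is an added example, not part of the original article: it derives that file name and the PEM body from the certificate saved from Burp, assuming the saved file is DER-encoded; the sample certificate in it is a constructed skeleton.

```python
import base64, hashlib, sys

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def subject_der(cert):
    """Return the raw DER bytes (header included) of the certificate's subject Name."""
    _, pos, _ = read_tlv(cert, 0)           # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert, pos)         # TBSCertificate ::= SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                         # optional [0] version (absent in v1 certs)
        pos = end
    for _ in range(4):                      # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return cert[pos:end]

def system_store_name(cert):
    """File name for the system CA store: legacy (MD5) subject hash plus '.0'."""
    digest = hashlib.md5(subject_der(cert)).digest()
    return "%08x.0" % int.from_bytes(digest[:4], "little")

def to_pem(cert):
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

# Constructed sample (certificate-shaped skeleton, not a valid certificate); short-form lengths only.
def der(tag, body):
    return bytes([tag, len(body)]) + body
SAMPLE_NAME = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Constructed Test CA"))))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
                        + SAMPLE_NAME + der(0x30, b"") + SAMPLE_NAME))

if __name__ == "__main__":                  # optional argument: the saved Burp certificate (assumed DER)
    cert = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CERT
    print(system_store_name(cert))
    print(to_pem(cert), end="")
```

The first output line is the file name to use and the rest is the file's contents. The result matches `openssl x509 -inform DER -subject_hash_old` run on the same certificate.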


On your computer with Burp running, visit http://burpsuite and click the "CA Certificate" link. Save the certificate file on your computer.

 

On your computer, rename the file with the .cer file extension, and send the file as an email attachment to an account that you can access from your Android device.

 

Check your email on the Android device.

 

Open the email and tap the attachments button.

Then tap the save button. This should save the certificate file to your Android device’s “Download” folder.

 

Find your “My Files” folder. This may be located in the “Apps” menu or on one of the device's home screens.

 

In “My Files” tap the “All Files” folder.

 

In the “All Files” folder tap “Device storage”.

 

Open the “Download” folder and check that your certificate is correctly located in this folder.

 

Next, locate and tap the “Settings” icon. This may be located in the “Apps” menu or on one of the device's home screens.

 

Tap the “More” button.

 

Beneath the “Permissions” header tap the “Security” button.

 

In the “Security” menu, select “Install from device storage” beneath the “Credential storage” header.

 

You will now be asked to “Name the certificate”. Leave the certificate name as it is and tap “OK”.

 

In some versions of Android, your device will ask if you want to use the certificate for "VPN and apps" or "WiFi".

In the "Credential use:" options, you should select "VPN and apps".

 

The phone will revert to the security menu and will inform you via a small pop-up that the certificate is installed.

You can check that the certificate is installed by tapping the “Trusted credentials” button.

 

Tap the "User" tab in the “Trusted credentials” window to show the PortSwigger CA certificate.

 

You should now be able to visit any HTTPS URL via Burp without any security warnings.

 

Note: It is also possible to import the Burp CA Certificate using a micro SD card. Ensure that you move the Burp CA Certificate from the micro SD card to the phone's own storage before using the certificate install function in the “Security” menu.

 

This article is based on Android version 4.2.2 running on a Samsung mobile device.