Proxy traffic on a rooted virtual android device using Burpsuite

Configure Burpsuite tool by adding a listener on all interfaces in the proxy settings.

Tools -> Proxy -> Proxy listeners -> Add -> All interfaces -> Bind to port (8082)

The Android virtual device is behind a virtual router/firewall service that allocates the address 10.0.2.2 to your host loopback interface 127.0.0.1 .

Setup the HTTP proxy on your virtual device using adb.

$adb shell settings put global http_proxy 10.0.2.2:8082
$adb shell settings get global http_proxy # Confirm the proxy 
$adb shell settings delete global http_proxy # Clear the proxy

This setup allows you to intercept the HTTP traffic from your device.

Note: For Android 7.0 (Nougat) and later, installing the certificate in the system store requires root access

To intercept the HTTPS traffic, install the Burpsuite CA certifcate on the device and move it to the system wide trusted certificates.

Import the CA certificate from Burpsuite proxy.

Tools -> Proxy -> Proxy listeners -> Export CA certificate -> Certificate in DER format

Note: Android expects certificates in PEM format and to be named using their subject hash.

Convert the exported certificate into PEM format.

openssl x509 -inform DER -in BurpCA.cer -out BurpCA.pem

Get the CA certificate subject hash.

$openssl x509 -inform PEM -subject_hash_old -in BurpCA.pem | head -1
9a5ba575

Rename the BurpCA.pem file to its subject hash and add .0 to tell the system that it’s the primary certificate for that subject hash which allows the system to recognize and load the certificate properly.

$mv BurpCA.pem 9a5ba575.0

Restart the virtual device with the flag -writable-system to make system and vendor image writable.

$Android/sdk/emulator/emulator -avd Pixel_6 -writable-system

Enable root shell, remount the partitions read-write and push the Burp CA certificate to the virtual device.

$adb root
$adb remount
$adb push 9a5ba575.0 /system/etc/security/cacerts/