
Mobile HTTPS Interception on Android 7+

Fix "traffic in browser but not in apps" via Network Security Config

Android Nougat changed the CA trust defaults: apps targeting API 24+ ignore user-installed CAs, which breaks typical Burp/mitmproxy interception. This recipe walks through Network Security Config debug overrides for builds you control and scoped fallback options for test devices when you don't.

House Recipe · Work · 12 min

INGREDIENTS

🌐Browser

PROMPT

Create a skill called "Android 7+ MITM Troubleshooter".

Inputs I will provide:
- Android OS version and whether it's a physical device or emulator
- Whether I control the app build (debuggable) or not
- Burp listener details and whether browser traffic works
- Any error logs (SSLHandshakeException, trust anchor errors)

Task:
1) Diagnose whether the failure is due to Android CA trust defaults.
2) Provide a preferred fix path:
   - Debug build using Network Security Config debug overrides.
3) Provide a controlled fallback path for test devices if build changes are impossible.
4) Include a cleanup checklist to remove certificates and revert proxy settings post-test.

What this fixes

Common symptoms:

  • Device browser traffic appears in Burp, but most apps show nothing
  • Apps fail TLS handshake even after installing the proxy CA as a user certificate
  • SSLHandshakeException / "trust anchor not found" errors in logcat

Prerequisites

  • A test device or emulator configured for the engagement
  • Burp configured with a dedicated proxy listener for the device
  • Authorization to test the specific app(s) and permission to modify debug builds (if applicable)

Steps and commands

  1. Configure Burp for the device:
     • Add a dedicated proxy listener (bind to all interfaces, unique port).
     • Export Burp CA certificate (DER) for device installation.
  2. Configure Wi-Fi proxy on the Android device:
     • Set proxy hostname to your Burp host IP and port to the listener port.
  3. Validate baseline with the device browser:
     • Browse to an HTTPS site and confirm traffic appears in Burp.
  4. If app traffic does NOT appear (Android 7+):
     • Default behavior: apps targeting API 24+ do not trust user-installed CAs.
     • Preferred fix: use Network Security Config in a debug build.

Minimal debug override (trust user CAs only while debuggable):

  • `res/xml/network_security_config.xml`:

`

`

  • Reference it in the app manifest (`android:networkSecurityConfig`).
  5. If you cannot modify the app build:
     • Use a dedicated test device/emulator that supports installing the CA into the system store.
     • Treat this as a controlled lab action; understand the security impact and roll back afterward.
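
The trust decision behind step 4, as an added example (not part of the original recipe or of any tool it mentions): it evaluates an app's targetSdkVersion, debuggable flag and Network Security Config to tell whether user-installed CAs are trusted. The helper names and the embedded debug-only config are constructed for illustration, and per-domain `<domain-config>` entries are not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample of res/xml/network_security_config.xml: user-installed
# CAs are trusted only while the build is debuggable (debug-overrides).
DEBUG_ONLY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>"""


def _anchor_sources(element):
    """Return the set of <certificates src=...> values under element, or None
    when the element or its <trust-anchors> child is absent."""
    anchors = element.find("trust-anchors") if element is not None else None
    if anchors is None:
        return None
    return {c.get("src") for c in anchors.findall("certificates")}


def trusts_user_cas(target_sdk, debuggable, config_xml=None):
    """Hypothetical helper: does the app's default (base) trust include
    user-installed CAs? Per-domain <domain-config> entries are not evaluated."""
    # Platform default: API 23 and lower trust system + user, API 24+ system only.
    sources = {"system", "user"} if target_sdk <= 23 else {"system"}
    if config_xml:
        root = ET.fromstring(config_xml)
        base = _anchor_sources(root.find("base-config"))
        if base is not None:
            sources = base  # an explicit base-config replaces the default
        debug = _anchor_sources(root.find("debug-overrides"))
        if debuggable and debug is not None:
            sources = sources | debug  # added only for debuggable builds
    return "user" in sources


if __name__ == "__main__":
    for sdk, dbg, cfg in [(23, False, None), (24, False, None),
                          (34, True, DEBUG_ONLY_CONFIG), (34, False, DEBUG_ONLY_CONFIG)]:
        print(f"targetSdk={sdk} debuggable={dbg} config={'yes' if cfg else 'no'}"
              f" -> user CAs trusted: {trusts_user_cas(sdk, dbg, cfg)}")
```

A release build carrying the same config still reports no user-CA trust, which is why the override is safe to leave in the source tree for debug builds.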

Expected outputs

  • Browser and eligible app traffic appears in Burp (Proxy history)
  • Reduced TLS errors once the app trusts the proxy CA

Common errors and troubleshooting

  • Traffic works in browser only
     • Strong signal of Android 7+ CA trust changes for apps.
     • Confirm app targetSdkVersion and whether it opts into user CAs.
  • "Trust anchor for certification path not found"
     • App does not trust the proxy CA.
     • Fix via Network Security Config (preferred) or controlled system-CA installation.
  • Certificate pinning (distinct from CA trust)
     • Some apps pin specific certificates beyond the CA trust model.
     • Requires additional tooling (e.g., Frida/Objection); out of scope for this recipe.

References

  • https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
  • https://developer.android.com/privacy-and-security/security-config
  • https://portswigger.net/burp/documentation/desktop/mobile/config-android-device
  • https://docs.mitmproxy.org/stable/howto/install-system-trusted-ca-android/

Example inputs

  • Burp host IP: 192.168.56.1
  • Device proxy port: 8082
  • Target app package: com.example.app