After this lesson, you will be able to use Frida for runtime instrumentation and intercept mobile traffic with Burp Suite and a proxy certificate, then identify vulnerabilities in a deliberately vulnerable app.
Dynamic analysis runs the app and observes or modifies its behavior live. This lesson covers intercepting mobile traffic with Burp (and the certificate problem), runtime instrumentation with Frida, and common findings: certificate-pinning bypass, insecure communication, and improper session handling.
To see what an app sends, route its traffic through Burp Suite as a proxy. The catch is HTTPS: the device must trust Burp's CA certificate to decrypt TLS, so you install Burp's certificate on your test device/emulator. Once trusted, you see the app's API calls in cleartext and can find insecure endpoints, leaked data, and weak authentication. On modern Android, user-installed CAs are not trusted by apps by default, which is itself a defense you may need to work around on a device you control.
Well-built apps pin their server certificate, so even your trusted Burp CA is rejected and interception fails. This is a good defense. To test a pinned app you own, you bypass pinning at runtime with Frida, which hooks the app's certificate-validation function and forces it to accept your proxy. The point is to understand both sides: pinning protects users, and a determined tester with a controlled device can still bypass it, so pinning is a strong layer but not absolute.
Frida injects a JavaScript engine into a running app so you can hook and modify functions live: read arguments, change return values, bypass checks, and dump data. Security testers use it to bypass root detection, defeat certificate pinning, and observe internal behavior that static analysis cannot reveal. It is the workhorse of mobile dynamic analysis.
Emulator, Burp, Frida.
1. Run a deliberately vulnerable app (InjuredAndroid or an OWASP MAS app) on an emulator you control.
2. Configure the emulator to proxy through Burp and install Burp's CA certificate.
3. Observe the app's API traffic in Burp; look for cleartext sensitive data or weak auth tokens.
4. If traffic does not appear and the app pins certificates, use a Frida script to bypass pinning, then re-observe.
5. Document findings (insecure communication, a recoverable token, a bypassed check) and the corresponding fixes (proper TLS, server-side checks, secure storage).
Forgetting modern Android distrusts user CAs by default and concluding the app is 'unhackable.' Disabling pinning in production to make testing easier (never ship that). Running Frida against apps you do not own. Confusing 'I bypassed pinning on my own device' with 'pinning is useless' (it still protects ordinary users). Not pairing each finding with a concrete remediation.