
Intercepting & Modifying Android App Network Traffic using Frida and Burp Suite: A Deep Dive


Introduction to Android Network Interception

In the realm of mobile application security, understanding and manipulating an app’s network communication is paramount. It allows security researchers, penetration testers, and developers to uncover vulnerabilities, test API endpoints, and gain insights into data handling. This deep dive explores the powerful synergy between Frida, a dynamic instrumentation toolkit, and Burp Suite, a leading web vulnerability scanner, to effectively intercept and modify Android application network traffic, even in the presence of robust security measures like SSL Pinning.

Frida enables injecting custom scripts into running processes, providing unparalleled control over an application’s runtime behavior. Burp Suite, on the other hand, excels at proxying, analyzing, and manipulating HTTP/S traffic. Together, they form an indispensable toolkit for comprehensive Android security assessments.

Essential Prerequisites and Setup

Required Tools

  • Rooted Android Device or Emulator: Necessary for installing Frida server and, ideally, system-level CA certificates.
  • Android SDK Platform Tools: Specifically, adb for interacting with the Android device.
  • Frida-tools: Installed on your host machine via pip (pip install frida-tools).
  • Burp Suite Professional or Community Edition: Running on your host machine.

Setting Up Frida on Android

First, determine your Android device’s CPU architecture:

adb shell getprop ro.product.cpu.abi

This will typically return arm64-v8a, armeabi-v7a, or x86_64. Download the corresponding frida-server release from the Frida GitHub releases page. The frida-server version must match the frida-tools version installed on your host; check it with frida --version before downloading.

Push the frida-server binary to your device, grant it executable permissions, and run it:

wget https://github.com/frida/frida/releases/download/16.1.4/frida-server-16.1.4-android-arm64.xz # Replace 16.1.4 with the output of `frida --version` and arm64 with your architecture
xz -d frida-server-16.1.4-android-arm64.xz # Release assets are xz-compressed
adb push frida-server-16.1.4-android-arm64 /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "su -c '/data/local/tmp/frida-server &'" # frida-server needs root to instrument other apps

Verify Frida is running by listing connected devices from your host:

frida-ps -U

Configuring Burp Suite for Android Proxy

In Burp Suite, navigate to Proxy > Options. Add a new proxy listener bound to all interfaces, typically 0.0.0.0:8080, and leave ‘Support invisible proxying’ unchecked for typical setups. Make sure the Android device and your host machine are on the same network, then, in the device’s Wi-Fi settings, modify the network to use a manual proxy: set the Proxy hostname to your host machine’s IP address and the Proxy port to 8080.

Installing Burp Suite CA Certificate on Android

For Burp Suite to decrypt HTTPS traffic, its CA certificate must be trusted by the Android device. Go to Proxy > Options > Import/export CA certificate > Export > Certificate in DER format in Burp Suite and save it as cacert.der.

For Android 7+ (User-Installed Certificate)

Push the certificate to the device’s downloads and install it:

adb push cacert.der /sdcard/Download/cacert.der

On the Android device, go to Settings > Security > Encryption & credentials > Install a certificate > CA certificate, then select cacert.der from your downloads. Note that apps whose Network Security Configuration does not trust user-installed certificates (the default for apps targeting Android 7 or later) will still fail, which is why the system store method below is recommended.

For Rooted Android (System-Installed Certificate – Recommended)

This method circumvents most restrictions. Convert the DER certificate to PEM, calculate its subject hash, and push it to the system certificate store:

openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1 # Note the hash (e.g., c8750f0d)
mv cacert.pem <HASH>.0 # Replace <HASH> with the actual hash
adb push <HASH>.0 /data/local/tmp/
adb shell "su -c 'mount -o rw,remount /system'"
adb shell "su -c 'cp /data/local/tmp/<HASH>.0 /system/etc/security/cacerts/'"
adb shell "su -c 'chmod 644 /system/etc/security/cacerts/<HASH>.0'"
adb reboot

After rebooting, the Burp Suite CA will be trusted system-wide. On Android 10 and later, /system is usually mounted read-only from a system-as-root or dynamic partition and the remount above fails; in that case install the certificate through a Magisk module, or mount a tmpfs copy of /system/etc/security/cacerts containing the extra file over the original directory after each boot.
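The hash in the file name is not arbitrary: Android looks up system CA certificates by OpenSSL's legacy subject-name hash, the first four bytes of MD5 over the DER-encoded Subject read as a little-endian integer. The following added example (not part of the original article) reproduces that computation in pure Python so the file can be named on a host without openssl, and accepts either Burp's DER export or a PEM file. The minimal certificate parser, the sample-certificate builder and the names build_sample_cert, der_tlv and der_name are constructed here for illustration; the sample certificate is unsigned and only structurally valid.

```python
"""Compute the /system/etc/security/cacerts/ file name (<subject_hash_old>.0)
for a CA certificate using only the Python standard library.
Added example, not from the article. Equivalent to:
  openssl x509 -inform PEM -subject_hash_old -in cacert.pem
"""
import base64
import hashlib
import re
import struct


def _read_tlv(buf, pos):
    """Decode one DER tag/length header at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    header = 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header += n
    start = pos + header
    return tag, start, start + length


def pem_to_der(data: bytes) -> bytes:
    """Accept DER or PEM input (Burp's cacert.der or a converted cacert.pem) and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def der_to_pem(der: bytes) -> bytes:
    """PEM-encode DER (64-character base64 lines), the format the system store expects."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def extract_subject_der(cert_der: bytes) -> bytes:
    """Return the Subject Name as raw DER (tag, length and value): that is what gets hashed."""
    tag, pos, _ = _read_tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, pos, tbs_end = _read_tlv(cert_der, pos)       # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    # TBSCertificate fields in order: [0] version (OPTIONAL), serialNumber,
    # signature, issuer, validity, subject, ... so the subject is the fifth
    # mandatory field; v1 certificates omit the explicit [0] version tag.
    fields = []
    while pos < tbs_end and len(fields) < 5:
        tag, _, vend = _read_tlv(cert_der, pos)
        if tag == 0xA0 and not fields:
            pos = vend
            continue
        fields.append((tag, pos, vend))
        pos = vend
    if len(fields) < 5 or fields[4][0] != 0x30:
        raise ValueError("subject not found")
    _, subj_start, subj_end = fields[4]
    return cert_der[subj_start:subj_end]


def subject_hash_old(cert_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old(): MD5 of the DER Subject, first 4 bytes little-endian, 8 hex digits."""
    digest = hashlib.md5(extract_subject_der(cert_der)).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def system_store_filename(cert_bytes: bytes) -> str:
    """Name to use under /system/etc/security/cacerts/ ('.0' = first certificate with this hash)."""
    return subject_hash_old(pem_to_der(cert_bytes)) + ".0"


# --- Constructed sample certificate (unsigned, minimal structure, for demonstration only) ---
def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder used only to build the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def der_name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (OID 2.5.4.3)."""
    atv = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, common_name.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def build_sample_cert(subject_cn: str, with_version: bool = True) -> bytes:
    """Certificate-shaped DER carrying just the TBSCertificate fields the parser walks."""
    tbs = der_tlv(0xA0, der_tlv(0x02, b"\x02")) if with_version else b""            # [0] version v3
    tbs += der_tlv(0x02, b"\x01")                                                    # serialNumber
    tbs += der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))         # sha256WithRSAEncryption
    tbs += der_name("Constructed Issuer")                                            # issuer
    tbs += der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"340101000000Z"))  # validity
    tbs += der_name(subject_cn)                                                      # subject
    tbs += der_tlv(0x30, b"")                                                        # placeholder SubjectPublicKeyInfo
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    # Usage: python cacert_name.py cacert.der   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cert("Constructed Test CA")
    print(system_store_filename(data))
```

Running it on Burp's cacert.der prints the name to use in the mv and adb push steps above; the PEM conversion itself is still needed because Android reads the store files as PEM, which der_to_pem covers.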

Conquering SSL Pinning with Frida

Understanding SSL Pinning

SSL Pinning (or Certificate Pinning) is a security mechanism where an application hardcodes or ‘pins’ the expected SSL certificate or public key. If the server presents a certificate that doesn’t match the pinned one, even if signed by a trusted CA (like Burp’s), the application will reject the connection, preventing MITM attacks. This is a common hurdle for security testers.

Generic Frida SSL Pinning Bypass Script

Frida can dynamically instrument the application to bypass SSL pinning by hooking the Java methods that perform the check. The following script covers the most common implementations: it substitutes a permissive TrustManager into every SSLContext the app initialises (the X509TrustManager interface itself cannot be hooked), hooks Conscrypt’s TrustManagerImpl, OkHttp’s CertificatePinner (3.x and 4.x), the WebViewClient SSL error callback, and the pin check enforced by the Android Network Security Configuration. Each hook is isolated in its own try/catch so that a missing class does not stop the remaining hooks.

/*
 * Generic Android SSL Pinning Bypass Script
 * Credits to various contributors in the Frida community.
 * This script attempts to bypass SSL pinning by hooking various common
 * implementations in Android applications. Each hook is wrapped in its own
 * try/catch so that a missing class (e.g. an app without OkHttp) does not
 * prevent the remaining hooks from being applied.
 */

Java.perform(function () {
    console.log("Starting SSL pinning bypass script...");

    // Bypass custom TrustManagers. javax.net.ssl.X509TrustManager is an interface,
    // so its methods have no implementation to replace. Instead, register a
    // TrustManager that accepts every chain and hand it to every SSLContext.init() call.
    try {
        var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
        var SSLContext = Java.use('javax.net.ssl.SSLContext');

        var PermissiveTrustManager = Java.registerClass({
            name: 'org.example.frida.PermissiveTrustManager',
            implements: [X509TrustManager],
            methods: {
                checkClientTrusted: function (chain, authType) {},
                checkServerTrusted: function (chain, authType) {},
                getAcceptedIssuers: function () { return []; }
            }
        });
        var permissiveTrustManagers = [PermissiveTrustManager.$new()];

        var SSLContextInit = SSLContext.init.overload(
            '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
        SSLContextInit.implementation = function (keyManagers, trustManagers, secureRandom) {
            console.log("[+] Replacing TrustManagers passed to SSLContext.init()");
            SSLContextInit.call(this, keyManagers, permissiveTrustManagers, secureRandom);
        };
        console.log("[+] SSLContext.init hook applied.");
    } catch (e) {
        console.log("[-] Error hooking SSLContext: " + e.message);
    }

    // Bypass Conscrypt's TrustManagerImpl, which backs the platform default
    // TrustManager on Android 7+. Its checkServerTrusted() overloads all end in
    // verifyChain(); returning the unverified chain skips path validation.
    try {
        var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
        TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
            console.log("[+] Bypassing TrustManagerImpl.verifyChain for: " + host);
            return untrustedChain;
        };
        console.log("[+] TrustManagerImpl.verifyChain hook applied.");
    } catch (e) {
        console.log("[-] Error hooking TrustManagerImpl: " + e.message);
    }

    // Bypass OkHttp3 CertificatePinner. The second public overload is a varargs
    // method, i.e. a Certificate[] in the JVM signature, not a single Certificate.
    try {
        var CertificatePinner = Java.use('okhttp3.CertificatePinner');
        CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function (hostname, certificates) {
            console.log("[+] Bypassing OkHttp3 CertificatePinner.check for: " + hostname);
            // Do nothing, effectively bypassing the check
        };
        CertificatePinner.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;').implementation = function (hostname, certificates) {
            console.log("[+] Bypassing OkHttp3 CertificatePinner.check (varargs) for: " + hostname);
            // Do nothing
        };
        console.log("[+] OkHttp3 CertificatePinner hooks applied.");
    } catch (e) {
        console.log("[-] Error hooking OkHttp3 CertificatePinner: " + e.message);
    }

    // OkHttp 4.x (Kotlin) performs the check through the internal check$okhttp()
    // method, which RealConnection calls directly, so the public overloads above
    // are not enough on their own.
    try {
        var CertificatePinner4 = Java.use('okhttp3.CertificatePinner');
        CertificatePinner4['check$okhttp'].overload('java.lang.String', 'kotlin.jvm.functions.Function0').implementation = function (hostname, peerCertificatesFn) {
            console.log("[+] Bypassing OkHttp4 CertificatePinner.check$okhttp for: " + hostname);
            // Do nothing
        };
        console.log("[+] OkHttp4 CertificatePinner.check$okhttp hook applied.");
    } catch (e) {
        console.log("[-] Error hooking OkHttp4 CertificatePinner.check$okhttp: " + e.message);
    }

    // Bypass WebViewClient onReceivedSslError
    try {
        var WebViewClient = Java.use('android.webkit.WebViewClient');
        WebViewClient.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.SslErrorHandler', 'android.net.http.SslError').implementation = function (view, handler, error) {
            console.log("[+] Bypassing WebViewClient.onReceivedSslError");
            handler.proceed(); // Ignore SSL errors
        };
        console.log("[+] WebViewClient onReceivedSslError hook applied.");
    } catch (e) {
        console.log("[-] Error hooking WebViewClient: " + e.message);
    }

    // Bypass Network Security Configuration pins (API 24+). The framework's
    // NetworkSecurityTrustManager validates the chain through its TrustManagerImpl
    // delegate and then enforces <pin-set> entries in its private checkPins()
    // method. Framework internals can change between Android releases, so this
    // hook is best-effort and only logs when the method cannot be found.
    try {
        var NetworkSecurityTrustManager = Java.use('android.security.net.config.NetworkSecurityTrustManager');
        NetworkSecurityTrustManager.checkPins.implementation = function (chain) {
            console.log("[+] Bypassing NetworkSecurityTrustManager.checkPins");
            // Do nothing, effectively bypassing the pin check
        };
        console.log("[+] NetworkSecurityTrustManager.checkPins hook applied.");
    } catch (e) {
        console.log("[-] Error hooking NetworkSecurityTrustManager: " + e.message);
    }

    console.log("SSL pinning bypass script finished.");
});

Save this script as ssl_bypass.js.

Intercepting and Modifying Live Traffic

Attaching Frida to the Target Application

With the Burp CA installed and the Frida server running, launch the target application with the SSL bypass script:

frida -U -f com.example.targetapp -l ssl_bypass.js --no-pause

Replace com.example.targetapp with the actual package name of the application you are testing. The -f flag spawns the app, -l loads the script, and --no-pause allows the app to run immediately without waiting for user input. If the app is already running, use frida -U -p <PID> -l ssl_bypass.js or frida -U -F -l ssl_bypass.js (attach to foreground app).
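The same spawn, inject and resume sequence can be driven from Python with the frida module that pip install frida-tools brings in, which is useful when a test has to run unattended or when you want a record of which hooks actually applied. The example below is added here and is not from the article; it assumes ssl_bypass.js logs "[+] ... hook(s) applied." and "[-] Error hooking <name>: <reason>" lines as the script above does, the package name com.example.targetapp is a placeholder, and the sample log lines are constructed.

```python
"""Spawn an app under Frida, load ssl_bypass.js, and summarise which hooks applied.
Added example, not from the article. Requires the `frida` Python module and a
USB device running frida-server only for run_with_bypass(); the log parser is
pure Python."""
import re
import sys
import time


def summarize_hook_log(lines):
    """Turn the bypass script's console output into {'applied': [...], 'failed': {name: reason}}.
    Matches '[+] <name> hook applied.' / '[+] <name> hooks applied.' and
    '[-] Error hooking <name>: <reason>'; progress lines such as '[+] Bypassing ...' are ignored."""
    applied, failed = [], {}
    for line in lines:
        line = line.strip()
        m = re.match(r"\[\+\] (.+?) hooks? applied\.$", line)
        if m:
            applied.append(m.group(1))
            continue
        m = re.match(r"\[-\] Error hooking (.+?): (.+)$", line)
        if m:
            failed[m.group(1)] = m.group(2)
    return {"applied": applied, "failed": failed}


def run_with_bypass(package, script_path="ssl_bypass.js", usb_timeout=5, settle_seconds=3):
    """Equivalent of `frida -U -f <package> -l ssl_bypass.js --no-pause`, returning (session, summary).
    The session is returned so the caller keeps it alive; dropping it detaches Frida."""
    import frida  # imported lazily so summarize_hook_log() stays usable without a device

    with open(script_path, encoding="utf-8") as f:
        source = f.read()
    log_lines = []

    device = frida.get_usb_device(timeout=usb_timeout)
    pid = device.spawn([package])                       # -f: spawn the app suspended
    session = device.attach(pid)
    script = session.create_script(source)              # -l: the agent script
    # console.log() inside the agent is delivered through the log handler;
    # send() payloads arrive as "message" events.
    script.set_log_handler(lambda level, text: log_lines.append(text))
    script.on("message", lambda message, data: print("[agent message]", message))
    script.load()                                       # runs Java.perform(...) in the app
    device.resume(pid)                                  # --no-pause: let the app start
    time.sleep(settle_seconds)                          # give the hooks time to report

    summary = summarize_hook_log(log_lines)
    print("hooks applied:", ", ".join(summary["applied"]) or "none")
    for name, reason in summary["failed"].items():
        print("hook failed:", name, "->", reason)
    return session, summary


# Constructed sample of the agent's console output, for offline demonstration.
SAMPLE_LOG = [
    "Starting SSL pinning bypass script...",
    "[+] Bypassing OkHttp3 CertificatePinner.check for: api.example.test",
    "[+] OkHttp3 CertificatePinner hooks applied.",
    "[+] WebViewClient onReceivedSslError hook applied.",
    "[-] Error hooking TrustManagerImpl: java.lang.ClassNotFoundException: com.android.org.conscrypt.TrustManagerImpl",
    "SSL pinning bypass script finished.",
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python run_bypass.py com.example.targetapp [ssl_bypass.js]
        session, _ = run_with_bypass(sys.argv[1], *sys.argv[2:3])
        print("Press Ctrl-D to detach.")
        sys.stdin.read()
    else:
        print(summarize_hook_log(SAMPLE_LOG))
```

A failed hook for a library the app does not ship (for example OkHttp in an app that uses HttpURLConnection) is expected; a failure for TrustManagerImpl or SSLContext on a rooted device usually means the frida-server and frida-tools versions do not match.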

Observing and Manipulating Requests in Burp Suite

Once the app is running with Frida attached, interact with the application. Its HTTP(S) traffic will now flow through Burp Suite (requests from libraries that ignore the system proxy setting will not appear; that is a separate problem from pinning). In Burp’s Proxy > HTTP history tab, you’ll see a detailed log of all requests and responses. You can use this history to:

  • Analyze requests: Examine headers, parameters, and bodies.
  • Send to Repeater: Right-click a request and select ‘Send to Repeater’ to manually modify and resend requests repeatedly. This is invaluable for testing API endpoints and identifying vulnerabilities like SQL injection or broken access control.
  • Send to Intruder: Use ‘Send to Intruder’ for automated brute-forcing or fuzzing of parameters.
  • Set Breakpoints: In Proxy > Intercept, turn Intercept ‘on’ to pause requests and responses in real-time. This allows you to modify parameters or data before they reach the server or the client, enabling dynamic manipulation of application logic.

For example, if an app sends a JSON payload like {"item_id":123, "quantity":1}, you can intercept this, change item_id to 456, and forward the request to observe the app’s behavior with unauthorized data access.

Conclusion

The combination of Frida’s dynamic instrumentation capabilities and Burp Suite’s powerful proxy features provides an unparalleled advantage in Android application security assessments. By skillfully bypassing SSL pinning and intercepting traffic, security professionals can gain deep insights into application behavior, identify critical vulnerabilities, and recommend robust security enhancements. Always ensure you have explicit permission before conducting such tests on applications or systems you do not own or manage.
