Android Pentesting: Android Appsec (Kotlin) HTTP & HTTPS Traffic

3 min read · Jan 25, 2022


Android Appsec is an intentionally vulnerable application built for learning about security in Android applications. In this post I look at intercepting the app's HTTP and HTTPS traffic, which for HTTPS means dealing with SSL (certificate) pinning. Being able to read an app's traffic matters because anyone who can intercept the requests the application makes can read the secrets and any other data it sends in plaintext, so a pentester wants to see this traffic, and a developer should assume that an attacker with a rooted device eventually will.

To intercept requests in Burp Suite we first need to install Burp's CA certificate on the Android device. One caveat: on Android 7.0 and later, apps only trust user-installed CAs if their network_security_config opts in, so for an app you do not control the certificate has to go into the system CA store, which needs a rooted device or an emulator. Otherwise even plain HTTPS without any pinning will fail to reach Burp.

You can follow this guide to install Burp's certificate.

After installing the certificate, make sure Burp's proxy listener is bound to all interfaces rather than only 127.0.0.1 (in the listener's binding settings), otherwise the device cannot reach it.

Then set the proxy in the device's Wi-Fi network configuration to your host machine's IP address and the listener's port (8080 by default). The device and the host must be on the same network and the host firewall must allow inbound connections on that port.
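The setup steps above (export and install the CA, point the device at Burp) as one script. This is an added example written for this post, not the hpAndro project's own tooling. It assumes adb and openssl on PATH, a rooted device or an emulator started with -writable-system, and that Burp's CA has already been exported in DER form from the Proxy settings; the host IP, file names and the 8080 port are placeholders. Binding the listener to all interfaces is done in Burp's UI and is not scripted.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the hpAndro app): install the
# Burp CA as a *system* CA on a rooted device/emulator and set the device
# proxy. Assumptions: `adb` and `openssl` on PATH, Burp's CA exported as DER
# (e.g. cacert.der), device is rooted or an emulator started with
# -writable-system, Burp listens on <host-ip>:8080 bound to all interfaces.
set -eu

# Android 7.0+ apps ignore user-installed CAs unless their
# network_security_config opts in, so the CA goes into the system store.
# System CA files are named <subject_hash_old>.0, where the hash is
# OpenSSL's legacy (MD5-based) subject-name hash.
burp_ca_system_name() {
  der="$1"; pem="$2"
  openssl x509 -inform DER -in "$der" -out "$pem"
  printf '%s.0\n' "$(openssl x509 -subject_hash_old -noout -in "$pem")"
}

# Push the PEM into the system CA store. This path works on Android 13 and
# below (what the 2022 post used); on Android 14+ the system store is served
# from the Conscrypt APEX and this directory is no longer the one consulted.
install_system_ca() {
  pem="$1"; name="$2"
  adb root
  adb remount
  adb push "$pem" "/system/etc/security/cacerts/$name"
  adb shell chmod 644 "/system/etc/security/cacerts/$name"
  # Check the device actually sees the file before trusting the result.
  adb shell ls -l "/system/etc/security/cacerts/$name"
}

# Device-wide proxy, equivalent to editing the Wi-Fi network's proxy by hand.
# Honoured by apps that use the platform proxy settings (HttpURLConnection,
# OkHttp, WebView); apps that open their own sockets will not use it.
set_device_proxy() {
  adb shell settings put global http_proxy "$1:$2"
  adb shell settings get global http_proxy   # read back as a sanity check
}
clear_device_proxy() {
  adb shell settings put global http_proxy :0
}

main() {
  der="$1"; host_ip="$2"; port="${3:-8080}"
  pem="$(mktemp)"
  name="$(burp_ca_system_name "$der" "$pem")"
  install_system_ca "$pem" "$name"
  set_device_proxy "$host_ip" "$port"
  echo "Burp CA installed as $name; device proxy set to $host_ip:$port"
}

# Usage: ./burp-setup.sh cacert.der 192.168.1.10 [8080]
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run `clear_device_proxy` when finished, or the device keeps sending everything to a proxy that is no longer listening. If the app still fails the TLS handshake after this, the cause is pinning inside the app rather than trust in the OS store, which is the HTTPS part of this post.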

Now let's test whether we can intercept HTTP traffic.

Intercepting HTTP Traffic

With Intercept turned on, tapping the Reload button in the app produces the request in Burp's Proxy tab.

Send the request to Repeater to see the response. This is plain HTTP, so nothing beyond the proxy setting is needed, and everything in the request and response is readable as sent.

Intercepting HTTPS Traffic

Intercepting HTTPS traffic may or may not be this easy; this is where SSL pinning comes in.

Here Burp does not see the HTTPS traffic even though the Burp certificate is installed: the app only accepts the specific certificate (or public key) it was built to expect, not any certificate the OS trusts. This is certificate pinning. Because the check runs inside the app process, we bypass it by instrumenting the process at runtime with objection (built on Frida), whose sslpinning hooks patch the app's TrustManager and OkHttp pinning checks so that Burp's certificate is accepted. This needs either frida-server on a rooted device or an app repackaged with the Frida gadget; the --gadget option names the process to attach to. Start objection against the app's package, then disable pinning at the objection prompt:

objection --gadget com.hpandro.androidsecurity explore
android sslpinning disable

With the hooks in place, retrying the request works and it shows up in Burp. Note what this does and does not prove: pinning is a client-side check, and a tester with a rooted device can always switch it off, so it raises the effort of inspecting traffic but cannot keep secrets that the app sends to the server out of an attacker's hands.
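A quick triage step for the failure described in this section, as an added example that is not part of the original post: two different things make Burp "not see" HTTPS, an untrusted CA and pinning, and they need different fixes. The function below classifies logcat lines by the exception messages Android's Conscrypt stack, OkHttp and the platform network-security-config pinning actually emit. The log lines are constructed for the example; the package name, PIDs and timestamps are made up.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: decide from logcat output why
# Burp is not seeing the HTTPS traffic, so the bypass matches the cause.
# Typical use: adb logcat -d | classify_tls_failures
set -eu

# Reads log lines on stdin, prints one verdict per matching line:
#   untrusted-ca : the app does not trust the Burp CA (on Android 7+ this is
#                  what a *user*-installed CA looks like to most apps).
#                  Fix: install it as a system CA, or opt a debug build in
#                  via network_security_config.
#   pinned       : the CA is trusted but the app enforces pinning (OkHttp
#                  CertificatePinner, network_security_config <pin-set>, or a
#                  custom TrustManager). Fix: runtime bypass, e.g. objection.
classify_tls_failures() {
  while IFS= read -r line; do
    case "$line" in
      *"Trust anchor for certification path not found"*) echo "untrusted-ca" ;;
      *"Certificate pinning failure"*)                    echo "pinned" ;;   # OkHttp
      *"Pin verification failed"*)                        echo "pinned" ;;   # network_security_config
    esac
  done
}

# Next action for a verdict, so the tester does not reach for objection
# when the real problem is the CA store (or the proxy setting).
next_step() {
  case "$1" in
    untrusted-ca) echo "install the Burp CA as a system CA (or add <certificates src=\"user\"/> to a debug network_security_config), then retry" ;;
    pinned)       echo "run: objection --gadget <package> explore, then at the prompt: android sslpinning disable" ;;
    *)            echo "no TLS trust error seen; check the device proxy and that the listener binds all interfaces" ;;
  esac
}

# Constructed sample logcat output (not captured from a real device).
SAMPLE_LOG=$(cat <<'EOF'
01-25 10:02:11.123  4242  4260 W System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
01-25 10:02:11.130  4242  4260 W System.err:     at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:362)
01-25 10:02:12.001  4242  4242 D HpAndroNet: retrying request
01-25 10:03:40.555  4242  4271 W System.err: javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
01-25 10:03:40.556  4242  4271 W System.err:     Peer certificate chain:
01-25 10:03:40.557  4242  4271 W System.err:         sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=: CN=PortSwigger CA
EOF
)

# Demo: first verdict is the CA problem, second is pinning.
printf '%s\n' "$SAMPLE_LOG" | classify_tls_failures | while IFS= read -r verdict; do
  echo "$verdict -> $(next_step "$verdict")"
done
```

In the sample the first failure is the OS refusing the CA and the second, after the CA was fixed, is the app's own pin check; only the second one is solved by objection's sslpinning disable.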