The Guide to Finding and Reporting Web Vulnerabilities
23 Hacking Android Apps
Setting Up Your Mobile Proxy
In the same way that you configured your web browser to work with your proxy, you’ll need to set up your testing mobile device to work with a proxy. This generally involves installing the proxy’s certificate on your device and adjusting your proxy’s settings.
If you can afford to do so, acquire another mobile device, or use one of your old devices for testing. Mobile testing is dangerous: you might accidentally damage your device, and many of the techniques mentioned in this chapter will void the device’s warranty. You can also use a mobile emulator (a program that simulates a mobile device) for testing.
First, you’ll need to configure Burp’s proxy to accept connections from your mobile device, because by default, Burp’s proxy accepts connections only from the machine Burp is running on. Navigate to Burp’s Proxy ▶ Options tab. In the Proxy Listeners section, click Add. In the pop-up window (Figure 23-1), enter a port number that is not currently in use and select All interfaces as the Bind to address option. Click OK.
Your proxy should now accept connections from any device connected to the same Wi-Fi network. As such, I do not recommend doing this on a public Wi-Fi network.
Next, you’ll configure your Android device to work with the proxy. These steps will vary slightly based on the system you’re using, but the process should be some version of choosing Settings ▶ Network ▶ Wi-Fi, selecting (usually by tapping and holding) the Wi-Fi network you’re currently connected to, and selecting Modify Network. You should then be able to select a proxy hostname and port. Here, you should enter your computer’s IP address and the port number you selected earlier. If you’re using a Linux computer, you can find your computer’s IP address by running this command:
hostname -i
If you are using a Mac, you can find your IP with this command:
ipconfig getifaddr en0
Your Burp proxy should now be ready to start intercepting traffic from your mobile device. The process of setting up a mobile emulator to work with your proxy is similar to this process, except that some emulators require that you add proxy details from the emulator settings menu instead of the network settings on the emulated device itself.
If you want to intercept and decode HTTPS traffic from your mobile device as well, you’ll need to install Burp’s certificate on your device. You can do this by visiting http://burp/cert in the browser on your computer that uses Burp as a proxy. Save the downloaded certificate, email it to yourself, and download it to your mobile device. Next, install the certificate on your device. This process will also depend on the specifics of the system running on your device, but it should be something like choosing Settings ▶ Security ▶ Install Certificates from Storage. Click the certificate you just downloaded and select VPN and apps for the Certificate use option. You’ll now be able to audit HTTPS traffic with Burp.
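The three steps above (a Burp listener bound to all interfaces, the device's proxy pointed at your computer's LAN address, and Burp's CA installed on the device) collected into a small POSIX shell helper. This is an added example, not code from the book or from Burp: it assumes adb and openssl are installed, uses port 8082 as a placeholder, and only prints the adb commands rather than running them so you can review them first. It also handles one edge case the `hostname -i` command can hit: on Debian-based systems that command may answer 127.0.1.1, an address the phone can never reach, so the helper filters loopback addresses out of `hostname -I` instead.

```shell
#!/bin/sh
# Added example (not from the book): choose the address the device should
# proxy to, sanity-check the listener port, and print the adb commands that
# point an Android device or emulator at Burp. adb, openssl and port 8082
# are assumptions.

# Return the first non-loopback IPv4 address from the arguments.
# `hostname -i` can answer 127.0.1.1 on Debian-based systems (it resolves the
# hostname via /etc/hosts), so feed this the output of `hostname -I` instead.
pick_lan_ip() {
    for addr in "$@"; do
        case "$addr" in
            127.*|*:*) continue ;;              # skip loopback and IPv6
            *) printf '%s\n' "$addr"; return 0 ;;
        esac
    done
    return 1
}

# A listener port must be numeric and in the unprivileged range.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# adb command that sets Android's device-wide HTTP proxy (the global
# http_proxy setting); equivalent to editing the Wi-Fi network's proxy
# fields by hand as described in the text.
adb_proxy_cmd() {
    printf 'adb shell settings put global http_proxy %s:%s\n' "$1" "$2"
}

# Counterpart that clears the proxy when testing is done; a stale proxy
# setting sends every HTTP request to a listener that is no longer there.
adb_proxy_clear_cmd() {
    printf 'adb shell settings put global http_proxy :0\n'
}

# Convert Burp's DER CA (saved from http://burp/cert, here assumed to be
# cacert.der) to PEM and push it to the device for installation through
# Settings. Caveat: apps targeting Android 7 or later do not trust
# user-installed CAs unless their network security config opts in, so some
# apps will still fail the TLS handshake with only the user store set up.
adb_push_ca_cmds() {
    printf 'openssl x509 -inform DER -in %s -out burp-ca.pem\n' "$1"
    printf 'adb push burp-ca.pem /sdcard/Download/burp-ca.pem\n'
}

# Only run the interactive part when invoked as: sh proxy-setup.sh run [PORT]
if [ "${1:-}" = "run" ]; then
    port="${2:-8082}"
    valid_port "$port" || { echo "bad port: $port" >&2; exit 1; }
    # shellcheck disable=SC2046  # word splitting of the address list is intended
    ip=$(pick_lan_ip $(hostname -I 2>/dev/null || hostname -i)) \
        || { echo "no LAN IPv4 address found" >&2; exit 1; }
    echo "# bind Burp's listener to all interfaces on port $port, then run:"
    adb_proxy_cmd "$ip" "$port"
    adb_push_ca_cmds cacert.der
    echo "# when finished testing:"
    adb_proxy_clear_cmd
fi
```

The global http_proxy setting applies to the whole device, which is convenient for an emulator or a dedicated test phone; clearing it afterwards matters because the device keeps routing traffic to your computer after Burp is closed.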