The goal of this post is to learn how to configure our environment to intercept the network traffic generated by an Android device so that we can analyze and modify it. To do this, we need an HTTP proxy server that acts as an intermediary between the smartphone and the web server. In our case, we will use one of the best-known tools in the pentesting industry: Burp Suite.

Burp Suite and Certificates on Android

I don’t think it needs an introduction, but just in case: Burp Suite is a tool used for security testing of web applications. It sits between a browser (or application) and a web server and intercepts the HTTP requests exchanged between them, so that you can analyze, modify, forward or drop them, among many other options.

There are two versions of this software: Burp Suite Community Edition (free) and Burp Suite Professional (paid). Although the paid version is much better and more complete than the free one, the free version is perfectly workable in any scenario. However, it runs slower and we won’t be able to use the many extensions available to the paid version. You can download them through the following links:

If you have used this software before, you will know that it is necessary to install Burp’s CA certificate as trusted so that the browser does not raise errors when working over HTTPS. Well, to intercept the traffic from our Android device, we will also have to install that certificate (as expected).

Every Android device has two credential stores (Trusted credentials): System and User. These two panels list the CA certificates that the phone trusts. To reach them, on the device we go to:

  • Settings → Passwords and security → Encryption and credentials → Trusted credentials

Trusted credentials configuration on Android

If a user installs a certificate, it is stored in the User credentials section. Previously, a person would import the certificate generated by Burp Suite, install it on their Android device and could already intercept traffic without any problem. However, starting with Android 7 (Nougat), the way Android trusts certificates changed: apps only trust the certificates installed in the System store (unless the app is explicitly configured to also trust user certificates). That is why we are going to see how to install the certificate generated by our proxy server in the right place so that it is actually used.

Installing the Certificate on the System

To begin, we need an Android device (in this post, an emulator created with Android Studio) up and running, together with Burp Suite. If you don’t know what I’m referring to, you can review my previous article:

Once we have the device started, the next step will be, within the proxy server, to access the tabs:

  • Proxy → Proxy Settings → Import/Export CA Certificate → Certificate in DER format

Export certificate in Burp Suite

We will save this certificate under the name cacert.der in the platform-tools folder (for convenience, so that everything is in the same folder). The certificates in the device’s system store are named following the subject_hash_old.0 convention (the OpenSSL old-style subject hash followed by .0), so we will have to convert and rename it using OpenSSL, which you can find at the following link:

OpenSSL is a toolkit of cryptographic functions and algorithms used to build cryptographic systems and work with digital certificates. Once it is installed, the steps to follow are:

  1. Convert the certificate from DER to PEM format.
openssl x509 -inform DER -in cacert.der -out cacert.pem
  2. Obtain the subject_hash_old value of the converted certificate (the hash is printed on the first line of the output, before the PEM body).
openssl x509 -inform PEM -subject_hash_old -in cacert.pem
  3. Rename the certificate following the subject_hash_old.0 convention mentioned above, replacing <hash> with the value obtained in the previous step.
move cacert.pem <hash>.0

In my case, the process looks like this:

Certificate conversion with OpenSSL

Obtaining the certificate hash
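To see where that file name comes from, here is an added example (not code from the original post or from OpenSSL) that reproduces what openssl x509 -subject_hash_old prints: the first four bytes of the MD5 digest of the DER-encoded subject Name, read little-endian, as eight hex digits. It uses only the standard library; the DER walker is a minimal one that knows just enough ASN.1 to reach the subject field, and the certificate it is run on is a constructed, unsigned skeleton with a made-up subject, not a real Burp certificate.

```python
import hashlib

def _read_tlv(data, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_der(cert_der):
    """DER bytes (tag, length and value) of the subject Name of an X.509 cert."""
    _, pos, _ = _read_tlv(cert_der, 0)    # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, pos)  # TBSCertificate SEQUENCE
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                       # explicit [0] version (v2/v3) present
        pos = end
    for _ in range(4):                    # skip serialNumber, signature, issuer, validity
        _, _, pos = _read_tlv(cert_der, pos)
    _, _, end = _read_tlv(cert_der, pos)  # subject TLV
    return cert_der[pos:end]

def subject_hash_old(cert_der):
    """What `openssl x509 -subject_hash_old` prints: first 4 bytes of
    MD5(DER subject) read little-endian, as 8 lowercase hex digits."""
    digest = hashlib.md5(subject_der(cert_der)).digest()
    return f"{int.from_bytes(digest[:4], 'little'):08x}"

def cacerts_filename(cert_der):
    """File name the Android system store expects: <subject_hash_old>.0."""
    return subject_hash_old(cert_der) + ".0"

def _tlv(tag, value):
    """Short-form DER TLV encoder, enough for the constructed sample below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed sample subject: CN=Example Proxy CA (OID 2.5.4.3, PrintableString).
SAMPLE_SUBJECT = _tlv(0x30, _tlv(0x31, _tlv(0x30,
    _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, b"Example Proxy CA"))))

def build_sample_cert(with_version=True):
    """Constructed, unsigned certificate skeleton (not a real certificate):
    real issuer/subject Names, dummy empty SEQUENCEs for the other fields."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b""
    tbs = (version + _tlv(0x02, b"\x01") + _tlv(0x30, b"") + SAMPLE_SUBJECT
           + _tlv(0x30, b"") + SAMPLE_SUBJECT)  # serial, sigAlg, issuer, validity, subject
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```

Feeding the bytes of a real cacert.der to cacerts_filename() gives the same <hash>.0 name that the OpenSSL step above produces, which is a quick way to check the rename before pushing the file to the device.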

Well, after these operations we have completed half the work: the certificate is now in the format and under the name the device expects. The next thing we will do is work with the adb tool, following this procedure:

  1. Start adb and make sure we are operating as root.
adb.exe
adb root
  2. Remount the /system partition as writable, since by default it is mounted read-only. This step is very important.
adb remount

At the end of this article I explain alternatives to this command, in case you have any errors.

  3. Copy the certificate to our Android device and open a shell on it.
adb push <cert>.0 /sdcard/
adb shell
  4. Set the permissions of the certificate (readable by everyone, writable only by the owner).
chmod 644 /sdcard/<cert>.0
  5. Move it to the folder that holds the certificates trusted by the system.
mv /sdcard/<cert>.0 /system/etc/security/cacerts/

It would look something like this:

adb commands to install the certificate

If we now open the Trusted credentials section in the device settings, we can see that the PortSwigger certificate has been added to the System store:

PortSwigger certificate in system credentials

Done! Let’s finish the process 🙂.

Configuring the Android Proxy - Burp Suite

To finish the process, in the same Burp Suite tab where we exported the certificate, we will edit the listener we are going to use and bind it to the main local IP address, in my case the IP of the WiFi adapter, which is the one the proxy will listen on:

Configuring the listener in Burp Suite

Selecting the WiFi adapter IP address

Now we will do the same on the Android device: select the WiFi network and configure a manual proxy pointing at that IP address and port, as shown in the following images:

WiFi network configuration on Android

Manual proxy configuration on Android

HTTP proxy parameters on Android

Once we have completed this configuration, it is now possible to intercept traffic from our phone through Burp Suite:

HTTP traffic interception in Burp Suite

HTTPS traffic intercepted correctly

Possible Errors When Configuring Android Partitions in Write Mode

I decided to write this section to try to spare you the desperation and frustration that I experienced while learning Android auditing (which of course continues), with the countless errors I ran into when trying to set the /system partition to write mode.

In addition to the adb remount command mentioned above, another equally well-known alternative is to remount the partition explicitly; the first command sets it to read-write and the second returns it to read-only:

adb shell mount -o rw,remount /system
adb shell mount -o ro,remount /system

However, on some occasions, depending on the Android version or the emulated device, I encountered a series of errors that prevented me from performing this step. Some of the errors I encountered are the following:

  • ‘/dev/block/pci/pci0000:00/0000:00:03.0/by-name/system’ is read-only

  • mount: ‘/system’ not in /proc/mounts

  • ‘/dev/root’ is read-only

  • /system/bin/sh: avbctl: not found

  • remount of the / superblock failed: Permission denied

  • mount: ‘/dev/block/pci/pci0000:00/0000:00:03.0/by-name/system’->‘/system’: Device or resource busy

  • mount: Device or resource busy

These errors were obtained using different commands, both from the Windows command prompt (cmd) and from the Android shell itself (most of them in the latter).

After various tests on different devices and Android versions, I found a solution that, to date, has worked for me every time. It consists of launching the Android emulator from cmd with an option that makes the partitions writable from the start, so there is no need to remount anything once the emulator is running. The process is as follows:

  1. Go to the emulator folder inside the Android SDK, where the Android Studio emulators are managed (the path will differ on your PC).
cd C:\Tools\Android_SDK\emulator
  2. List the created AVDs to know which one to run.
emulator -list-avds
  3. Run the chosen emulator with the -writable-system flag, replacing <avd_name> with one of the names listed in the previous step.
emulator -avd <avd_name> -writable-system

The result would be as shown below:

Running the emulator with writable-system

Once the emulator has started this way, all the steps above to copy the certificate into the system certificate folder can be carried out without errors.

I hope this helps you and you have no problems!
