Install Burp Certificate
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
First of all you need to download the Der certificate from Burp. You can do this in Proxy --> Options --> Import / Export CA certificate
Export the certificate in Der format and lets transform it to a form that Android is going to be able to understand. Note that in order to configure the burp certificate on the Android machine in AVD you need to run this machine with the -writable-system option.
For example you can run it like:
Then, to configure burps certificate do:
Once the machine finish rebooting the burp certificate will be in use by it!
If you rooted your device with Magisc (maybe an emulator), and you can't follow the previous steps to install the Burp cert because the filesystem is read-only and you cannot remount it writable, there is another way.
Explained in this video you need to:
Install a CA certificate: Just drag&drop the DER Burp certificate changing the extension to .crt in the mobile so it's stored in the Downloads folder and go to Install a certificate -> CA certificate
Check that the certificate was correctly stored going to Trusted credentials -> USER
Make it System trusted: Download the Magisc module MagiskTrustUserCerts (a .zip file), drag&drop it in the phone, go to the Magics app in the phone to the Modules section, click on Install from storage, select the .zip module and once installed reboot the phone:
After rebooting, go to Trusted credentials -> SYSTEM and check the Postswigger cert is there
In the latest Android 14 release, a significant shift has been observed in the handling of system-trusted Certificate Authority (CA) certificates. Previously, these certificates were housed in /system/etc/security/cacerts/, accessible and modifiable by users with root privileges, which allowed immediate application across the system. However, with Android 14, the storage location has been moved to /apex/com.android.conscrypt/cacerts, a directory within the /apex path, which is immutable by nature.
Attempts to remount the APEX cacerts path as writable are met with failure, as the system does not allow such operations. Even attempts to unmount or overlay the directory with a temporary file system (tmpfs) do not circumvent the immutability; applications continue to access the original certificate data regardless of changes at the file system level. This resilience is due to the /apex mount being configured with PRIVATE propagation, ensuring that any modifications within the /apex directory do not affect other processes.
The initialization of Android involves the init process, which, upon starting the operating system, also initiates the Zygote process. This process is responsible for launching application processes with a new mount namespace that includes a private /apex mount, thus isolating changes to this directory from other processes.
Nevertheless, a workaround exists for those needing to modify the system-trusted CA certificates within the /apex directory. This involves manually remounting /apex to remove the PRIVATE propagation, thereby making it writable. The process includes copying the contents of /apex/com.android.conscrypt to another location, unmounting the /apex/com.android.conscrypt directory to eliminate the read-only constraint, and then restoring the contents to their original location within /apex. This approach requires swift action to avoid system crashes. To ensure system-wide application of these changes, it is recommended to restart the system_server, which effectively restarts all applications and brings the system to a consistent state.
Setting Up a Writable Directory: Initially, a writable directory is established by mounting a tmpfs over the existing non-APEX system certificate directory. This is achieved with the following command:
Preparing CA Certificates: Following the setup of the writable directory, the CA certificates that one intends to use should be copied into this directory. This might involve copying the default certificates from /apex/com.android.conscrypt/cacerts/. It's essential to adjust the permissions and SELinux labels of these certificates accordingly.
Bind Mounting for Zygote: Utilizing nsenter, one enters the Zygote's mount namespace. Zygote, being the process responsible for launching Android applications, requires this step to ensure that all applications initiated henceforth utilize the newly configured CA certificates. The command used is:
This ensures that every new app started will adhere to the updated CA certificates setup.
Applying Changes to Running Apps: To apply the changes to already running applications, nsenter is again used to enter each app's namespace individually and perform a similar bind mount. The necessary command is:
Alternative Approach - Soft Reboot: An alternative method involves performing the bind mount on the init process (PID 1) followed by a soft reboot of the operating system with stop && start commands. This approach would propagate the changes across all namespaces, avoiding the need to individually address each running app. However, this method is generally less preferred due to the inconvenience of rebooting.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
