Installing Burp's Root CA in Windows Certificate Store.Using Burp's Certificate Export Functionality.Scroll and look for your Burp Suite CA (you can select the entry to view further details):Įnsure that you configure your emulator to use Burp Suite in the emulator properties:įinally navigate to a site over HTTPS and ensure that you do not receive any certificate errors:Ī final reminder, ensure that you take a Snapshot of your AVD instance! And please make sure that you only use this for legitimate purposes. Go to settings and select Security & location:ĭ. In your emulator you can validate if the CA is not installed as part of the system CAs:Ī. For some reason I've always had this fail on the first time but succeeded on the second time: Where is the has which from the certificate which you created in the previous section. adb push ~/ca/.0 /system/etc/security/cacerts/.0 If you get permission error, you will need to start the emulator with the writable flag (the emulator binary is in the directory ~/Android/Sdk/emulator): Mount the emulator file system in read/write mode so you can upload the Burp Suite CA certificate: On MacOS this is usuall ~/Library/Android/sdk/platform-tools On Linux this is usually ~/Android/Sdk/platform-toolsī. Locate the directory where your Android SDK platform-tools is saved to on your file system:Ī. The next step is to import the CA into the AVD. Where is the value of the hash output from the first command. Openssl x509 -in burpCA.pem -subject_hash_old -noout Openssl x509 -in burpCA.pem -fingerprint -sha1 -noout > įinally change the file to the subject DN hash: Write the SHA-1 fingerprint to the AVD certificate: Openssl x509 -in burpCA.pem -text -noout > Write the text format of the certificate to the AVD certificate: The next step is to prepare the CA certificate to be in a format which will work on the Android Virtual Device (AVD). Click on the Next button and ensure that the certificate and key were imported successfully: Select the burpCA.p12 file and enter in your passphrase:į. Select the Certificate and private key in PKCS#12 format option from the Import section:ĭ. Click on the Import / export CA certificate buttonĬ. Openssl pkcs12 -export -inkey burpCA.key -in burpCA.pem -out burpCA.p12ī. Convert the certificate into PKCS12 format:.Openssl req -x509 -new -nodes -key burpCA.key -sha512 -days 365 -out burpCA.pem So the very first step is to create your own CA which you will configure Burp Suite to use. ![]() This results in the above error when your certificate is valid for more than 2 years. It turns out that when Burp Suite generates a site certificate, it uses the expiration dates of its intercepting CA as the expiration dates of the generated certificate. So after doing all of this, I tried it out and low and behold I got an error: I decided to do the latter since it would allow me to use to the same AVD instance for multiple apps, and test them as they would be released (closer to the real thing). Inject the PortSwigger CA into the system trust store.Modify the application configuration to allow it to also trust the PortSwigger CA which I install on the device (which ends up in the user trust store on the device).You can actually confirm this by creating a AVD instance which runs on Android versions prior to 7.0. This means that apps running on Android versions 7.0 and above, the developer needs to explicitly configure the app to also use the CA's in the user trust store on the device. The important part of the documentation was this bit: By default, secure connections (using protocols like TLS and HTTPS) from all apps trust the pre-installed system CAs, and apps targeting Android 6.0 (API level 23) and lower also trust the user-added CA store by default. So I was stumped, until I reviewed the offical Android developer documentation on the matter. Upon decompiling the app I couldn't see any evidence of this. OK, so I thought that the app might have been doing some form of certificate pinning. Off I went, only to be met with the app not communicating. Usually I would simply fire up my trusty Burp Suite, configure my phone to point to it, install the Burp Suite (PortSwigger CA) CA certificate and then away I would go. ![]() ![]() It has been some time since I last pen tested an Android mobile app.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |