
Configuring Burp Suite with Android Nougat

This last weekend I started testing a new Android app for fun, and ran into some trouble getting Burp Suite working properly. I burned a whole afternoon troubleshooting the issue, and decided to write up what I found out and two different ways I got it working.

Background

I’ve done quite a bit of Android testing in the past and my setup usually involves a Genymotion VM or my old rooted Nexus Tablet. I run Burp Suite locally, install the User Cert as outlined in Portswigger’s documentation, configure a WiFi proxy and I’m off to the races.

This particular app I wanted to test, however, required a minimum API level 24 (Android 7.0 – “Nougat”) and suddenly it wasn’t working. I followed the steps I always do but saw nothing but “connection reset” errors in Burp.

After a few frustrating hours of troubleshooting, I finally figured out the issue lay with the latest versions of Android (API >= 24). Before I go any further, all the information I needed was found in these great write-ups:

Starting with Nougat, Android changed the default behavior of trusting user-installed certificates. It’s no longer possible to just install the Burp CA from the sdcard to start intercepting app traffic. Unless otherwise specified, apps will now only trust system-level CAs. The failure happens “invisibly” and is responsible for all the alerts I saw in Burp Suite.

There are two ways to bypass this, and I’ll walk through them both.

  • Install the Burp CA as a system-level CA on the device. My recommendation for the easiest solution, but does require a rooted device. Also added benefit of not having to set a lockscreen PIN :)
  • Modify the manifest and repackage the app. Slightly more work, but doesn’t require root privileges.

Note: I did all this with Burp Suite Pro on my Windows 10 machine and am using an Android 7.1 (API25) Genymotion VM, but the steps should be applicable to any setup.

Install Burp CA as a system-level trusted CA

Since the “traditional” way of installing a user certificate doesn’t work anymore in Nougat and above, for me the easiest solution is to install the Burp CA to the system trusted certificates. You can see all the system CAs that are bundled with an Android device by going to Settings -> Security -> Trusted Credentials and viewing system CAs. You’ll see CAs similar to those you’d see in a browser bundle.

Trusted CAs for Android are stored in a special format in /system/etc/security/cacerts. If we have root privileges, it’s possible to write to this location and drop in the Burp CA (after some modification).

Export and convert the Burp CA
The first step is to get the Burp CA in the right format. Using Burp Suite, export the CA Certificate in DER format. I saved it as cacert.der

Android wants the certificate to be in PEM format, and to have the filename equal to the subject_hash_old value appended with .0.

Note: if you are using OpenSSL <1.0, it’s actually just the subject_hash, not the “old” one

Use openssl to convert DER to PEM, then output the subject_hash_old and rename the file:

openssl x509 -inform DER -in cacert.der -out cacert.pem  
openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1  
mv cacert.pem <hash>.0  
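
How the <hash>.0 name is derived, as an added example (not code from the original post): subject_hash_old is the first four bytes of the MD5 digest of the certificate's DER-encoded subject name, read as a little-endian integer. The function names and the sample certificate skeleton below are constructed for illustration.

```python
import base64, hashlib, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(tag, body):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(size)]) + size) + body

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_name_der(cert):
    """Return the DER-encoded subject Name of a PEM or DER certificate."""
    m = PEM_RE.search(cert)
    der = base64.b64decode(m.group(1)) if m else cert
    _, pos, _ = read_tlv(der, 0)      # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)    # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                   # explicit [0] version, absent in v1 certs
        pos = end
    for _ in range(4):                # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("subject Name SEQUENCE not found")
    return der[pos:end]

def android_cacert_name(cert, index=0):
    """Name of the file expected in /system/etc/security/cacerts for this cert."""
    md5 = hashlib.md5(subject_name_der(cert)).digest()
    # subject_hash_old: first four MD5 bytes read as a little-endian integer
    return "%08x.%d" % (int.from_bytes(md5[:4], "little"), index)

def name(cn):  # DER Name holding a single commonName (OID 2.5.4.3) attribute
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))

# Constructed sample: unsigned certificate skeleton with made-up values, not a real CA.
ISSUER, SUBJECT = name(b"Constructed Issuer"), name(b"Constructed Test CA")
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
          + ISSUER + tlv(0x30, b"") + SUBJECT)
SAMPLE_DER = tlv(0x30, TBS + tlv(0x30, b"") + tlv(0x03, bytes(65)))
print(android_cacert_name(SAMPLE_DER))  # file name for the constructed sample
```

For a real exported cacert.der, the value returned by android_cacert_name(open("cacert.der", "rb").read()) should match the first line printed by the openssl -subject_hash_old command above, with .0 appended.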

For example, with my certificate:

 

Copy the certificate to the device
We can use adb to copy the certificate over, but since it has to be copied to the /system filesystem, we have to remount it as writable. As root, this is easy with adb remount.

adb root  
adb remount  
adb push <cert>.0 /sdcard/  

Then just drop into a shell (adb shell), move the file to /system/etc/security/cacerts and chmod it to 644:

mv /sdcard/<cert>.0 /system/etc/security/cacerts/  
chmod 644 /system/etc/security/cacerts/<cert>.0  

Lastly, we have to fully reboot the device with either adb reboot or a power cycle.

 

After the device reboots, browsing to Settings -> Security -> Trusted Credentials should show the new “Portswigger CA” as a system trusted CA.

 

Now it’s possible to set up the proxy and start intercepting any and all app traffic with Burp :)

There is also the method of modifying the APK package; I only reposted the part I tested myself. Original article: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/

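  • Copyright notice: this article is published under the Creative Commons Attribution-ShareAlike 3.0 China Mainland license; please comply with this license when reposting.
  • Article link: https://secsb.com/bug/android/967.html (when reposting, please credit the source and include the article link)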

Author: mr.tcsy

Last updated: 18-01-30

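11 comments

  1. emmmmm….. I'm done for, I really don't want to work, I guess I've turned into a useless fairy

    #Floor 1 from the bottom
    1. mr.tcsy [Newbie blogger]

      @小毒物, me too, I have no motivation at work....

      1. @mr.tcsy Hahahaha. It's probably because I'm going home soon. My heart flew back to my hometown long ago

    2. mr.tcsy [Newbie blogger]

      @小毒物 Miss, from now on you can enter your email address when you leave a comment! Other people can't see it, and you'll also get an email notification when you receive a reply! There are also private comments (only as long as the browser cache is not cleared)

      1. @mr.tcsy Ahhhh? Where do I enter the email address? Is it here where I write the comment? For example, the email address I've entered now is nicaiya@qq.com???

        1. mr.tcsy [Newbie blogger]

          @小毒物 Yes, yes. Switch to another browser and see whether this comment of yours is no longer visible.

          1. @mr.tcsy Hahahaha, it shows this comment as a private comment….. so does that mean we can whisper to each other now

  2. Can't understand it, next.

    #Floor 2 from the bottom
    1. mr.tcsy [Newbie blogger]

      @c0smxsec Big shot, don't be so modest

  3. What the heck, why is it all in English? Is this the configuration method for capturing phone traffic with Burp?

    #Floor 3 from the bottom
    1. mr.tcsy [Newbie blogger]

      @小毒物 There's a translation by someone else on freebuf ==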