Introduction
Android maintains a list of trusted certificates any deviance in the certificate would result in a error in connection. Below screenshot shows how the browser gives a popup when we set the Android device to forward the traffic to Burp Proxy instead of the actual server.
Once,
the user clicks on “Continue”, the user can continue to use the
application as per his requirement. However, in case of native
applications there is no “popup” and the connection is directly
rejected.
References:
Android maintains a list of trusted certificates any deviance in the certificate would result in a error in connection. Below screenshot shows how the browser gives a popup when we set the Android device to forward the traffic to Burp Proxy instead of the actual server.
Solution:
Add the proxy certificate to android trusted store.
How:
Step 1:
Download the latest copy of bouncycastle lib from
http://www.bouncycastle.org/latest_releases.html
into a folder called “lib”. During the making of this document,
the latest version of the lib was v1.47.
Step 2:
Extract a copy of the current certificate file ie. “cacerts.bks”
from the android device using:
adb
pull /system/etc/security/cacerts.bks
Step 3:Download a copy of the Charles Proxy
certificate from the Charles website
http://charlesproxy.com/charles.crt
Step 4: Add the BouncyCastle library to your
machines existing Java. Once that is complete, use the below command
to add Charles certificate to the certificate store downloaded from
the device and sign it using the BouncyCastle library jar
sudo keytool --keystore
cacerts.bks --storetype BKS -provider
org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath
"bcprov-jdk15on-147.jar" --storepass ""
--importcert --trustcacerts --alias newalias --file charles.crt
Step 5: Now,
adb into the device and run the “mount” command to see where the
“system” directory is mounted.
In our
case, it was found to be mounted at “/dev/block/stl9”. Knowing
this, remount the system directory in read/write mode so as to push
the certificate store back on to the device. Then, run the command as
“mount -o remount,rw -t yaffs2 /dev/block/stl9 /system”
inside adb shell as root user.
Step 6: Then,
change the permissions set on the certicate store to world writeable
using “chmod 777 /system/etc/security/cacerts.bks” as root
user and the push the new cacerts.bks into the device using “adb
push cacerts.bks /system/etc/security/cacerts.bks”
Step 7: Now,
change the permissions back on the cacerts.bks file using “chmod
644 /system/etc/security/cacerts.bks” as root user.
Now,
restart the device and after that you can see that all the traffic
from the Android device can be intercepted on charles proxy without
any issue.
Similar
method can be applied to add Burp certificate on Android trusted
certificate store.
References:
Sometimes on windows in Step 4, I use the below command and it works well.
ReplyDeletekeytool --keystore cacerts.bks --storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "lib\bcprov-jdk15on-147.jar" --storepass "" --importcert --trustcacerts --alias newalias --file charles.crt
If you don't want the hassle of using keytool, alternatively you can make use of http://portecle.sourceforge.net/
ReplyDeleteSteps:
1) Get the Burp "root" certificate using the certificate export option.
2) Load the default cacerts.bks file in it portecle.
3) Choose the add trusted certificate import functionlity to inport the burp root certifcate into portecle.
4) Save the generated file as cacerts.bks and upload it to /system/etc/security/cacerts.bks
Dinesh,
ReplyDeleteI have followed your tutorial to add certificates to my HTC Nexus One phone's cacert.bks file.
But after this step, the Android default browser closes with error
E/AndroidRuntime( 1157): java.lang.NullPointerException
E/AndroidRuntime( 1157): at android.net.http.CertificateChainValidator.doHandshakeAndValidateServerCertificates(CertificateChainValidator.java:
194)
E/AndroidRuntime( 1157): at android.net.http.HttpsConnection.openConnection(HttpsConnection.java:312)
E/AndroidRuntime( 1157): at android.net.http.Connection.openHttpConnection(Connection.java:407)
E/AndroidRuntime( 1157): at android.net.http.Connection.processRequests(Connection.java:260)
E/AndroidRuntime( 1157): at android.net.http.ConnectionThread.run(ConnectionThread.java:134)
W/ActivityManager( 182): Force finishing activity com.android.browser/.BrowserActivity
Do you have any pointers for resolving this error?
--
Sunil
esunilkumare@gmail.com
Tired of stress after strenuous school. Be entertained by the popular online games that are hot now slither.io
ReplyDeleteThis is very useful information for me that says how seriously you need to use the data that appears in our access.
ReplyDeleteSo, I repeated all mentioned steps on my telephone and I managed to add custom certificate to Android Trusted certificate store)) Thanks, Dinesh!
ReplyDeleteGB WhatsApp is a fundamental component form of the application. There are a lot more highlights which you can benefit in GB WhatsApp Plus.
ReplyDeletehttps://gbwhatsappplus.com/
https://gbwhatsappplus.com/gb-whatsapp-plus-apk-download/
Gbwhatsappplus
Thanks for sharing great information with us.Checkout reloadable debit card
ReplyDeleteThis is a blog you can get useful information on office renovation
ReplyDeletemake sure you can check it out and keep on visiting our blog.
Good web site you have here.. It’s difficult to find excellent writing like yours these days. I honestly appreciate people like you! Take care!!
ReplyDeleteNet Worth Culture
Joe Rogan Net Worth
Mark Zuckerberg Net Worth
Tom Cruise Net Worth
I appreciate several from the Information which has been composed, and especially the remarks posted I will visit once more. Find out today's Celebrity birthdays and discover who shares your birthday. We make it simple and entertaining to learn about celebrities.
ReplyDeleteNox app
ReplyDeleteOpen DLL files
ReplyDeleteNice post. Also, check this call of duty apk data
ReplyDelete