Load System CA Certificate in Android Emulator
Introduction
To capture traffic (with e.g. Burp) from certain Android apps you need to load a System CA Certificate, as those apps do not support a User CA Certificate. This blog post is mainly for my own notes on how to install a System CA Certificate on an Android Emulator running a non-Google Play Android image version. You might find it useful as well.
Configure Burp
Start up Burp and check the Proxy settings. Add a new listener so Burp listens on 0.0.0.0 port 8000.
Download the Burp CA certificate from localhost:8000; this downloads cacert.der, which we will load into the Android System CA Store.
Install Android Emulator
Install Android Studio, which includes the Android Emulator, so you can spin up virtual Android Phones.
Install Android SDK
Install the Android SDK Platform Tools, which contain adb, which we will use to connect to the virtual phone.
Create a new Android virtual device
Follow these instructions to install a new virtual Android Phone. Choose a hardware profile that does not have support for “Play Store”.
Start emulator
Find out where the emulator is installed and start the virtual phone. On a Mac it’s in ~/Library/Android/sdk/emulator/emulator.
$ ~/Library/Android/sdk/emulator/emulator -list-avds
$ ~/Library/Android/sdk/emulator/emulator -avd [virtual_machine_name] -writable-system
Enable developer mode
There are different ways to enable developer mode on the phone.
From the emulator menu in Android Studio:
- Go to Settings -> About emulated device
- Click Build number 7 times (or till it says that you’re a developer now).
- Go back and go to System -> Advanced -> Developer options
Using adb, in either of two ways:
$ adb shell settings put global development_settings_enabled 1
$ adb shell input keyevent 82
Load CA certificate
$ hashed_name=`openssl x509 -inform DER -subject_hash_old -in cacert.der | head -1` && cp cacert.der $hashed_name.0
$ adb root
$ adb shell avbctl disable-verification
$ adb reboot
$ adb root
$ adb remount
$ adb reboot
$ adb root
$ adb remount
$ adb push $hashed_name.0 /system/etc/security/cacerts
$ adb shell chmod 664 /system/etc/security/cacerts/$hashed_name.0
$ adb reboot
In your virtual Android phone go to Settings → Security → Advanced → Encryption & credentials → Trusted credentials and check that the certificate is there (Burp CA name will be Portswigger).
Configure phone to use proxy
- On your Android device, go to the network and internet settings.
- Open the network details for the Wi-Fi network that you want to use for testing.
- Enter edit mode.
- In the advanced settings, choose the option to configure a proxy manually.
- Set the Proxy hostname to the IP address of the machine you’re using to run your proxy.
- Set the Proxy port to the port you assigned to the new proxy listener you configured in your proxy. For more information, see Configure a dedicated proxy listener in your proxy.
- Save your changes and then connect to the Wi-Fi network. Your device’s web traffic is now proxied through your Proxy.
In some cases my Android emulated device did not respect the proxy settings and I used the app Drony to configure and force the proxy settings.
Verify traffic in proxy
Verify in your proxy that you can see the intercepted traffic. You should see plenty of default traffic from the virtual phone once you have configured the system proxies.
Install the app
Make sure you can install downloaded APKs. Depending on the Android version you need to enable this in:
Settings > Apps > Special app access > Install unknown apps
Settings > Apps & notifications > Advanced > Special app access > Install unknown apps
Settings > Apps and notifications
Settings > Security
You can install the app you want by downloading the APK online and importing it into the emulator. Only download APKs from trusted sources!
Upload the APK to your emulated phone through the Android Studio Device Explorer or through adb push [app-name.apk] /sdcard/Download/. Navigate on the phone to the Downloads folder with the File Explorer and install the app.