Android : add cert to system store
https://code.google.com/p/android/issues/detail?id=32696#c5
If you have a certificate that is not trusted by Android, when you add it, it goes in the personal cert store. When you add a cert in this personal cert store, the system requires a higher security level to unlock the device. But if you manage to add your cert to the system store then you don't have this requirement. Obviously, root is required to add a certificate to the system store, but it is quite easy.

Here is how to do it:

1 - Add your cert normally; it will be stored in your personal store and Android will ask you for a PIN/password... Proceed.
2 - With a file manager with root capabilities, browse the files in /data/misc/keychain/cacerts-added. You should see a file here; it's the certificate you added at step 1.
3 - Move this file to /system/etc/security/cacerts (you will need to mount the system partition r/w).
4 - Reboot the phone.
5 - You are now able to clear the PIN/password you set to unlock the device.

I think that this will only work for a Root or Intermediate CA.

I got the idea by reading this:
http://nelenkov.blogspot.fr/2011/12/ics-trust-store-implementation.html
@sengkyaut (Author) commented:

So I recently needed to do this on an emulated android device to sniff traffic with mitmproxy. For anyone who stumbles on this in the future, it worked with a few modifications!

1 - When you create the AVD you'll have a choice between "(Google Play)" and "(Google APIs)" in the Target (android version). You must choose "(Android APIs)" or you will not be able to get adb root access.

2 - Do not launch the emulator from Android Studio, instead you'll want to launch it from the command line so you can pass the -writable-system flag to it.

Go to your AndroidStudio/Sdk/emulator folder and run: emulator.exe -list-avds and note the one you created in Step 1. For example, mine was Pixel_2_API_28.

Launch it with emulator.exe -avd Pixel_2_API_28 -writable-system

3 - Remount the system partition as writable

adb root
adb remount
4 - Install the cert as normal

5 - Move the cert. Replace "cert.0" with whatever the filename is, e.g. c7451f0d.0

adb shell ls /data/misc/user/0/cacerts-added
adb pull /data/misc/user/0/cacerts-added/cert.0
adb push cert.0 /system/etc/security/cacerts/
6 - Now go remove the user cert you installed in Step 4.

@sengkyaut (Author) commented:

# on the host: make /system writable (needs adb root first)
adb remount
# in an adb shell on the device: find the user-installed cert, then move it
# into the system store with the ownership and mode of the stock CA files
ls -la /data/misc/user/0/cacerts-added/
mycert=9a5ba575.0   # replace with the filename shown by ls above
mv /data/misc/user/0/cacerts-added/$mycert /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/$mycert
chown root:root /system/etc/security/cacerts/$mycert

@sengkyaut (Author) commented Sep 4, 2022:

Check android cpu via adb

adb shell getprop ro.product.cpu.abi
adb shell getprop ro.product.cpu.abilist

adb shell '/data/local/tmp/frida-server-15.2.2-android-x86 &'

@sengkyaut (Author) commented Sep 4, 2022:

To do so:

  1. Export your Burp Certificate
    Proxy > Options > CA Certificate > Export in DER format

  2. Convert it to PEM
    openssl x509 -inform der -in cacert.der -out burp.pem

  3. Download it on the device

  4. Use Certificate Installer to install the certificate
    The Android app can be found here

  5. You can navigate the browser and search for http://burp/, here you're able to download the certificate, then rename it to .crt & install it

  6. Additionally, for Android 7.0 (Nougat) and above (requires root access):
    rename the certificate:
    mv burp.pem $(openssl x509 -inform PEM -subject_hash_old -in burp.pem | head -1)".0"
    and move the resulting file to /system/etc/security/cacerts/ (for example, using Total Commander).
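As an added example (not part of the gist or any of its comments), here is a POSIX shell script that does the host-side work behind step 6 above and the mv/chmod sequence in the earlier comment: it computes the subject_hash_old filename Android expects for a PEM CA certificate, stages the file with the 0644 mode used on the device, and audits a cacerts-style directory for files whose name does not match the certificate inside them (a quick way to spot a mis-renamed or stray CA). It generates its own throwaway test CA with openssl (a constructed input), assumes openssl is on PATH, and uses a local temporary directory as a stand-in for /system/etc/security/cacerts; the chown root:root step still has to be done on the device.

```shell
#!/bin/sh
# Added example, not the gist author's code. Assumes `openssl` is on PATH.
# All paths here are local stand-ins for the device's /system/etc/security/cacerts.
set -eu

# Print the "<subject_hash_old>.0" filename Android uses for a PEM certificate.
# Android indexes system CAs by the OpenSSL *old* (MD5-based) subject hash,
# so -subject_hash_old is required; -subject_hash would give the wrong name.
android_cert_name() {
  pem="$1"
  hash=$(openssl x509 -inform PEM -subject_hash_old -noout -in "$pem")
  printf '%s.0\n' "$hash"
}

# Copy a PEM certificate into a cacerts directory under its expected name
# with mode 0644 (ownership root:root must be set on the device itself).
# Prints the staged path.
stage_cert() {
  pem="$1"; dir="$2"
  name=$(android_cert_name "$pem")
  cp "$pem" "$dir/$name"
  chmod 644 "$dir/$name"
  printf '%s\n' "$dir/$name"
}

# Audit every *.0 file in a cacerts directory: the filename must equal the
# subject_hash_old of the certificate it contains. Prints one line per
# mismatch and returns the number of mismatches (0 = clean).
audit_cacerts() {
  dir="$1"; bad=0
  for f in "$dir"/*.0; do
    [ -e "$f" ] || continue
    expected=$(android_cert_name "$f")
    if [ "$(basename "$f")" != "$expected" ]; then
      printf 'MISNAMED: %s (expected %s)\n' "$f" "$expected"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Demo: build a constructed test CA, stage it, and audit the directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/ca.key" \
  -out "$tmp/ca.pem" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
staged=$(stage_cert "$tmp/ca.pem" "$tmp")
echo "staged as: $staged"
openssl x509 -in "$staged" -noout -subject -enddate
if audit_cacerts "$tmp"; then
  echo "audit: all filenames match their certificate subjects"
fi
```

The audit is the check a defender wants after touching the system store: a file whose name does not hash to its own subject is either a botched rename (Android will not find it by subject) or something that does not belong there. The same function can be run against a pulled copy of /system/etc/security/cacerts to compare an emulator image with stock.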
