When performing the android pentesting, the penetration tester needs to install the burp suite certificate directly as a system certificate and trust it to intercept the traffic. This can be done till Android v6 but starting with Android 7/Nougat, android changed the default behavior of trusting user installed certificates. It is no longer possible to just install the Burp CA from the sdcard to start intercepting android application traffic. Therefore, apps will now only trust system level CAs.
There are 2 ways to bypass this:
Install the Burp CA as a system-level CA on the device (require a rooted device or root privileges).
Modify the manifest and repackage the app (does not require root privileges).
Install the Burp CA as a system-level CA on the device: Since before android Nougat and above the traditional way of installing the certificate does not work anymore. Trusted CAs for android are stored in a special format in /system/etc/security/cacerts. Having root privileges, it’s possible to write to this location and drop in the Burp CA.
Using Burp Suite, export the CA Certificate in DER format and saved it as cacert.der
Android wants the certificate to be in PEM format, and to have the filename equal to the subject_hash_old value appended with .0.
Note: if you are using OpenSSL <1.0, it’s actually just the subject_hash, not the “old” one
Use openssl to convert DER to PEM, then output the subject_hash_old and rename the file.
For example:
Now, copy the certificate to the device. Use adb as a ‘root’ to copy the certificate and remount it as writable.
Use adb shell and move the file to /system/etc/security/cacerts and chmod it to 644 mentioned in the below screenshot.
Then at last full reboot the device with either adb reboot or a power cycle/button.
After the device reboots, browsing to Settings -> Security -> Trusted Credentials. It will show the new “Portswigger CA” as a system trusted CA.
Now it’s possible to set up the proxy and start intercepting any and all app traffic with Burp.
Modifying and repackaging an app: To get around this, it involves:
Disassembling the APK
Adding a new XML resource to define a network security profile
Modifying AndroidManifest.xml
Repackaging and self-signing the APK
Follow the commands in the below screenshot to modify and repackage the application to install burp certificate.
Helpful resources: