Install Burp Suite's or any other CA certificate into the system store on Android 10 and 11.

Hi readers, if you would like to understand what a CA (Certificate Authority) is and how a client and a server interact, please watch this video: https://www.youtube.com/watch?v=T4Df5_cojAs. It gives a basic idea of how HTTPS works. Otherwise, if you know basic asymmetric (also known as public-key) cryptography, you are good to go.

Each device that uses SSL/TLS has a CA certificate store containing the certificates (public keys) of all the trusted CAs (Firefox maintains its own store). There is also something known as certificate chains (the chain of trust), but that is out of scope for this topic.

In Android there are two CA certificate stores: User and System.

The User store contains certificates installed by user-installed apps (AdGuard, SSL Analyzer, etc.) or by the user themselves, for example to intercept HTTPS traffic or for MITM testing.

The System store contains the certificates of trusted CAs that come preinstalled by the device manufacturer. They are pretty much the same on all devices, because the number of trusted CAs on the internet is limited.

What is the need to install certificates in the System trust store?

While testing or performing security analysis of Android apps with a proxy tool such as Burp, ZAP or mitmproxy, you will find that apps by default do not trust the User trust store unless this is explicitly enabled in the app's network security configuration.

An example network_security_config.xml file that trusts the User trust store:

It is good to check this configuration before attempting to bypass certificate pinning; otherwise you may get frustrated or end up in a rabbit hole.
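The following Python script is an added example, not code from the original post. It parses a network_security_config.xml and reports whether base-config (or debug-overrides, when the build is debuggable) trusts the User store, and which domain-configs carry a pin-set, so the check recommended above can be done before any proxying is attempted. Both embedded configs are constructed samples; the second shows the pattern app developers are advised to ship, with User CAs honoured only in debug builds. It assumes the app targets API 24 or later, where an absent <trust-anchors> element means system CAs only.

```python
"""Audit an Android network_security_config.xml for User-store trust and pinning.

Added example (not from the original post): reads the <trust-anchors> of
base-config, debug-overrides and each domain-config so a tester can see up
front whether a proxy CA in the User store will be honoured at all.
"""
import xml.etree.ElementTree as ET

# Constructed sample 1: trusts both System and User CAs for all connections.
NSC_TRUSTS_USER = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed sample 2: release builds trust System CAs only and pin one
# domain; User CAs are honoured only when the app is built debuggable.
NSC_DEBUG_ONLY = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def _anchor_sources(section):
    """List the <certificates src=...> values under a section, or None when
    the section is absent or has no <trust-anchors> element."""
    if section is None:
        return None
    anchors = section.find("trust-anchors")
    if anchors is None:
        return None
    return [c.get("src") for c in anchors.findall("certificates")]


def summarize_nsc(xml_text):
    """Return {'base': [...], 'debug': [...], 'domains': [{...}, ...]}."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "network-security-config":
        raise ValueError("not a network-security-config document")
    summary = {
        "base": _anchor_sources(root.find("base-config")),
        "debug": _anchor_sources(root.find("debug-overrides")),
        "domains": [],
    }
    for dc in root.findall("domain-config"):
        summary["domains"].append({
            "domains": [d.text.strip() for d in dc.findall("domain")],
            "anchors": _anchor_sources(dc),          # None = inherits base-config
            "pinned": dc.find("pin-set") is not None,
        })
    return summary


def trusts_user_store(xml_text, debuggable=False):
    """True when connections governed by base-config accept User-store CAs.

    Assumption: the app targets API 24+, so a missing <trust-anchors> means
    the platform default of System CAs only. Domain-configs with their own
    anchors override this for their domains; see summarize_nsc() for those.
    """
    s = summarize_nsc(xml_text)
    base = s["base"] if s["base"] is not None else ["system"]
    if "user" in base:
        return True
    return debuggable and s["debug"] is not None and "user" in s["debug"]


if __name__ == "__main__":
    for label, doc in (("trusts-user", NSC_TRUSTS_USER), ("debug-only", NSC_DEBUG_ONLY)):
        s = summarize_nsc(doc)
        print(label, "release:", trusts_user_store(doc), "debug:", trusts_user_store(doc, True))
        for d in s["domains"]:
            print("   ", ",".join(d["domains"]), "pinned" if d["pinned"] else "not pinned")
```

Point it at an unpacked APK's res/xml/network_security_config.xml (the file name is whatever android:networkSecurityConfig in the manifest references). A pinned domain-config means a User or System CA will not help for that host regardless of the trust anchors.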

Even if an app does trust the User store in its configuration, you may still have trouble proxying all of the app's traffic. If the app uses WebViews to load HTTPS pages, those pages may fail to load, because WebViews do not trust the User store even when the app does.

Installing the proxy server's certificate in the System store solves these issues.

First we need to copy the certificate, in PEM format, to the phone's internal storage. We will be installing Burp Suite's CA. Follow these simple steps:

  1. Export the Burp CA certificate and save it as burp.der. It is DER-encoded, so we need to convert it to PEM format.
  2. Open the certificate and convert it to the base64-encoded PEM format. Save it as “burp.cer”. It should look like this.
  3. Transfer this PEM certificate to internal storage.

Let's jump to the installation procedure:

Prerequisites: Rooted Android 10/11, Magisk and TWRP.

Method 1: using Magisk (tested on Android 10):

  1. Download the Magisk module from https://github.com/NVISO-BE/MagiskTrustUserCerts/releases
  2. Transfer “AlwaysTrustUserCerts.zip” to internal storage, or download it directly on the device.
  3. Tap “Install from storage” in the Magisk app, choose the module zip, then reboot and check that the module is installed.
  4. Now make sure the certificate you want in the System store is installed in the User store. (Note: you may need to rename it from “burp.cer” to “burp.crt” to install it in the User credential store.)
  5. It should look something like the figure below.
  6. Now just reboot your phone.
  7. Check the System store again for the PortSwigger certificate and voilà! Our certificate is installed in the System store.
  8. To remove the certificate, just remove it from the User store and reboot.

Method 2: manual method using “tmpfs” (tested on both Android 10 and Android 11) (credit: Snehal Baghel)

Please note: a certificate installed by this method is not persistent, because we are not actually making any changes to the /system partition. Android 10 and above does not allow changes to it, so we cannot mount it read/write. This is the core reason we have shifted from SuperSU to Magisk: Magisk is installed in the boot partition without touching /system. Read more about this at https://www.xda-developers.com/magisk-vs-supersu/

1. First we need to rename our certificate file to “<hash>.0”. To generate the hash, run the command below; it prints only the hash (9a5ba575 for Burp's CA). Then rename the “burp.cer” file to “9a5ba575.0”.

openssl x509 -inform PEM -subject_hash_old -noout -in burp.cer
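The command above is what produces the hash. The following Python script is an added example (not from the original post) that does the same computation without the openssl binary: MD5 over the DER-encoded subject Name, the first four bytes read as a little-endian integer, printed as 8 hex digits. The certificate embedded in it is a constructed, truncated skeleton (no key, extensions or signature) that only exercises the subject extraction; run the script on a real PEM file to get the file name to use.

```python
"""Compute the OpenSSL "old" subject hash that names a CA file in Android's
system store (<hash>.0), without depending on the openssl binary.

Added example (not from the original post). Mirrors what
`openssl x509 -subject_hash_old` prints: MD5 over the DER-encoded subject
Name, first four bytes as a little-endian integer, formatted as 8 hex digits.
A minimal DER walker pulls the subject out of the certificate.
"""
import base64
import hashlib
import sys


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the certificate body."""
    body, inside = [], False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        elif line.startswith("-----END CERTIFICATE-----"):
            break
        elif inside:
            body.append(line.strip())
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body))


def der_tlv_bounds(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return tag, start, start + length


def subject_der_from_cert(der):
    """Walk Certificate -> tbsCertificate and return the subject Name TLV."""
    tag, tbs_start, _ = der_tlv_bounds(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, pos, tbs_end = der_tlv_bounds(der, tbs_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    # tbsCertificate: [0] version (optional), serialNumber, signature,
    # issuer, validity, subject, ...
    tag, _, end = der_tlv_bounds(der, pos)
    if tag == 0xA0:                 # explicit version tag present: skip it
        pos = end
    for _ in range(4):               # serialNumber, signature, issuer, validity
        _, _, pos = der_tlv_bounds(der, pos)
    tag, _, end = der_tlv_bounds(der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subject Name not found where expected")
    return der[pos:end]             # whole TLV, as i2d_X509_NAME would emit it


def subject_hash_old(name_der):
    """X509_NAME_hash_old: first 4 MD5 bytes, little-endian, as 8 hex digits."""
    digest = hashlib.md5(name_der, usedforsecurity=False).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def android_cert_filename(pem_text):
    """File name to use under /system/etc/security/cacerts/ for this PEM."""
    return subject_hash_old(subject_der_from_cert(pem_to_der(pem_text))) + ".0"


# --- constructed sample (not a real certificate) ---------------------------
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n])
    return bytes([tag]) + length + body


# Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String } } }
SAMPLE_SUBJECT = _tlv(0x30, _tlv(0x31, _tlv(0x30,
    _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"Example Test CA"))))

# tbsCertificate-shaped skeleton: enough structure for the walker above; the
# public key, extensions and signature are omitted, so no TLS stack loads it.
_TBS = _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02"))                                      # version v3
    + _tlv(0x02, b"\x01")                                                # serialNumber
    + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSA
    + SAMPLE_SUBJECT                                                     # issuer
    + _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    + SAMPLE_SUBJECT)                                                    # subject
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_tlv(0x30, _TBS)).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python subject_hash.py [cert.pem]; without a path the sample is used.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("install as:", android_cert_filename(pem))
```

The little-endian byte order is the detail most hand-rolled versions get wrong; the empty-input vector (MD5 d41d8cd9... becomes d98c1dd4) is a quick sanity check for it. Note that Android's system store uses the old hash, so `-subject_hash` (the newer SHA-1 based one) will give a file name the platform never looks up.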

2. Connect your phone with USB debugging enabled and make sure the platform tools are installed so you can use adb.

3. Become superuser (grant root permission to the shell on your phone):

$ adb shell
$ su
# whoami
root

4. Create a separate temp directory to hold the current certificates:

mkdir -m 700 /wherever/you/want

5. Copy the existing certificates into it:

cp /system/etc/security/cacerts/* /wherever/you/want/

6. Create an in-memory mount over the system certificate directory:

mount -t tmpfs tmpfs /system/etc/security/cacerts

7. Move the existing certs back into the tmpfs mount:

mv /wherever/you/want/* /system/etc/security/cacerts/

8. Copy in the new certificate; the file must be named in the <hash>.0 format:

mv /path/to/cert/hash.0 /system/etc/security/cacerts/

9. Update the permissions and SELinux context labels so everything is as readable as before:

chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*

10. Check your System store for the PortSwigger certificate. Don't reboot! (The tmpfs mount, and the certificate with it, disappears on reboot.)

Method 3 (might be risky): using adb within TWRP (tested on Android 10):

  1. Reboot to recovery (TWRP needs to be installed; I have not tried other recoveries).
  2. Mount the /system partition in TWRP.
  3. Connect USB to be able to use adb.
  4. Transfer your hash.0 cert file to /system/etc/security/cacerts/.
  5. Finally, run these commands one by one:
    chown root:root /system/etc/security/cacerts/*
    chmod 644 /system/etc/security/cacerts/*
    chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*
  6. Now your installed cert (hash.0) will remain even after a reboot!
  7. Please note: I don't know why, but the location of the installed certificate was “/data/adb/modules/movecert/system/etc/security/cacerts/” (in my case at least).

Thanks for reading!

Author: Prabhsimran (https://www.linkedin.com/in/pswalia2u/)

References:

https://gist.github.com/pwlin/8a0d01e6428b7a96e2eb

https://github.com/httptoolkit/httptoolkit-server/blob/master/src/interceptors/android/adb-commands.ts#L206

https://medium.com/hackers-secrets/adding-a-certificate-to-android-system-trust-store-ae8ca3519a85

https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/

Geek👾. Tries to understand how computers work. Would love to hear your suggestions and feedbacks. https://www.linkedin.com/in/pswalia2u/
