CorSecure

Security, Hacking, Making, and Tech


Using Burp Suite with an Android Emulator

If you have ever tested a web application, Burp Suite was probably a key part of your toolkit, and it can be just as useful during mobile pentesting for testing the API endpoints that mobile applications use. Several years ago, using Burp Suite with an Android device was not much more complicated than using it with a web application. Typically, you would export a certificate from Burp Suite, upload that certificate to the mobile device, and install it as a user certificate. However, Android 7.0 (aka Nougat) introduced a security change: user certificates are no longer trusted by default. So, in order to get apps on the device to trust the Burp Suite certificate, we have to install it as a system certificate, which takes a few extra steps.

Note: A lot of the inspiration for this blog post came from ropnop’s great blog post from 2018, which can be found here: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/. I will go into a little more detail about how to specifically use Burp Suite with an Android Studio emulator though.

Exporting and Configuring the Certificate

The first thing we need to do is export our certificate from Burp Suite in DER format. To do this, go to the Proxy settings in Burp Suite and click Import / Export CA Certificate. This will open a new window with multiple options for exporting or importing a certificate. In this window, select Export as Certificate in DER Format, and save that file with a .der file extension. For this example, I’m going to save mine as burpcert.der.

Prior to Android 7.0, we could just take this certificate, upload it to our Android emulator, and install it as a user certificate. If you are using a modern Android device though, we need to go through a few more steps to install this certificate as a system-level certificate.

To do this, we are going to need to have OpenSSL installed on our system. For my example, I am going to be running these commands on an Ubuntu system. If you are using macOS, these commands should be the same. If you are using Windows, most of the commands should be pretty similar, but you will most likely have to do some extra work to get OpenSSL installed and configured on your system.

Run the following commands to properly format the certificate as a PEM file and rename the file:

openssl x509 -inform DER -in burpcert.der -out burpcert.pem
openssl x509 -inform PEM -subject_hash_old -in burpcert.pem |head -1

Note: The second command will most likely return the hash 9a5ba575. Almost every time I have done this, it has resulted in that same hash, and I suspect that the only times I have gotten a different hash was due to a mistake on my part.

Once you have that hash from running the second command above, you now need to rename the PEM file using that hash.

mv burpcert.pem <hash>.0
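
The conversion and renaming steps above, combined into one shell function as an added example (not part of the original post; the function name prepare_android_ca and its arguments are hypothetical). It passes -noout so that only the hash is printed, checks that the value is eight hex digits before using it as a file name, and writes the PEM output directly as <hash>.0.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function name and arguments
# are hypothetical. Requires the openssl command-line tool.

# prepare_android_ca <cert.der> [output-dir]
# Prints the path of the generated <hash>.0 file on success.
prepare_android_ca() {
    der="$1"
    outdir="${2:-.}"

    if [ ! -r "$der" ]; then
        echo "cannot read: $der" >&2
        return 1
    fi

    # Refuse anything that does not parse as an X.509 certificate
    # (an empty or truncated export, or simply the wrong file).
    if ! openssl x509 -inform DER -in "$der" -noout 2>/dev/null; then
        echo "not an X.509 certificate: $der" >&2
        return 1
    fi

    # -subject_hash_old is derived from the certificate's subject name.
    # With -noout only the hash is printed, so no "| head -1" is needed.
    subject_hash=$(openssl x509 -inform DER -in "$der" -noout -subject_hash_old) || return 1

    # The system store file name is this 8-hex-digit value plus ".0".
    if ! printf '%s\n' "$subject_hash" | grep -Eq '^[0-9a-f]{8}$'; then
        echo "unexpected hash value: $subject_hash" >&2
        return 1
    fi

    mkdir -p "$outdir" || return 1
    target="$outdir/$subject_hash.0"

    # Write the PEM form straight to its final name, replacing the mv step.
    openssl x509 -inform DER -in "$der" -outform PEM -out "$target" || return 1
    chmod 644 "$target"
    printf '%s\n' "$target"
}

# Usage (file names as in the post): prepare_android_ca burpcert.der .
```
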

Installing the Certificate

Now that we have our certificate file properly formatted and correctly named, next we need to install the certificate onto our emulator as a system certificate. To do this, we’re going to have to remount the /system directory as writable. We can do this with adb, but we will have to run adb as root. Also, for an Android Studio emulator, we will need to launch that emulator as a writable system.

In my previous blog post Building an Android Emulator with Android Studio, I mentioned that it is valuable to know how to launch your emulator from the command line because there may be times when you need to launch it with command line options. This is one of those times. In order to remount the /system directory, we’re going to have to launch our emulator with the -writable-system flag. The command to launch the emulator with this option is below:

./emulator -avd <AVD name> -writable-system

Once your emulator launches, you can remount the file system with the following commands:

adb devices
adb root
adb remount

Note: If the remount fails, check the Troubleshooting section at the bottom of the page.

Once the file system is remounted, we need to upload the certificate to the emulator. Do this with the following command:

adb push <certificate> /sdcard/

Next we need to drop into a shell and move the certificate to the proper directory and give it the proper permissions. To drop into a shell, simply run the command adb shell. After you are in the shell, run the following commands:

mv /sdcard/<certificate> /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/<certificate>

Note: If moving the file to the /system directory fails, check the Troubleshooting section at the bottom of the page.

After those commands run successfully, we just need to reboot our emulator by running adb reboot. Alternatively, if you are still in the adb shell, you can simply run reboot. Once the emulator reboots, we can verify that the certificate was properly installed by checking the trusted credentials under the security settings menu inside the emulator. If we see a certificate under System that is listed as PortSwigger, then we know that the certificate was installed correctly.

Setting the Proxy

After installing the certificate on our emulator, the only thing left to do is to point our emulator to our Burp Suite proxy listener. There are a few different ways to set the proxy in an Android Studio emulator. Feel free to use whatever method you prefer.

Option #1

The simplest method would be to use the Android Studio proxy settings. These settings can be accessed by clicking on the three dots on the sidebar of the emulator, selecting Settings at the bottom of the menu, and then clicking Proxy at the top of the window. In this window, choose the Manual proxy configuration option and enter 127.0.0.1 as the hostname and 8080 as the port number. Then click Apply.

Option #2

A second method, which is actually more similar to the method that would be used for a physical Android device, involves using the Android wireless settings inside the emulator. To do this, we have to access the Wi-Fi settings from the Android settings menu. We should see a wireless network listed as AndroidWifi, which is the Android Studio emulated wireless network.

Click on the cog wheel next to this network to access the network details, and we can access the proxy settings by clicking on the pencil icon in the top right corner of this details screen.

After clicking on the pencil, we can access the advanced options and set the proxy to manual, which will open the proxy options. In the proxy menu, set the proxy hostname to 10.0.2.2 and the proxy port to 8080.

Note: 10.0.2.2 is an alias network address that is created by Android Studio and corresponds to the localhost of the host machine, meaning that the 10.0.2.2 address on the emulator corresponds to the 127.0.0.1 listener in our Burp Suite proxy.

Regardless of which option is used, we should now be able to start generating some web traffic by accessing some websites in the web browser, and we should see that web traffic being captured in our Burp Suite proxy.

You may notice that some traffic from certain applications may not be working properly while the proxy is turned on even after going through all of these steps to install the Burp Suite certificate on our device. This may be due to SSL pinning, which is a defensive mechanism that some developers will enable to help defend their apps from man-in-the-middle attacks. This pinning mechanism can be bypassed, but I will cover that in a future blog entry.

Troubleshooting

If adb remount fails, you may be able to run the following command instead:

adb shell "su 0 mount -o rw,remount /system"

If you are unable to move the file to /system, try running adb disable-verity, rebooting the device, and then remounting again.

If you’re interested in more content about security, hacking, making, and tech, check out my YouTube channel at https://youtube.com/@CorSecure.

I have two videos on this topic on my channel right now!


