# Android Security

## Setting up tools

These are the tools you will use when pentesting Android apps, from scripting tools to web tools and so on. I'll list the ones I use most often first; others will be introduced at the end.

ADB

**Installing sqlite3**

1. Go to Play store --> search for `Titanium Backup` & install it
2. `$ adb shell`
3. `$ su`
4. `$ cp /data/data/com.keramidas.TitaniumBackup/files/sqlite3 /system/xbin/`
5. `$ cd /system/xbin/`
6. `$ chmod 755 sqlite3`
7. `$ reboot` (just in case)
8. Enjoy the result

## SSL Pinning Burp Suite

Since the "traditional" way of installing a user certificate doesn't work anymore in Nougat and above, for me the easiest solution is to install the Burp CA to the system trusted certificates. You can see all the system CAs that are bundled with an Android device by going to *Settings -> Security -> Trusted Credentials* and viewing system CAs. You'll see CAs similar to those in a browser bundle.

Trusted CAs for Android are stored in a special format in `/system/etc/security/cacerts`. If we have root privileges, it's possible to write to this location and drop in the Burp CA (after some modification).

{% hint style="info" %}
Remove all existing PortSwigger certificates first (otherwise the whole thing does not work).
{% endhint %}

**Export and convert the Burp CA**\
The first step is to get the Burp CA in the right format. Using Burp Suite, export the CA Certificate in DER format. I saved it as `cacert.der`

![Export Burp CA](https://blog.ropnop.com/content/images/2018/01/export_burp_ca.png)

Android wants the certificate to be in PEM format, and to have the filename equal to the `subject_hash_old` value appended with `.0`.

*Note: if you are using OpenSSL <1.0, it's actually just the `subject_hash`, not the "old" one*

Use `openssl` to convert DER to PEM, then output the `subject_hash_old` and rename the file:

```
openssl x509 -inform DER -in cacert.der -out cacert.pem  
openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1  
mv cacert.pem <hash>.0  
```

For example, with my certificate:

![Converting Cert](https://blog.ropnop.com/content/images/2018/01/openssl_convert.png)

**Copy the certificate to the device**\
We can use `adb` to copy the certificate over, but since it has to be copied to the `/system` filesystem, we have to remount it as writable. As root, this is easy with `adb remount`.

```
# On the host: copy the certificate to the device
adb push <cert>.0 /sdcard/
```

Then just drop into a root shell (`adb shell`), remount `/system` read-write, move the file to `/system/etc/security/cacerts`, chmod it to 644, and remount `/system` read-only again:

```
mount -o rw,remount /system
mv /sdcard/<cert>.0 /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/<cert>.0
mount -o ro,remount /system
```

Lastly, we have to fully reboot the device with either `adb reboot` or a power cycle.

![Copy over the cert](https://blog.ropnop.com/content/images/2018/01/copy_cert.png)

After the device reboots, browsing to *Settings -> Security -> Trusted Credentials* should show the new "Portswigger CA" as a system trusted CA.

![Portswigger Trusted](https://blog.ropnop.com/content/images/2018/01/portswigger_system_ca.png)

Now it's possible to set up the proxy and start intercepting any and all app traffic with Burp :)

Ref: <https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/>

