Android Security

To learn Android App Sec, please go to OWASP-MSTG project. I'm just writing about my own finding stuffs.

Setting up tools

These tools will be your hand toys to play with Android Pentest Apps, from scripting tools to web tools and so on. I would like to give out my often used ones first, others will be introduced in the end.


Installing sqlite3

  1. Go to Play store --> search for Titanium Backup & install it

  2. $ adb shell

  3. $ su

  4. $ cp /data/data/com.keramidas.TitaniumBackup/files/sqlite3 /system/xbin/

  5. $ cd /system/xbin/

  6. $ chmod 755 sqlite3

  7. $ adbd reboot (just in case)

  8. Enjoy the result

SSL Pinning Burp Suite

Since the "traditional" way of installing a user certificate doesn't work anymore in Nougat and above, for me the easiest solution is to install the Burp CA to the system trusted certificates. You can see all the system CAs that are bundled with an Android device by going to Settings -> Security -> Trusted Credentials and viewing system CAs. You'll see the similar CAs you'd see in a browser bundle.

Trusted CAs for Android are stored in a special format in /system/etc/security/cacerts. If we have root privileges, it's possible to write to this location and drop in the Burp CA (after some modification).

Remove all existed PortSigger Cert (if not, the whole thing does not work)

Export and convert the Burp CA The first step is to get the Burp CA in the right format. Using Burp Suite, export the CA Certificate in DER format. I saved it as cacert.der

Export Burp CA

Android wants the certificate to be in PEM format, and to have the filename equal to the subject_hash_old value appended with .0.

Note: if you are using OpenSSL <1.0, it's actually just the subject_hash, not the "old" one

Use openssl to convert DER to PEM, then output the subject_hash_old and rename the file:

openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1
mv cacert.pem <hash>.0

For example, with my certificate:

Converting Cert

Copy the certificate to the device We can use adb to copy the certificate over, but since it has to be copied to the /system filesystem, we have to remount it as writable. As root, this is easy with adb remount.

adb push <cert>.0 /sdcard/
mount -o rw,remount /system
mount -o ro,remount /system

The just drop into a shell (adb shell) and move the file to /system/etc/security/cacerts and chmod it to 644:

mv /sdcard/<cert>.0 /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/<cert>.0

Lastly, we have to full reboot the device with either adb reboot or a power cycle.

Copy over the cert

After the device reboots, browsing to Settings -> Security -> Trusted Credentials should show the new "Portswigger CA" as a system trusted CA.

Portswigger Trusted

Now it's possible to set up the proxy and start intecepting any and all app traffic with Burp :)