Install Burp CA as a system-level CA on the device

It does require a rooted device

Since the "traditional" way of installing a user certificate doesn’t work anymore in Nougat and above, the easiest solution is to install the Burp CA to the system trusted certificates. You can see all the system CAs that are bundled with an Android device by going to Settings -> Security -> Trusted Credentials and viewing system CAs. You’ll see the similar CAs you’d see in a browser bundle.

Trusted CAs for Android are stored in a special format in /system/etc/security/cacerts. If you have root privileges, it's possible to write to this location and drop in the Burp CA (after some modification).

Export and convert the Burp CA

The first step is to get the Burp CA in the right format. Using Burp Suite, export the CA Certificate in DER format and save it as cacert.der

Exporting CA cert in Burp

Android wants the certificate to be in PEM format, and to have the filename equal to the subject_hash_old value appended with .0.

Note: if you are using OpenSSL <1.0, it’s actually just the subject_hash, not the “old” one

Use openssl to convert DER to PEM, then output the subject_hash_old and rename the file:

openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1
mv cacert.pem <hash>.0
Converting DER to PEM

Copy the certificate to the device

It can be using adb to copy the certificate over, but since it has to be copied to the /system filesystem, you have to remount it as writable. As root, this is easy with adb remount.

adb -s <DEVICE ID> root
adb -s <DEVICE ID> remount
Remounting adb as root
adb -s <DEVICE ID> push <cert>.0 /sdcard/
Pushing certificate from PC to mobile phone

If you have more than one device connected you have to use the -s <DEVICE ID> to point the commands to that specific device.

Sometimes you have to use /sdcard instead of /sdcard/ (removing the / at the end) because could have conflict. Of course you can use another path if is more suitable for you.

Then just drop into a shell (adb shell) and move the file to /system/etc/security/cacerts . After that change the permissions to 644:

adb -s <DEVICE ID> shell
mv /sdcard/<cert>.0 /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/<cert>.0

Lastly, a full reboot is needed in the device with either adb reboot or a power cycle.

After the device reboots, browsing to Settings -> Security -> Trusted Credentials should show the new “Portswigger CA” as a system trusted CA.

Now it’s possible to set up the proxy and start intercepting any and all app traffic with Burp :)

PreviousBypass SSL Pinning - rooted devicesNextiOS

Last updated