Pentest & Bug Bounty Resources and Techniques
  • Pentest & Bug Bounty Resources and Techniques
    • Introduction
    • Tests Checklist
    • OSINT
    • Communications Security
      • SSL/TLS
    • Networking
      • Subdomains Discovery
        • DNS & OSINT
        • DNS Brute force
          • Second DNS Brute-Force Round
      • Subdomain Takeover
      • Network Host Scan/Discovery
        • External/Internal
        • Internal only
      • Network Vulnerability Scanning
      • Network Hacking
      • Parsing
      • Reporting
    • Brute Force
      • Wordlists
      • Databases
      • SSH
    • Web
      • Endpoint Discovery
      • Infrastructure & Configuration
        • Headers
        • WAF Detection/ Evasion
      • Injection
        • GraphQL
        • Cross-Site Scripting (XSS)
        • SQL Injection
        • Payloads
      • SSRF & XXE
        • Labs & Resources
        • Tools
        • SVG SSRF Cheatsheet
        • XXE - XEE - XML External Entity
      • JWT Vulnerabilities (Json Web Tokens)
      • HTTP/S DoS
    • Mobile
      • Both
        • SAST
          • MobSF
        • DAST
          • Installing Frida and Objection
      • Android
        • Create a Lab
          • Rooting Android Emulator
          • Rooting Android Emulator Cheat Sheet
        • APK Certificates
        • SAST
          • APKs
            • Get Information from APK
            • GDA (GJoy Dex Analysizer)
            • Scanning APK for URIs, endpoints & secrets
            • Google Maps API Scanner
        • DAST
          • Rooting the Android Studio AVDs
          • non-Rooted devices
            • Bypass SSL Pinning - non-rooted devices
              • Method 1: apk-mitm
              • Instrumentation with Frida and Objection
                • Bypass SSL Pinning - Method 2: With Objection Explore
                • Bypass SSL Pinning - Method 3: With root_bypass.js
          • Rooted Devices
            • Run frida-server in the emulator or device
            • Inject Frida
            • Bypass SSL Pinning - rooted devices
              • Install Burp CA as a system-level CA on the device
      • iOS
        • SAST
          • Building a reverse iOS engineering environment for free
          • Test Vulnerabilities
  • Lets Practice
    • Virtual Machines
    • Vulnerable App
    • Guided Labs
    • CTFs
  • Group 1
    • AI
Powered by GitBook
On this page
  • Export and convert the Burp CA
  • Copy the certificate to the device
  1. Pentest & Bug Bounty Resources and Techniques
  2. Mobile
  3. Android
  4. DAST
  5. Rooted Devices
  6. Bypass SSL Pinning - rooted devices

Install Burp CA as a system-level CA on the device

It does require a rooted device

PreviousBypass SSL Pinning - rooted devicesNextiOS

Last updated 3 years ago

Since the "traditional" way of installing a user certificate doesn’t work anymore in Nougat and above, the easiest solution is to install the Burp CA to the system trusted certificates. You can see all the system CAs that are bundled with an Android device by going to Settings -> Security -> Trusted Credentials and viewing system CAs. You’ll see the similar CAs you’d see in a browser bundle.

Trusted CAs for Android are stored in a special format in /system/etc/security/cacerts. If you have root privileges, it's possible to write to this location and drop in the Burp CA (after some modification).

Export and convert the Burp CA

The first step is to get the Burp CA in the right format. Using Burp Suite, export the CA Certificate in DER format and save it as cacert.der

Android wants the certificate to be in PEM format, and to have the filename equal to the subject_hash_old value appended with .0.

Note: if you are using OpenSSL <1.0, it’s actually just the subject_hash, not the “old” one

Use openssl to convert DER to PEM, then output the subject_hash_old and rename the file:

openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1
mv cacert.pem <hash>.0

Copy the certificate to the device

It can be using adb to copy the certificate over, but since it has to be copied to the /system filesystem, you have to remount it as writable. As root, this is easy with adb remount.

adb -s <DEVICE ID> root
adb -s <DEVICE ID> remount
adb -s <DEVICE ID> push <cert>.0 /sdcard/

If you have more than one device connected you have to use the -s <DEVICE ID> to point the commands to that specific device.

Sometimes you have to use /sdcard instead of /sdcard/ (removing the / at the end) because could have conflict. Of course you can use another path if is more suitable for you.

Then just drop into a shell (adb shell) and move the file to /system/etc/security/cacerts . After that change the permissions to 644:

adb -s <DEVICE ID> shell
mv /sdcard/<cert>.0 /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/<cert>.0

Lastly, a full reboot is needed in the device with either adb reboot or a power cycle.

After the device reboots, browsing to Settings -> Security -> Trusted Credentials should show the new “Portswigger CA” as a system trusted CA.

Now it’s possible to set up the proxy and start intercepting any and all app traffic with Burp :)

Exporting CA cert in Burp
Converting DER to PEM
Remounting adb as root
Pushing certificate from PC to mobile phone