Monday 28 January 2013

Adding custom certificate to Android Trusted certificate store

Introduction

Android maintains a list of trusted certificates any deviance in the certificate would result in a error in connection. Below screenshot shows how the browser gives a popup when we set the Android device to forward the traffic to Burp Proxy instead of the actual server.


Once, the user clicks on “Continue”, the user can continue to use the application as per his requirement. However, in case of native applications there is no “popup” and the connection is directly rejected.
Solution: Add the proxy certificate to android trusted store.
How:
Step 1: Download the latest copy of bouncycastle lib from http://www.bouncycastle.org/latest_releases.html into a folder called “lib”. During the making of this document, the latest version of the lib was v1.47.

Step 2: Extract a copy of the current certificate file ie. “cacerts.bks” from the android device using:
adb pull /system/etc/security/cacerts.bks




Step 3:Download a copy of the Charles Proxy certificate from the Charles website http://charlesproxy.com/charles.crt

Step 4: Add the BouncyCastle library to your machines existing Java. Once that is complete, use the below command to add Charles certificate to the certificate store downloaded from the device and sign it using the BouncyCastle library jar 
sudo keytool --keystore cacerts.bks --storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk15on-147.jar" --storepass "" --importcert --trustcacerts --alias newalias --file charles.crt


Step 5: Now, adb into the device and run the “mount” command to see where the “system” directory is mounted.
In our case, it was found to be mounted at “/dev/block/stl9”. Knowing this, remount the system directory in read/write mode so as to push the certificate store back on to the device. Then, run the command as “mount -o remount,rw -t yaffs2 /dev/block/stl9 /system” inside adb shell as root user.

Step 6: Then, change the permissions set on the certicate store to world writeable using “chmod 777 /system/etc/security/cacerts.bks” as root user and the push the new cacerts.bks into the device using “adb push cacerts.bks /system/etc/security/cacerts.bks

Step 7: Now, change the permissions back on the cacerts.bks file using “chmod 644 /system/etc/security/cacerts.bks” as root user.

Now, restart the device and after that you can see that all the traffic from the Android device can be intercepted on charles proxy without any issue.
Similar method can be applied to add Burp certificate on Android trusted certificate store.

References:

14 comments:

  1. Sometimes on windows in Step 4, I use the below command and it works well.

    keytool --keystore cacerts.bks --storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "lib\bcprov-jdk15on-147.jar" --storepass "" --importcert --trustcacerts --alias newalias --file charles.crt

    ReplyDelete
  2. If you don't want the hassle of using keytool, alternatively you can make use of http://portecle.sourceforge.net/
    Steps:
    1) Get the Burp "root" certificate using the certificate export option.
    2) Load the default cacerts.bks file in it portecle.
    3) Choose the add trusted certificate import functionlity to inport the burp root certifcate into portecle.
    4) Save the generated file as cacerts.bks and upload it to /system/etc/security/cacerts.bks

    ReplyDelete
  3. Dinesh,

    I have followed your tutorial to add certificates to my HTC Nexus One phone's cacert.bks file.

    But after this step, the Android default browser closes with error

    E/AndroidRuntime( 1157): java.lang.NullPointerException
    E/AndroidRuntime( 1157): at android.net.http.CertificateChainValidator.doHandshakeAndValidateServerCertificates(CertificateChainValidator.java:
    194)
    E/AndroidRuntime( 1157): at android.net.http.HttpsConnection.openConnection(HttpsConnection.java:312)
    E/AndroidRuntime( 1157): at android.net.http.Connection.openHttpConnection(Connection.java:407)
    E/AndroidRuntime( 1157): at android.net.http.Connection.processRequests(Connection.java:260)
    E/AndroidRuntime( 1157): at android.net.http.ConnectionThread.run(ConnectionThread.java:134)
    W/ActivityManager( 182): Force finishing activity com.android.browser/.BrowserActivity

    Do you have any pointers for resolving this error?

    --
    Sunil
    esunilkumare@gmail.com

    ReplyDelete
  4. Tired of stress after strenuous school. Be entertained by the popular online games that are hot now slither.io

    ReplyDelete
  5. This is very useful information for me that says how seriously you need to use the data that appears in our access.

    ReplyDelete
  6. So, I repeated all mentioned steps on my telephone and I managed to add custom certificate to Android Trusted certificate store)) Thanks, Dinesh!

    ReplyDelete
  7. GB WhatsApp is a fundamental component form of the application. There are a lot more highlights which you can benefit in GB WhatsApp Plus.
    https://gbwhatsappplus.com/
    https://gbwhatsappplus.com/gb-whatsapp-plus-apk-download/
    Gbwhatsappplus

    ReplyDelete
  8. Thanks for sharing great information with us.Checkout reloadable debit card

    ReplyDelete
  9. This is a blog you can get useful information on office renovation
    make sure you can check it out and keep on visiting our blog.



    ReplyDelete
  10. Good web site you have here.. It’s difficult to find excellent writing like yours these days. I honestly appreciate people like you! Take care!!
    Net Worth Culture
    Joe Rogan Net Worth
    Mark Zuckerberg Net Worth
    Tom Cruise Net Worth

    ReplyDelete
  11. I appreciate several from the Information which has been composed, and especially the remarks posted I will visit once more. Find out today's Celebrity birthdays and discover who shares your birthday. We make it simple and entertaining to learn about celebrities.

    ReplyDelete