Monday, 28 January 2013

Adding custom certificate to Android Trusted certificate store

Introduction

Android maintains a list of trusted certificates; any deviation from it results in a connection error. The screenshot below shows the popup the browser displays when the Android device is set to forward traffic to Burp Proxy instead of the actual server.


Once the user clicks “Continue”, they can continue to use the application as required. However, in the case of native applications there is no popup and the connection is rejected outright.
Solution: Add the proxy certificate to the Android trusted store.
How:
Step 1: Download the latest copy of the Bouncy Castle library from http://www.bouncycastle.org/latest_releases.html into a folder called “lib”. At the time of writing, the latest version of the library was v1.47.

Step 2: Extract a copy of the current certificate store, i.e. “cacerts.bks”, from the Android device using:
adb pull /system/etc/security/cacerts.bks

Step 3: Download a copy of the Charles Proxy certificate from the Charles website: http://charlesproxy.com/charles.crt

Step 4: Add the BouncyCastle library to your machine's existing Java installation. Once that is complete, use the command below to add the Charles certificate to the certificate store downloaded from the device and sign it using the BouncyCastle library jar:
sudo keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk15on-147.jar" -storepass "" -importcert -trustcacerts -alias newalias -file charles.crt


Step 5: Now open an adb shell on the device and run the “mount” command to see where the “system” directory is mounted.
In our case, it was found to be mounted at “/dev/block/stl9”. Knowing this, remount the system directory in read/write mode so that the certificate store can be pushed back onto the device: run “mount -o remount,rw -t yaffs2 /dev/block/stl9 /system” inside the adb shell as the root user.

Step 6: Then change the permissions on the certificate store to world-writable using “chmod 777 /system/etc/security/cacerts.bks” as the root user, and then push the new cacerts.bks to the device using “adb push cacerts.bks /system/etc/security/cacerts.bks”.

Step 7: Now change the permissions on the cacerts.bks file back using “chmod 644 /system/etc/security/cacerts.bks” as the root user.

Now restart the device. After that, all traffic from the Android device can be intercepted in Charles Proxy without any issue.
A similar method can be applied to add the Burp certificate to the Android trusted certificate store.
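
The device-side commands in Steps 5 to 7 depend on what “mount” reports for /system, so they can be derived from that output instead of being typed by hand. The script below is an added example, not part of the original post: the function names are hypothetical, the sample mount lines are constructed from the values used above, and the final remount back to read-only is an addition to the steps.

```shell
#!/bin/sh
# Added example: build the Step 5 remount command from `mount` output.

# system_mount_info: read `mount` output on stdin and print "<device> <fstype>"
# for /system. Two layouts are handled:
#   /dev/block/stl9 /system yaffs2 ro 0 0              (/proc/mounts style)
#   /dev/block/stl9 on /system type yaffs2 (ro)        ("on ... type" style)
system_mount_info() {
    awk '
        $2 == "/system"                               { print $1, $3; found = 1; exit }
        $2 == "on" && $3 == "/system" && $4 == "type" { print $1, $5; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# remount_cmd MODE: print the device-side command that remounts /system
# as MODE (rw before the push, ro afterwards); mount output on stdin.
remount_cmd() {
    mode=$1
    case "$mode" in
        rw|ro) ;;
        *) echo "mode must be rw or ro" >&2; return 2 ;;
    esac
    info=$(system_mount_info) || { echo "/system not in mount output" >&2; return 1; }
    echo "mount -o remount,$mode -t ${info#* } ${info% *} /system"
}

# store_update_plan: print Steps 5-7 in order. The closing read-only
# remount is an addition; the page's steps end at chmod 644.
store_update_plan() {
    mounts=$(cat)
    store=/system/etc/security/cacerts.bks
    printf '%s\n' "$mounts" | remount_cmd rw || return
    echo "chmod 777 $store"
    echo "adb push cacerts.bks $store  # on the host, not in adb shell"
    echo "chmod 644 $store"
    printf '%s\n' "$mounts" | remount_cmd ro
}

# Constructed sample (not captured from a device), using the page's values.
SAMPLE_MOUNTS='rootfs / rootfs ro 0 0
/dev/block/stl9 /system yaffs2 ro 0 0
/dev/block/stl10 /data rfs rw,nosuid,nodev 0 0'
printf '%s\n' "$SAMPLE_MOUNTS" | store_update_plan
```

On a real device, feed it the output of “adb shell mount” in place of the sample and run the printed mount and chmod lines inside the adb shell as root.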

5 comments:

  1. Sometimes on Windows in Step 4, I use the below command and it works well.

    keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "lib\bcprov-jdk15on-147.jar" -storepass "" -importcert -trustcacerts -alias newalias -file charles.crt

  2. If you don't want the hassle of using keytool, alternatively you can make use of http://portecle.sourceforge.net/
    Steps:
    1) Get the Burp "root" certificate using the certificate export option.
    2) Load the default cacerts.bks file in Portecle.
    3) Choose the add trusted certificate import functionality to import the Burp root certificate into Portecle.
    4) Save the generated file as cacerts.bks and upload it to /system/etc/security/cacerts.bks

  3. Dinesh,

    I have followed your tutorial to add certificates to my HTC Nexus One phone's cacert.bks file.

    But after this step, the Android default browser closes with error

    E/AndroidRuntime( 1157): java.lang.NullPointerException
    E/AndroidRuntime( 1157): at android.net.http.CertificateChainValidator.doHandshakeAndValidateServerCertificates(CertificateChainValidator.java:194)
    E/AndroidRuntime( 1157): at android.net.http.HttpsConnection.openConnection(HttpsConnection.java:312)
    E/AndroidRuntime( 1157): at android.net.http.Connection.openHttpConnection(Connection.java:407)
    E/AndroidRuntime( 1157): at android.net.http.Connection.processRequests(Connection.java:260)
    E/AndroidRuntime( 1157): at android.net.http.ConnectionThread.run(ConnectionThread.java:134)
    W/ActivityManager( 182): Force finishing activity com.android.browser/.BrowserActivity

    Do you have any pointers for resolving this error?

    --
    Sunil
    esunilkumare@gmail.com
