Intercepting Android Application HTTPS traffic in Android 10 (Q) with Burp Suite and Magisk

With the COVID-19 wave going on, most people are working from home and locked in their homes. I am one of them, working from home and locked in my home 😁

This lockdown or quarantine gave me some free time to write this blog post. Many of my friends (Penetration Testers) and some readers asked me to write on how to intercept Android application HTTPS traffic for Android 7.0 and above. So, here it is.

Before we start, let's get to the root cause of this post. Before Android 7.0 (Nougat), we installed the Burp Suite CA the normal way: push the Burp Suite CA to the Android SD card, install it, and then start intercepting HTTP/HTTPS traffic in Burp Suite.

The issue starts with Android 7.0 (Nougat) and later versions, where Google implemented a security feature to reduce attack surface. User-installed certificate authorities (CAs) are no longer trusted for apps targeting API Level 24+ unless the application intentionally enables it. You can read more information here.

Let's come to the main point. Before we start, we need a rooted Android device running Android 7.0 or later with Magisk. I am using a device running Android 10 (Android Q) with Magisk installed. Since Android 7.0 and later ignore user-installed CAs, we are going to install our Burp Suite CA in Android's system store at "/system/etc/security/cacerts/" as a trusted CA with the root user.

Initially I tried installing the Burp Suite CA manually at "/system/etc/security/cacerts", but I was having issues running adb as a root user. Once I solved the adb root issue, I was having issues remounting the file system. I tried many other ways but had no luck, so I had to do this using Magisk. If I find a way to do this manually, I will also make a tutorial on it.

Before we start, let's make sure that you have installed the Burp Suite CA on your Android device the normal way. If you haven't, follow the instructions below.

1. Start Burp Suite and go to Proxy > Options > Import / export CA certificates > Export Burp certificate in .cer format and save it (for example, cacert.cer).
2. Push the cacert.cer certificate to Android's /sdcard/.
3. Go to the mobile Settings and then "Install from device storage".
4. Navigate to the cacert.cer certificate you stored on the SD card, select it and install it. That's it!

Android renames the certificate and stores it under the certificate's hash with .0 added to the end. For example, my cacert.cer certificate is stored as 9a5ba575.0. To verify that, open an adb shell and become the root user by typing "su" and pressing Enter. Then go to "/data/misc/user/0/cacerts-added/", where our installed Burp Suite CA will be.

As shown below, I can go to my Android device and see my Burp Suite CA installed at "/data/misc/user/0/cacerts-added/" as 9a5ba575.0

Below we can see that I am using Android 10 (Q)

Make sure that your Magisk and Magisk Manager both are up to date.

Now we need to install the "Magisk Trust User Certs" module in Magisk.

This module is developed by NVISO Labs. Click here and download the latest release .zip file.

Push downloaded zip file to your Android device's /sdcard/Download/ 

Open Magisk, go to Modules, click on the plus sign (+) and navigate to the Download folder where we stored the MagiskTrustUserCerts module zip file.

Select the zip and it will be installed. 

Click on "Reboot" to activate the module. 

Now open Magisk and go to Modules to check that the "MagiskTrustUserCerts" module is installed.

That's it! This module will now add all user certificates to the Android system trust store.

Now our Burp Suite CA (9a5ba575.0 in my case), which was installed at "/data/misc/user/0/cacerts-added/" as a normal user, will be installed at "/system/etc/security/cacerts/" as a root user.

To verify that, open an adb shell and become the root user by typing "su" and pressing Enter. Then go to "/system/etc/security/cacerts/" and search for our Burp Suite CA (here 9a5ba575.0). We can see my certificate is installed at "/system/etc/security/cacerts/".

You can check the same on the mobile device by going to Settings and looking for "View Security Certificates"; you will find "PortSwigger" installed.

Now set the proxy on your Android device, open the application, and you are all set to intercept Android applications' HTTPS traffic in Burp Suite.
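Both manual checks above can be done from the host in one step. The script below is an added example, not part of the original post: it derives the store file name from cacert.cer (Android uses OpenSSL's legacy subject hash) and reports which store the certificate is in. It assumes openssl and adb on the host and Magisk's su on the device; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: locate a CA certificate in the Android trust stores.
# Store paths are the ones from this post; function names are hypothetical.
USER_STORE=/data/misc/user/0/cacerts-added
SYSTEM_STORE=/system/etc/security/cacerts

# Print the file name Android gives a certificate: the legacy (MD5-based)
# OpenSSL subject hash with ".0" appended.
# $1 = DER-encoded certificate on the host, e.g. the cacert.cer exported from Burp
ca_store_name() {
    h=$(openssl x509 -inform DER -in "$1" -noout -subject_hash_old) || return 1
    printf '%s.0\n' "$h"
}

# Succeed if file $2 is listed in device directory $1.
# Both stores are read through su, as in the manual checks in this post.
ca_in_store() {
    adb shell "su -c 'ls $1'" 2>/dev/null | tr -d '\r' | grep -qxF "$2"
}

# Report where the certificate in $1 currently sits on the connected device.
# Exit status: 0 = system store, 1 = user store only, 2 = absent or unreadable.
ca_status() {
    name=$(ca_store_name "$1") || { echo "cannot parse $1"; return 2; }
    if ca_in_store "$SYSTEM_STORE" "$name"; then
        echo "$name: system store"
    elif ca_in_store "$USER_STORE" "$name"; then
        echo "$name: user store only"
        return 1
    else
        echo "$name: not installed"
        return 2
    fi
}

# Run the check only when a certificate path is given on the command line.
if [ "$#" -ge 1 ]; then
    ca_status "$1"
fi
```

A "user store only" result after installing the module usually means the device has not been rebooted yet or the module is disabled.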

NOTE: If the application is using "SSL Pinning" then you might not see HTTPS traffic in Burp Suite. In such cases consider bypassing "SSL Pinning" using different methods available and then check if it's possible to intercept HTTPS traffic. 

Don't forget to share if you find this article useful 😊
