
How to configure Burp Suite correctly in Android Nougat

2025-01-16 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)05/31 Report--

In this issue, the editor explains how to correctly configure Burp Suite in Android Nougat. The article is rich in content and analyzes the topic from a professional point of view. I hope you get something out of reading it.

When I was testing a new Android app, I encountered some problems with Burp Suite not working properly. I spent the whole afternoon trying to solve this problem and decided to share my solution.

Background

I have done a lot of Android-related testing on a Genymotion VM or my old Nexus tablet. I've always followed PortSwigger's instructions to run Burp Suite locally, install the user cert, and configure a WiFi proxy.

However, when I tested this particular app (which requires API level 24, Android 7.0 "Nougat"), I suddenly found that Burp was not working properly. I reviewed my configuration steps and found nothing missing, but I only saw a "connection reset" error in Burp.

After several hours of trial and error, I finally found out what the problem was. Before going any further, I would like to recommend two excellent articles, which gave me the key information that helped me solve this problem:

https://serializethoughts.com/2016/09/10/905/

https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

Starting with Nougat, Android changed the default trust behavior for user-installed certificates. This means that installing the Burp CA from the sdcard is no longer enough to intercept application traffic. Unless it specifies otherwise, an application will only trust CAs at the system level.

Here are two ways to get around this:

Install the Burp CA as a system-level CA on the device. This is what I think is the easiest solution, but it requires a rooted device. It also eliminates the trouble of setting a lock screen PIN code :)

Modify the manifest file and repackage the application. The steps are more cumbersome, but do not require root permission.

Note: I did this with Burp Suite Pro on Windows 10, using Android 7.1 (API25) Genymotion VM, but these steps should apply to any setup.

Install Burp CA as a system-level CA on the device

For me, the simplest solution is to install the Burp CA into the system's trusted certificates. You can view all system CAs bundled with an Android device at Settings -> Security -> Trusted Credentials. These CAs are similar to the ones you would see in a browser bundle.

Android's trusted CAs are stored in /system/etc/security/cacerts in a special format. If we have root permission, we can write to this location and place the Burp CA there (with some modifications).

Export and convert Burp CA

The first step is to get the Burp CA in the correct format. Using Burp Suite, export the CA certificate in DER format. I saved it as cacert.der.

Android expects the certificate in PEM format, with a file name that is the subject_hash_old value followed by .0.

Note: if you use OpenSSL < 1.0, use subject_hash instead of subject_hash_old.

After the certificate has been copied into /system/etc/security/cacerts and the device has been rebooted (the commands are listed in the cheatsheet at the end), Settings -> Security -> Trusted Credentials should show that the new "Portswigger CA" has become a trusted CA of the system.

Now we can set up the proxy and intercept all application traffic through Burp :)

Modify and repackage the application

If you do not have root access or do not want to modify the system's trusted certificates, you can also install the Burp CA as a user certificate and make MitM work by modifying the specific APK.

Starting with Nougat, applications ignore user-installed certificates by default. You can verify this by looking at the logcat output when you start the application:

Without a network security configuration, the application will only trust system CAs and will ignore the Burp certificate installed by the user.

To solve this problem, we need to do the following:

Disassemble the APK

Add a new XML resource to define the network security configuration

Modify AndroidManifest.xml

Repackage and self-sign the APK

Disassemble and modify APK

First we use apktool to disassemble the APK:

    apktool d TestApp.apk

Next, add a new network security configuration by creating the file network_security_config.xml in the res/xml directory:

    vim TestApp\res\xml\network_security_config.xml

The configuration needs to make it clear that the user certificate is acceptable and trusted. The contents are as follows:

Finally, we must reference the network security configuration in AndroidManifest.xml. In the <application> tag, add the android:networkSecurityConfig attribute that points to the new XML file.
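As an added example (not code from the original post), the following Python sketch checks a decoded APK for exactly the two pieces described above: the android:networkSecurityConfig reference in the manifest and a trust anchor with src="user" in the referenced file. It is useful for confirming that one of your own release builds does not trust user-installed CAs. The XML strings are constructed samples that follow the Android Network Security Configuration format, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest pointing at res/xml/network_security_config.xml
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# Constructed sample: user-installed CAs trusted for all traffic
CONFIG_USER = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample: user CAs trusted only when the build is debuggable
CONFIG_DEBUG_ONLY = """<network-security-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user"/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""

def config_resource(manifest_xml):
    """Return the resource name in android:networkSecurityConfig, or None."""
    app = ET.fromstring(manifest_xml).find("application")
    ref = app.get(ANDROID_NS + "networkSecurityConfig") if app is not None else None
    return ref.rsplit("/", 1)[-1] if ref else None

def user_ca_scopes(config_xml):
    """List top-level sections whose trust anchors include src="user"."""
    scopes = []
    for section in ET.fromstring(config_xml):  # base-config, domain-config, debug-overrides
        if any(c.get("src") == "user" for c in section.iter("certificates")):
            scopes.append(section.tag)
    return scopes

def trusts_user_cas_in_release(config_xml):
    """True if user CAs are trusted outside <debug-overrides>."""
    return any(s != "debug-overrides" for s in user_ca_scopes(config_xml))

if __name__ == "__main__":
    print(config_resource(MANIFEST), user_ca_scopes(CONFIG_USER),
          trusts_user_cas_in_release(CONFIG_DEBUG_ONLY))
```

A config that lists user CAs only under debug-overrides keeps proxy-based testing possible in debuggable builds while release builds continue to trust system CAs only.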

Repackage and self-sign APK

The APK must now be rebuilt and signed before it can be installed. Using the apktool b command, a new APK is created in the dist/ directory:

    apktool b TestApp

To self-sign the application, we need to use keytool to create a new keystore and key, and then use jarsigner to sign the new APK:

    keytool -genkey -v -keystore test.keystore -storepass password -alias android -keypass password -keyalg RSA -keysize 2048 -validity 10000
    jarsigner.exe -verbose -keystore test.keystore -storepass password -keypass password TestApp\dist\TestApp.apk android

Finally, use adb to install the new APK:

    adb install TestApp\dist\TestApp.apk

Now, when we start the application, the logcat output will indicate the new network security configuration in use:

Cheatsheet

Install system CA

    # Convert DER to PEM
    openssl x509 -inform DER -in cacert.der -out cacert.pem
    # Get subject_hash_old (or subject_hash if OpenSSL < 1.0)
    openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
    # Rename cacert.pem to <hash>.0
    mv cacert.pem 9a5ba575.0
    # Remount and copy cert to device
    adb root
    adb remount
    adb push 9a5ba575.0 /sdcard/
    adb shell
    vbox86p:/ # mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
    vbox86p:/ # chmod 644 /system/etc/security/cacerts/9a5ba575.0
    vbox86p:/ # reboot

Modify APK

    apktool d TestApp.apk
    vim TestApp\res\xml\network_security_config.xml
    # Content:
    vim TestApp\AndroidManifest.xml
    # Add to <application> tag: android:networkSecurityConfig="@xml/network_security_config"
    # Rebuild and self-sign
    keytool -genkey -v -keystore test.keystore -storepass password -alias android -keypass password -keyalg RSA -keysize 2048 -validity 10000
    apktool b TestApp
    jarsigner -keystore test.keystore -storepass password -keypass password TestApp\dist\TestApp.apk android
    # Install new APK
    adb install TestApp\dist\TestApp.apk
    # Install Burp CA to User Certs
    mv cacert.der cacert.cer
    adb push cacert.cer /mnt/sdcard
    # Then, on the device: Settings -> Security -> Install from SD Card
