Intercept HTTPS Traffic from Android App — AndroGoat -Part 2
In Intercept HTTPS Traffic from Android App — AndroGoat -Part 1, it was shown how to intercept HTTPS traffic from Android devices with API 23 (version 6, Marshmallow) or below. In this part, we are going to learn how to intercept HTTPS traffic from Android devices with API 24 (version 7, Nougat) or above.
Before looking at what changed in API 24 (Nougat), let's try to intercept the traffic from an Android device with API 24 (version 7, Nougat) or above using 2 different AndroGoat builds.
Test 1:
- Uninstall any previous version of the AndroGoat app
- Install the AndroGoat build without network_security_config.xml on an Android 7 or above device
- Follow the steps from Intercept HTTPS Traffic from Android App — AndroGoat -Part 1
- Observe that the error shown below appears in Burp → Dashboard → Event Log and that the request is not intercepted.
Test 2:
- Now, on the same device, uninstall the previous AndroGoat app and install the AndroGoat build that includes network_security_config.xml
- Follow the steps from Intercept HTTPS Traffic from Android App — AndroGoat -Part 1
- You should see the request intercepted in Burp.
The traffic is intercepted only in Test 2; the reason is explained below.
What is changed from API 24-Nougat?
Starting with Nougat, Android changed the default behavior for trusting user-installed certificates. After installing the Burp CA it is no longer possible to intercept a mobile app's traffic unless the app explicitly opts in through network_security_config.xml; i.e., by default apps now trust only system-level CAs.
What is the difference between the 2 apps used in Test 1 and Test 2? — network_security_config.xml
In Test 1, the app has no network_security_config.xml, so the user-installed Burp proxy certificate is not trusted.
In Test 2, the app has a network_security_config.xml that explicitly opts in to user-installed certificates (as highlighted), so the Burp proxy certificate is trusted.
You can also decompile these 2 apps and see the difference.
You may refer to https://developer.android.com/training/articles/security-config for more information about network_security_config.xml.
If we only have the app used in Test 1, we can add network_security_config.xml ourselves by repackaging the app.
How to bypass with the help of repackaging?
A. Repackage the app by adding network_security_config.xml
B. Add the Burp root certificate as a system-level trusted CA (not covered here).
A. Repackage the app by adding network_security_config.xml:
This method doesn’t require a rooted device because we are repackaging the app to trust user installed certificates.
Steps to repackage:
1. Decompile the AndroGoat apk (the one used in Test 1) using apktool
2. A folder named after the application is created
3. Open the AndroidManifest.xml file with any editor and add the attribute below to the <application> tag.
android:networkSecurityConfig="@xml/network_security_config"
4. Open the res folder and create a folder named xml
5. Create a file named network_security_config.xml in the /res/xml/ folder and save it with the content below.
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
<certificates src="user" /> tells the app to trust user-installed certificates.
6. Repackage the application using apktool
7. The repackaged apk is now available in the dist folder. It cannot be installed until it is signed.
8. Generate a new keystore using keytool
keytool -genkey -v -keystore androGoat.keystore -storepass <password> -alias android -keypass <password> -keyalg RSA -keysize 2048 -validity 10000
9. Sign the repackaged apk using jarsigner
jarsigner -verbose -keystore androGoat.keystore -storepass <password> -keypass <password> AndroGoat_without_network_security_config.apk android
You can also use the Android APK Signer GUI tool to generate the keystore and sign the apk.
10. Install this apk on the Android device (assuming the previous AndroGoat app was uninstalled)
11. Now try to intercept the traffic by following the steps provided in Intercept HTTPS Traffic from Android App — AndroGoat -Part 1
12. You should see request intercepted in Burp.
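To automate steps 3 to 5 on the folder apktool produces, here is an added Python helper (not part of the original post or of AndroGoat); the sample manifest is constructed, and apktool, keytool and jarsigner are still run by hand as in the steps above.

```python
import re
import tempfile
from pathlib import Path
# Constructed sample manifest (not AndroGoat's real one; apktool produces the real file).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.app">
    <application android:label="Example">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""
NSC_ATTR = 'android:networkSecurityConfig="@xml/network_security_config"'
# Same content as step 5: trust system CAs plus user-installed CAs (e.g. the Burp CA).
NSC_XML = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

def add_nsc_attribute(manifest_text):
    """Step 3: add the attribute to the first <application> tag; no-op if already present."""
    if "android:networkSecurityConfig=" in manifest_text:
        return manifest_text
    patched, count = re.subn(r"<application\b", "<application " + NSC_ATTR, manifest_text, count=1)
    if count != 1:
        raise ValueError("no <application> tag found in AndroidManifest.xml")
    return patched

def patch_decompiled_app(app_dir):
    """Steps 3-5 on an apktool output folder; returns the path of the written config."""
    manifest = app_dir / "AndroidManifest.xml"
    manifest.write_text(add_nsc_attribute(manifest.read_text()))
    xml_dir = app_dir / "res" / "xml"
    xml_dir.mkdir(parents=True, exist_ok=True)
    config = xml_dir / "network_security_config.xml"
    config.write_text(NSC_XML)
    return config

def demo():
    """Apply the patch to a throwaway folder seeded with SAMPLE_MANIFEST and report the result."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp)
        (app_dir / "AndroidManifest.xml").write_text(SAMPLE_MANIFEST)
        config = patch_decompiled_app(app_dir)
        return {"manifest": (app_dir / "AndroidManifest.xml").read_text(),
                "config_rel": config.relative_to(app_dir).as_posix()}
```

Point `patch_decompiled_app` at the real apktool output folder, then continue with step 6.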
Key takeaways:
- Android devices with API 24 (version 7, Nougat) or above will not trust user-installed certificates by default.
- However, this can be bypassed by repackaging the app with a network_security_config.xml whose trust anchors include <certificates src="user" />
- Don't opt in to this configuration in production applications.
Hence, MITM is possible if the app's network_security_config.xml is configured with the trust anchor <certificates src="user" />.
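As an added example (not the post's ScanAndroidXML tool), a small Python check that parses a network_security_config.xml and flags the trust anchors that make MITM possible in release builds. Both configs are constructed; the safer one keeps the user anchor under <debug-overrides>, which Android applies only to debuggable builds.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the config from the post, which trusts user CAs app-wide.
VULNERABLE_CFG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""
# Constructed sample: user CAs only under <debug-overrides>, which Android applies
# only when android:debuggable="true", so release builds keep the Nougat default.
SAFER_CFG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system" /></trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors><certificates src="user" /></trust-anchors>
    </debug-overrides>
</network-security-config>
"""

def audit_nsc(xml_text):
    """Return findings for the scopes that apply to release builds.

    Flags <certificates src="user" /> under <base-config> or any <domain-config>
    (nested ones included) and cleartextTrafficPermitted="true"; user anchors under
    <debug-overrides> are reported as informational only.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for scope in root.findall("base-config") + list(root.iter("domain-config")):
        domains = [d.text.strip() for d in scope.findall("domain")] or ["all domains"]
        where = "%s (%s)" % (scope.tag, ", ".join(domains))
        if scope.get("cleartextTrafficPermitted") == "true":
            findings.append(where + ": cleartext (HTTP) traffic permitted")
        for cert in scope.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(where + ": user-installed CAs trusted, MITM with a user CA is possible")
    for cert in root.findall("debug-overrides/trust-anchors/certificates"):
        if cert.get("src") == "user":
            findings.append("debug-overrides: user CAs trusted (debuggable builds only)")
    return findings
```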
I have developed a tool, ScanAndroidXML, to identify misconfigurations in network_security_config.xml
We will discuss this in next part.
There is another way to bypass network security config using Frida which is published at Intercept HTTPS Traffic from Android App — AndroGoat -Part 3
Happy Learning
Connect with me on GitHub and Twitter for more insights, updates and tools.