Adding a Certificate to Android System Trust Store

The Android Platform N and above have 2 different Trust Stores, the user trust store and the system trust store. Installing a certificate to a user trust store is easy and it can be done using the devices UI. Adding a certificate to system trust store is more complicated process but, it is totally worth taking that extra effort to add a certificate to system tust store while hacking android apps. However, it can only be done on a rooted device or emulator with root access.

Certificates in System and User Trust Stores

System Trust Store location in Android-7: /system/etc/security/cacerts/

User Trust Store location in Android-7: /data/misc/keystore/user_0/

Why Install certificates in System Trust Store?

While performing a pentest or doing security research or just want proxy the HTTPS traffic of apps using a proxy tool such as Burp, Zap,mitmproxy… All the apps by defaults do not trust the user trust store unless explicitly stated in the network security configuration of the app.

An example network-security-config.xml file which trusts the user trust store

It is good idea to check this configuration even before attempting to bypass the certificate pinning or else one may end up in a rabbit hole.

Even if a app does trust the user store in the configuration you may still have trouble proxying all the applications traffic. If the app uses the WebViews for loading any HTTPS web pages in the app they might not be loaded on the app. As the WebViews do not trust the user store even if the app does so.

Installing the certificate of proxy server in the system store will solve this issues.

Steps to install Burp root certificate in the Android System Trust Store

My favourite proxy tool is Burp. I’ll be showing steps to get this setup done with Burp Suite. You can get similar setup done if you are using any other proxy tools as well.

First of all we need to get the certificate that we need to add to the Android’s system trust store. We can use the certificate that Burp suite generates but it will cause issues while proxying the WebView traffic due it validity period. The Burp root certificate is valid for 20 years. We need to create a root certificate that is valid for 10 year.

A root certificate can be created using openssl or any similar tool. KeyStore Explores is a great tool with a UI which can be used to generate a root certificate.

Create a root certificate:

1. Create a new KeyStore and generate a new key pair with a validity of 10 years. If the validity is too long the WebView traffic cannot be proxied. Thus adding the burp proxy’s certificate directly to android system trust store will cause problems. SO, it is a good idea to create a new root certificate will appropriate validity period.

2. Fill in the CN, OU, O, L, ST and C fileds of the certificate. The add the following Basic Constraints and Key Usage Extensions to the key pair that you are generating.

3. Once the keypair is generated export the certificate in .cer format and save the keystore with a password in PCKS # 12 keystore format.

Import the private key to burp proxy

Add the certificate to System Trust Store:

The certificate file should be renamed before it can be added to Android System trust store. The file name should be certificates old hash appended by a .0 (its zero not a letter o) extension. The old hash can be generated by using the following command. Once the old hash is generated rename the certificate file to <old_hash>.0 format.

openssl x509 -inform PEM -subject_hash_old -in <exported_cert_file>| head -1
mv <exported_cert_file> <old_hash>.0

Push the certificate onto the device using ADB.

adb push <old_hash>.0 /sdcard/

By default the /system directory will be read only mode. It needs to be remounted to read-write so that the certificated we just pushed on to device can be placed in the directory where the systems certificates are present.

$ adb shell
shamu:/ $ su
shamu:/ # mount -o rw,remount /system /system

If you get a error message which says “mount: ‘/system’ not in /proc/mounts” then, you will have to replace the content in bold in the above command accordingly. All the mounted filesystems on that device or emulator can be found in /proc/mount file. so a simple cat and grep can help us find the correct name.

shamu:/ # cat /proc/mounts | grep system
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0

This is usually the case while working with a physical device. You will need to use the following command to remount the system fislesystem.

shamu:/ # mount -o rw,remount /dev/block/platform/msm_sdcc.1/by-name/system /system

Once the filesystem is remount to read-write we can copy our certificate to the system trust store the set the appropriate permissions, user and group. Once that is done you need to reboot the device and you can see the certificate added to the system trust store.

shamu:/ # cp /sdcard/<old_hash>.0 /system/etc/security/cacerts/<old_hash>.0
shamu:/ # chmod 644 /system/etc/security/cacerts/<old_hash>.0
shamu:/ # chown root:root /system/etc/security/cacerts/<old_hash>.0
shamu:/ # reboot

References:

https://keystore-explorer.org

https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/