Burp with Android Studio Nougat AVD
I needed to set up some new systems for mobile application penetration tests at the start of January, and part of this process includes importing Burp’s certificate for traffic interception. I have set this up in the past, but it seems to change fairly regularly with newer versions of Android emulators.
I installed the latest version of Android Studio and set up an Android Virtual Device (AVD) emulator based on Nougat (Android 7.0). I reviewed all the various guides I could find, but none of them quite worked correctly. I eventually figured it out, got the systems set up, and moved on, but then last week I came across a Tweet by ropnop for his blog post titled “Configuring Burp Suite with Android Nougat.” It is a great guide, but some of its steps are exactly what did not work for me and resulted in a lot of troubleshooting. This inspired me to write this post, as others might be experiencing the same thing with AVDs created and run with Android Studio.
I will not provide detailed screenshots of all of the steps, as the above post by ropnop does a great job. The key steps are:
- Export Burp’s certificate in DER format
- Convert the certificate from DER to PEM format: openssl x509 -inform DER -in burpmobile.der -out burpmobile.pem -outform PEM
- Get the hash of the certificate: openssl x509 -inform PEM -subject_hash_old -in burpmobile.pem | head -1
- Rename the PEM certificate to the hash output above with an extension of .0 (that is a zero): mv burpmobile.pem <hash>.0
The next steps then changed a little bit on all the machines in which I performed this task. The Google documentation, and ropnop’s guide, each uses adb next to obtain root access and then remount the /system directory as read-write. This is necessary as you must copy the certificate to the system directory. When I performed these steps, everything seemed to work. The commands all completed successfully and a ‘mount -v’ showed /system as being mounted as read-write. However, as soon as I attempted to copy the certificate to the proper directory in /system, I received a write error and then a subsequent execution of ‘mount -v’ showed /system as being mounted read-only. Weird.
I began looking at ways to start the AVD myself vs. using the tools within Android Studio. I came across the documentation for the emulator.exe tool and noticed the ‘-writable-system’ command line switch. This ended up being the key to resolving my issue. The final steps for me ended up being to start the emulator directly with the ‘-writable-system’ switch, get root access, set /system to read-write, then upload the certificate:
- Start the emulator: emulator.exe -writable-system -camera-back none -camera-front none -netdelay none -netspeed full -avd <Name of AVD>
- Get root access: adb -s <emulator_id> root
- Mount /system as read-write: adb -s <emulator_id> remount
- Upload the certificate to the AVD: adb -s <emulator_id> push C:\Tools\burp\<hash>.0 /storage/emulated/0/Download/
- Access the AVD shell: adb -s <emulator_id> shell
- Move the certificate to the appropriate directory: mv /storage/emulated/0/Download/<hash>.0 /system/etc/security/cacerts/
- Set the appropriate permissions on the certificate: chmod 644 /system/etc/security/cacerts/<hash>.0
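The certificate preparation and emulator steps above combined into one script, as an added example rather than the author's own tooling. The function names and the `install` argument are assumptions; the script also reports when /system has dropped back to read-only, the symptom described above.

```bash
#!/usr/bin/env bash
# Added example, not the author's script; function names are hypothetical.
CACERTS=/system/etc/security/cacerts
STAGING=/storage/emulated/0/Download

# File name Android expects for a system CA: <subject_hash_old>.0
cert_filename() {  # $1 = PEM certificate
  local h
  h=$(openssl x509 -inform PEM -subject_hash_old -noout -in "$1") || return 1
  printf '%s.0\n' "$h"
}

# Succeeds only if the supplied `mount` output lists /system as read-write.
# Accepts "dev on /system type ext4 (opts)" and /proc/mounts-style lines.
system_is_rw() {  # $1 = text printed by `adb shell mount`
  printf '%s\n' "$1" | awk '
    { if ($2 == "on") { mp = $3; opts = $6 } else { mp = $2; opts = $4 } }
    mp == "/system" {
      gsub(/[()\r]/, "", opts); rw = 0
      n = split(opts, o, ",")
      for (i = 1; i <= n; i++) if (o[i] == "rw") rw = 1
    }
    END { exit (rw ? 0 : 1) }'
}

# Convert Burp's DER export, name it by hash, and place it in the system store.
install_burp_ca() {  # $1 = emulator id from `adb devices`, $2 = DER file
  local id="$1" der="$2" pem name
  pem=$(mktemp) || return 1
  openssl x509 -inform DER -in "$der" -out "$pem" -outform PEM || return 1
  name=$(cert_filename "$pem") || return 1
  adb -s "$id" root && adb -s "$id" wait-for-device && adb -s "$id" remount || return 1
  adb -s "$id" push "$pem" "$STAGING/$name" || return 1
  if ! adb -s "$id" shell mv "$STAGING/$name" "$CACERTS/$name"; then
    system_is_rw "$(adb -s "$id" shell mount)" ||
      echo "/system is read-only again: start the emulator with -writable-system" >&2
    return 1
  fi
  adb -s "$id" shell chmod 644 "$CACERTS/$name"
}

# Usage: ./install_ca.sh install <emulator_id> burpmobile.der
if [ "${1:-}" = install ]; then install_burp_ca "$2" "$3"; fi
```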
One other issue I ran into on a few of the installs was Android Studio setting specific files in the AVD directory to read-only. I have no idea why this occurred on a handful of these but it did. The only thing I could think of is that these were installed almost a week later and maybe the installer pulled in updates as part of the process that causes this issue ¯\_(ツ)_/¯. The fix required three changes to this process:
- Use Windows attrib command to remove the read-only flag from all files in the AVD directory: attrib -r C:\Users\<username>\.android\avd\<Name of AVD> /S /D
- Use the ‘-no-snapshot-load’ command line switch on step #1 above with emulator.exe to perform a cold boot and completely disable Quick Boot mode
- Configure my AVD with Android Studio to disable support for Quick Boot