Saturday, May 12, 2012

Android Emulator, Trusted CA, and Persistent Storage

UPDATE - An easier way to do this can be found on our update post here

Android periodically updates its SDK, and sometimes when this happens, old methods for importing a Trusted CA (necessary to proxy SSL traffic) fail and you must find a new solution. Technically speaking, the import is not necessarily the problem; the problem is saving those changes between restarts of the emulator. If you've worked with the emulator, you'll have noticed that after importing a Trusted CA such as BurpSuite's certificate, the changes only take effect once you've rebooted the emulator. In other words, you have to restart the emulator, and without the steps below, that restart loses your updated Trusted CA list.

Using Android SDK 19, the solution was to move a temporary file and rename it. Let's begin:

After creating your Android Virtual Device (AVD) named "test"....

Step 1 - Run the emulator





Step 2 - While running, pull the cacerts.bks file






Step 3 - Get the keytool






Step 4 - Import the PortSwigger SSL Certificate into the cacerts.bks file w/ keytool
NOTE: Exporting PortSwigger SSL Certificate instructions here - http://carnal0wnage.attackresearch.com/2010/11/iphone-burp.html




Step 5 - Remount the emulator /system folder with read-write permissions





Step 6 - Push the cacerts.bks file up onto the emulator





Step 7 - Move the tmp file to your local avd directory and rename it to system.img





Step 8 - Restart, rm cacerts.bks, pull down the copy from emulator, ensure certificate still exists in cacerts.bks file






This data persisted because we moved the temporary copy (emulator-<random string>) from /tmp/android-<myname>/ and renamed it to system.img. Lastly, we placed the image file in the ~/.android/avd/test.avd/ directory.
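Step 7 written as a shell function, as an added example that is not the author's own commands. The function name `persist_system_image`, the `system.img.bak` backup, and the choice to copy rather than move the file are assumptions made here; the paths are the ones named in the post.

```shell
#!/bin/sh
# Added example: persist the emulator's modified system partition (Step 7).
# Usage: script.sh /tmp/android-<myname> ~/.android/avd/test.avd

persist_system_image() {
    local tmp_dir avd_dir count src f
    tmp_dir="$1"; avd_dir="$2"; count=0; src=""

    [ -d "$tmp_dir" ] || { echo "no temp dir: $tmp_dir" >&2; return 2; }
    [ -d "$avd_dir" ] || { echo "no AVD dir: $avd_dir" >&2; return 2; }

    # Find the temporary copy (emulator-<random string>) described in the post.
    for f in "$tmp_dir"/emulator-*; do
        if [ -f "$f" ]; then
            count=$((count + 1))
            src="$f"
        fi
    done

    # Zero files: nothing to persist.
    # Several files: refuse to guess which copy holds the updated cacerts.bks.
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 emulator-* file, found $count" >&2
        return 3
    fi

    # Keep any earlier per-AVD image so the change can be rolled back.
    if [ -f "$avd_dir/system.img" ]; then
        cp -p "$avd_dir/system.img" "$avd_dir/system.img.bak" || return 4
    fi

    # Copy instead of move (a choice made here): the source file stays in place.
    cp "$src" "$avd_dir/system.img" || return 4
    echo "$avd_dir/system.img"
}

# Only act when both directories are given on the command line.
if [ "$#" -eq 2 ]; then
    persist_system_image "$1" "$2"
fi
```
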

hack on,

cktricky

8 comments:

  1. Note that ICS (4.0) renders this approach redundant, as you can simply push the CA certificate onto the SD card and import it through Settings.

  2. The approach being the use of keytool, or the work-around to persist data between restarts?

  3. Both -- on ICS, adding certificates (CA or otherwise) through Settings (Settings-> Security-> Credential Storage -> [Install from storage]) obviates the need for pulling the keystore and the added certs persist between reboots, as the store is on /data (specifically /data/misc/keychain/cacerts-added).

  4. Good info!

    Yes, I had actually initially tried doing it that way w/ AVD 2.2 (install from settings) and it didn't persist. Good to know that 4+ (I think that is the newer version) persists automatically.

    I'll try the latest version and see if it persists, and update via comments.

    Cheers

  5. Updated with a new post to cover AVD 4.0.3. I tried installing through settings on this version of the AVD.....worked like a charm.

    Thanks!

  6. While this does work and the certificate does persist, accessing an HTTPS page in the emulator browser gives me a pop-up asking me to confirm I want to accept Burp's certificate. I shouldn't have to do that... right? It's already a trusted certificate.

    The interesting thing is that the certificate IS clearly there...querying with keytool shows that the cert is persistent. For some reason though...it still prompts me. Any ideas? Thanks

  7. I should probably write a blog post on the resolution for certificate names.

    Quick fix or a short-term solution in the meantime is to try browsing to https://twitter.com.....you'll get the cert mismatch error.

    Now go into Burp > Proxy > Options, click on the proxy listener, click edit, go to the tab that says certificate, click the radio button next to "generate CA-signed per-host certificates" and then, in the text field, enter twitter.com.

    Now try browsing again from the emulator browser to https://twitter.com, it will work (but not for mobile.twitter.com) but you get my point. You have to resolve the name of the site cert manually.

    Again, I'll probably put out a better solution that makes things easier than this.

  8. As mentioned on the other post, I hear PortSwigger has fixed the problem with the latest version of BurpSuite Professional.
