1. Objectives

To capture an app's traffic, you first need the app to trust the certificate of the capture software.

However, starting from Android 7.0, the system no longer trusts user CA certificates, so you need to install the CA certificate to the system CA certificate directory.

If the device is rooted with Magisk, this task is relatively simple: you only need to install the Move Certificates module.

But today’s story starts with me flashing a new ROM. This ROM is quite strange: after flashing, the adb connection is already root, but apps cannot obtain root.

Oh my god, did I accidentally flash a ROM with hidden root? Now I can’t bear to install Magisk.

Now the question is: how to install the certificate into the system directory?

2. Steps

The brute-force way

Calculate the certificate name

openssl x509 -subject_hash_old -in charles-ssl-proxying-certificate_saved.pem

This prints a hash value such as 3a1074b3.

Then rename the original Charles certificate charles-ssl-proxying-certificate_saved.pem to 3a1074b3.0.

Finally, copy the file 3a1074b3.0 into the /system/etc/security/cacerts/ directory.

Done~~
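Where that 8-digit name comes from, as an added example that is not part of the original post: a standard-library Python reimplementation of what `openssl x509 -subject_hash_old` computes (MD5 over the DER-encoded subject Name, first four bytes read little-endian), which walks the certificate's DER to the subject and builds the cacerts filename. The certificate it runs on is a constructed, unsigned X.509 skeleton with the hypothetical CN "Charles Proxy CA", so its output is not the name of any real CA.

```python
"""Android cacerts filename (<subject_hash_old>.0) for a PEM CA, standard library only.
Mirrors `openssl x509 -subject_hash_old`: MD5 of the DER subject Name, first 4 bytes little-endian."""
import base64
import hashlib
import re

def _tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value_start, end_of_tlv)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pem_to_der(pem_text):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem_text, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def subject_name_der(cert_der):
    """Whole subject Name TLV (header included), i.e. what OpenSSL's i2d_X509_NAME emits."""
    _, pos, _ = _tlv(cert_der, 0)          # Certificate SEQUENCE -> tbsCertificate
    _, pos, _ = _tlv(cert_der, pos)        # tbsCertificate SEQUENCE -> first field
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                        # optional explicit [0] version comes first
        pos = end
    for _ in range(4):                     # serialNumber, signature, issuer, validity
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)        # subject
    return cert_der[pos:end]

def subject_hash_old(name_der):
    return "%08x" % int.from_bytes(hashlib.md5(name_der).digest()[:4], "little")

def cacerts_filename(cert_der, index=0):
    """Name Android looks up; raise index only if another trusted CA shares the hash."""
    return "%s.%d" % (subject_hash_old(subject_name_der(cert_der)), index)

# Constructed sample: a syntactically valid but unsigned X.509 skeleton, not a real CA.
def _der(tag, content):
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if not lb else 0x80 | len(lb)]) + lb + content

def sample_cert_der(common_name="Charles Proxy CA"):
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")      # CN=
                                           + _der(0x0C, common_name.encode()))))
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
           + name + validity + name)       # issuer == subject, as for a self-signed CA
    return _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00"))
```

For a real file, `cacerts_filename(pem_to_der(open("charles-ssl-proxying-certificate_saved.pem").read()))` gives the same name as the openssl command above; the ".0" suffix is an index, so two CAs whose subjects collide on the hash would be stored as ".0" and ".1".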

The ideal is full, but reality is thin: /system is most likely not writable, and even with root privileges you cannot write into it.

I asked Google, and it said I could remount /system as read-write, but I didn’t succeed.

Two approaches have worked for me before:

  1. Install RootExplorer.apk and use it to mount /system as read-write.
  2. adb reboot recovery to enter the previously flashed TWRP, then write to /system from TWRP.

But this time both fell apart: RootExplorer could not load or read the directory, and after TWRP finished writing to /system the ROM went haywire, Settings could not be opened, and it kept throwing errors.

Learning from others

I remembered the packet-capture tool HTTP Toolkit, which has an "Android Device via ADB" mode that captures packets smoothly.

This means it can use ADB to write the certificate to /system. After all, my ADB has root permissions.

It’s amazing, how is it possible?

This started another long journey through Google, and finally I found an article on their official website that described in detail a magical solution for writing system certificates through adb with root privileges.

  1. Push the HTTP Toolkit CA certificate to the device via ADB.
  2. Copy all system certificates from /system/etc/security/cacerts/ to a temporary directory.
  3. Mount a tmpfs ram filesystem on /system/etc/security/cacerts/. This effectively places a new, empty, writable filesystem on a small portion of /system. Move the copied system certificates back to that mount point.
  4. Move the HTTP Toolkit CA certificate to the mount point as well.
  5. Update the permissions of all files in the temporary mount point to 644, and set their SELinux label to system_file so they look like legitimate Android system files.

The key point is mounting an in-memory filesystem, which is very clever.

Show me the Code

# htk-inject-system-cert.sh
set -e # Fail on error
# Create a separate temp directory, to hold the current certificates
# Without this, when we add the mount we can't read the current certs anymore.
mkdir -m 700 /data/local/tmp/htk-ca-copy
# Copy out the existing certificates
cp /system/etc/security/cacerts/* /data/local/tmp/htk-ca-copy/
# Create the in-memory mount on top of the system certs folder
mount -t tmpfs tmpfs /system/etc/security/cacerts
# Copy the existing certs back into the tmpfs mount, so we keep trusting them
mv /data/local/tmp/htk-ca-copy/* /system/etc/security/cacerts/
# Copy our new cert in, so we trust that too
cp /data/local/tmp/c88f7ed0.0 /system/etc/security/cacerts/
# Update the perms & selinux context labels, so everything is as readable as before
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*
# Delete the temp cert directory & this script itself
rm -r /data/local/tmp/htk-ca-copy
# rm ${injectionScriptPath}
echo "System cert successfully injected"

Since the in-memory filesystem is lost on reboot, just save this as a script and run it before each capture session; that is hardly any trouble.

Conclusion

Sometimes magical technology is just a sheet of window paper: once you poke through it, you are amazed at how simple it is.

Once you have mastered a new solution, you can apply it to other situations in the future.

References

https://httptoolkit.com/blog/intercepting-android-https/

https://github.com/httptoolkit/httptoolkit-server/blob/8a4b4d283fbe98694ddd09a44d6e9c9941aa91e2/src/interceptors/android/adb-commands.ts