Pentesting setup: Burp, Android and Macbook M1
Setting up a pentesting environment on a Macbook M1 for an Android device is really easy, and you can intercept all the requests sent from the device in Burp Suite. Let’s do that.
You will need Android Studio; make sure you download the ARM version. Yes, we all hate Google.
Open Android Studio and create a device using an API level that is supported by modern applications (for example Pixel 2, API 32, arm64-v8a architecture), or leave the default device (Pixel_3a_API_32_arm64-v8a).
Launch the emulator using your device name (that you specified in the step above, remember to replace YOUR_USER with your actual macOS username; in my case, the username is the name of my pet horse, Twinkles; just kidding, that’s the name of my pet fish, my pet horse is named Fondue):
$ cd /Users/YOUR_USER/Library/Android/sdk/emulator
$ ./emulator -avd Pixel_3a_API_32_arm64-v8a -writable-system
The -writable-system flag is needed so that we can install the Burp Suite certificate as a system-level Trusted CA.
- Export the Burp Suite certificate in .DER format and save it as cacert.der, for example. Open Burp Suite, go to Proxy -> Options and click on the Import / Export CA certificate button.
Also, you probably noticed that the exported certificate is in .DER format and Android expects it to be in .PEM format and to have a custom name too (the name must be the subject_hash_old value appended with .0). So, we’ll use openssl to convert the certificate, get the value of the subject_hash_old field and rename the file accordingly.
$ openssl x509 -inform DER -in cacert.der -out cacert.pem
$ openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
9a5ba575
$ mv cacert.pem 9a5ba575.0
- Let’s copy the certificate to the virtual device using adb:
$ adb root
$ adb remount
$ adb push 9a5ba575.0 /sdcard/
Since the -writable-system flag was used when starting the device emulator, we can now copy the file to /system/etc/security/cacerts and chmod it to 644:
$ adb shell
emulator64_arm64:/ # mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
emulator64_arm64:/ # chmod 644 /system/etc/security/cacerts/9a5ba575.0
emulator64_arm64:/ # exit
Don’t forget to reboot the emulator:
$ adb reboot
- Open Extended Controls in the emulator, Settings, go to the Proxy tab, click on the Manual proxy configuration checkbox and fill in the Host name and Port number fields as in your Burp Suite configuration.
That’s it, now you can intercept all requests from the emulator device with Burp Suite.
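The file name used in the openssl step is not arbitrary: subject_hash_old is MD5 over the DER-encoded subject Name, with the first four digest bytes read little-endian. The following added example (not part of the original post) recomputes it in Python, so you can check that a file under /system/etc/security/cacerts is named after the certificate it contains. SAMPLE_CERT is a constructed skeleton rather than a real certificate, and the function names are made up for this example.

```python
import hashlib

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, content_start, end)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def subject_der(cert):
    """Return the raw DER encoding of the certificate's subject Name."""
    tag, pos, _ = read_tlv(cert, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not DER (base64-decode PEM input first)")
    _, pos, _ = read_tlv(cert, pos)          # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for skipped in range(4):                 # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("subject Name not found")
    return cert[pos:end]

def subject_hash_old(cert):
    """Same value as `openssl x509 -subject_hash_old`, as 8 hex digits."""
    digest = hashlib.md5(subject_der(cert)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def android_ca_filename(cert, index=0):
    """File name expected in /system/etc/security/cacerts: <hash>.<index>."""
    return "%s.%d" % (subject_hash_old(cert), index)

# Constructed sample: minimal DER skeleton with distinct issuer and subject.
SAMPLE_SUBJECT = bytes.fromhex("30153113301106035504030c0a") + b"Example CA"
SAMPLE_ISSUER = bytes.fromhex("30143112301006035504030c09") + b"Issuer CA"
SAMPLE_CERT = (
    bytes.fromhex("3042303ba0030201020201013000") + SAMPLE_ISSUER
    + bytes.fromhex("3000") + SAMPLE_SUBJECT
    + bytes.fromhex("30003000030100")
)

if __name__ == "__main__":
    print(android_ca_filename(SAMPLE_CERT))
```

To run it on the real certificate, pass the bytes of cacert.der: `android_ca_filename(open("cacert.der", "rb").read())`.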
created Sunday, April 10, 2022
tags #pentesting, #android, #m1, #burp suite, #proxy