Pentesting setup: Burp, Android and Macbook M1

Sunday, April 10, 2022

Setting up a pentesting environment on a Macbook M1 for an Android device is really easy and you can intercept in Burp Suite all the requests sent from the device. Let’s do that.
  1. You will need Android Studio, make sure you download the ARM version. Yes, we all hate Google.

  2. Open Android Studio and create a device using an API level that is supported by modern applications (for example Pixel 2, API 32, arm64-v8a architecture), or leave the default device (Pixel_3a_API_32_arm64-v8a).

  3. Launch the emulator using your device name (that you specified in the step above, remember to replace YOUR_USER with your actual macOS username; in my case, the username is the name of my pet horse, Twinkles; just kidding, that’s the name of my pet fish, my pet horse is named Fondue):

$ cd /Users/YOUR_USER/Library/Android/sdk/emulator
$ ./emulator -avd Pixel_3a_API_32_arm64-v8a -writable-system

The -writable-system flag is needed so that we can install the Burp Suite certificate as a system-level Trusted CA. This matters because apps targeting Android 7 (API 24) and later do not trust user-installed CAs by default, so importing the certificate through the user store would not let Burp intercept their traffic.

  4. Export the Burp Suite certificate in .DER format and save it as cacert.der, for example. Open Burp Suite, go to Proxy -> Options and click on the Import / Export CA certificate button.

The exported certificate is in .DER format, but Android’s system CA store expects it in .PEM format and with a specific file name: the subject_hash_old value of the certificate with .0 appended. So, we’ll use openssl to convert the certificate, get the value of the subject_hash_old field and rename the file accordingly.

$ openssl x509 -inform DER -in cacert.der -out cacert.pem
$ openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
9a5ba575
$ mv cacert.pem 9a5ba575.0
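To make the naming rule concrete, here is an added example (my own code, not from the original post or from Burp Suite) that reimplements what openssl x509 -subject_hash_old prints: the MD5 of the DER-encoded subject Name, with its first four bytes read as a little-endian 32-bit integer and printed as eight hex digits. It uses only the standard library, accepts either PEM or DER input, and is handy for checking that a file already sitting in /system/etc/security/cacerts/ actually carries the name Android will look for. The function and variable names are mine.

```python
"""Derive the Android system CA-store filename (<subject_hash_old>.0) for a certificate.

Reimplements OpenSSL's X509_NAME_hash_old on the certificate's subject:
MD5 over the DER-encoded Name (including its outer SEQUENCE tag and length),
first four digest bytes interpreted as a little-endian unsigned 32-bit int.
"""
import base64
import hashlib
import re
import struct
import sys


def _read_tlv(data: bytes, pos: int):
    """Parse the DER tag and length at `pos`; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def pem_to_der(cert: bytes) -> bytes:
    """Strip PEM armor and base64-decode; DER input is returned unchanged."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert, re.S)
    if not m:
        return cert
    return base64.b64decode(b"".join(m.group(1).split()))


def extract_subject(der: bytes) -> bytes:
    """Return the DER bytes of the subject Name inside an X.509 Certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
    #     signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    tag, pos, _ = _read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, nxt = _read_tlv(der, pos)
    if tag == 0xA0:  # explicit [0] version is present: skip it
        pos = nxt
    for _ in range(4):  # skip serialNumber, signature, issuer, validity
        _, _, pos = _read_tlv(der, pos)
    tag, _, end = _read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return der[pos:end]  # keep tag + length: that is what OpenSSL hashes


def subject_hash_old(cert: bytes) -> str:
    """Eight lowercase hex digits, identical to `openssl x509 -subject_hash_old`."""
    digest = hashlib.md5(extract_subject(pem_to_der(cert))).digest()
    (value,) = struct.unpack("<I", digest[:4])
    return f"{value:08x}"


def android_ca_filename(cert: bytes) -> str:
    """The file name Android expects under /system/etc/security/cacerts/."""
    return subject_hash_old(cert) + ".0"


if __name__ == "__main__":
    # usage: python3 ca_name.py cacert.pem   (or cacert.der)
    with open(sys.argv[1], "rb") as f:
        print(android_ca_filename(f.read()))
```

Running it on the exported Burp certificate prints the same value the openssl one-liner above gives (9a5ba575.0 in the post’s run); if the name of the file you pushed to the device differs from that output, Android will silently ignore it and Burp will only see TLS handshake failures.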
  5. Let’s copy the certificate to the virtual device using adb:
$ adb root
$ adb remount
$ adb push 9a5ba575.0 /sdcard/

Since the -writable-system flag was used when starting the device emulator, we can now copy the file to /system/etc/security/cacerts and chmod it to 644:

$ adb shell
emulator64_arm64:/ # mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
emulator64_arm64:/ # chmod 644 /system/etc/security/cacerts/9a5ba575.0
emulator64_arm64:/ # exit

Don’t forget to reboot the emulator:

$ adb reboot
  6. Open the emulator’s Extended Controls, go to Settings -> Proxy, tick the Manual proxy configuration checkbox and fill in the Host name and Port number fields with the values of your Burp Suite proxy listener.

That’s it, now you can intercept all requests from the emulator device with Burp Suite.