Recently, while testing an APK, I found that the usual approach (export the Burp certificate, install it, and set the proxy in the Wi-Fi settings) could not capture HTTPS traffic. Using Proxifier to route the Android emulator through the Burp proxy works, but I don't want to do that. A search showed that starting with Android 7.0, the system trusts only system certificates by default and no longer trusts user-installed certificates. After several failed attempts to capture the APK's HTTPS traffic with various emulators, I settled on the Android Studio emulator and installed the certificate into the system certificate store.
Prepare the Burp certificate
- Export the Burp certificate.
- Use OpenSSL to change the certificate format. First convert the Burp certificate from DER format to PEM format, and then obtain the hash of the certificate.
```shell
openssl x509 -inform DER -in burp.der -out burp.pem
openssl x509 -inform PEM -subject_hash_old -in burp.pem
```
Rename the file to the hash obtained above, followed by .0.
```shell
mv burp.pem 9a5ba575.0
```
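The hash printed by `-subject_hash_old` is the MD5 of the certificate's DER-encoded subject name, with the first four digest bytes read little-endian. The Python below is an added example (not part of the original post) that recomputes the file name from a DER certificate such as burp.der. The function names are illustrative, and the sample bytes are a constructed, unsigned certificate skeleton.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element that starts at pos."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def subject_der(cert):
    """Return the subject Name of a DER X.509 certificate, header included."""
    _, pos, _ = read_tlv(cert, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)    # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                    # optional [0] version field
        pos = end
    for _ in range(4):                 # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return cert[pos:end]

def subject_hash_old(cert):
    """MD5 of the subject DER; first 4 digest bytes read little-endian."""
    digest = hashlib.md5(subject_der(cert)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def cacerts_name(cert):
    """File name Android expects in /system/etc/security/cacerts/."""
    return subject_hash_old(cert) + ".0"

# Constructed sample: unsigned certificate skeleton, not a real CA.
NAME_PREFIX = bytes.fromhex("30123110300e06035504030c07")  # CN, 7-char UTF8String
ISSUER = NAME_PREFIX + b"Root CA"
SUBJECT = NAME_PREFIX + b"Test CA"
VALIDITY = b"\x30\x1e\x17\x0d240101000000Z\x17\x0d340101000000Z"
TBS_BODY = (bytes.fromhex("a003020102" "020101" "300d06092a864886f70d01010b0500")
            + ISSUER + VALIDITY + SUBJECT)
TBS = bytes([0x30, len(TBS_BODY)]) + TBS_BODY
SAMPLE_CERT = bytes([0x30, len(TBS)]) + TBS

if __name__ == "__main__":
    print(cacerts_name(SAMPLE_CERT))
```

To check a real export, pass the bytes of burp.der to `cacerts_name` and compare the result with the name used in the `mv` step.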
Prepare the emulator
- Open Android Studio and create a new emulator. See the details in the image.
The system image can be selected as needed.
Enter a name for the emulator and set its storage size; allocate extra space so that installation does not run out of room.
- Start the emulator with the emulator command. Its default location is /Users/{{username}}/Library/Android/sdk/emulator. Add the -no-snapshot-load parameter to save the emulator state; otherwise, after restarting the emulator, you need to run the adb root and remount commands again to modify the certificate permissions.
```shell
emulator -list-avds                                             # view all emulators
emulator @Resizable_API_33 -writable-system -no-snapshot-load   # then start the emulator
```
Upload the certificate
- Use adb to remount the system partition so that it is readable and writable.
```shell
adb root             # switch to root permission
adb disable-verity   # disable dm-verity verification of the partition
adb reboot           # restart the device
adb remount          # remount the system partition as readable and writable
```
- Upload the certificate.
```shell
adb push 9a5ba575.0 /sdcard   # upload the certificate to the /sdcard directory
adb shell                     # enter the device shell; whoami shows whether you are root at this point
# inside the device shell:
cp /sdcard/9a5ba575.0 /system/etc/security/cacerts/   # copy the certificate to the system certificate directory
chmod 644 /system/etc/security/cacerts/9a5ba575.0     # set the certificate permissions
```
- Check if the certificate is installed successfully.
In the emulator, go to Settings -> Security -> More security settings -> Encryption & credentials -> Trusted credentials.
Configure the Wi-Fi proxy
Capture success