南村一童

Capturing HTTPS traffic on a Mac with the Android Studio emulator

Recently, while testing an APK, I found that the usual approach (export the Burp certificate, install it, and set the proxy in the Wi-Fi settings) could not capture HTTPS traffic. (Using Proxifier to route the Android emulator through the Burp proxy works, but I don't want to do that.) A search showed that, starting with Android 7.0, the system by default trusts only system certificates and no longer trusts user-installed certificates. After multiple failed attempts to capture the APK's HTTPS messages with various emulators, I still chose Android Studio. The approach is to install the certificate as a system certificate.

Prepare the Burp certificate
  1. Export the Burp certificate.
  2. Use OpenSSL to change the certificate format: first convert the Burp certificate from DER to PEM, then obtain the certificate's hash.
openssl x509 -inform DER -in burp.der -out burp.pem
openssl x509 -inform PEM -subject_hash_old -in burp.pem

Rename the file to <hash>.0, using the hash just obtained.

mv burp.pem 9a5ba575.0
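
The convert, hash and rename steps above as one script, with a check that the file name really matches the certificate before it is pushed. This is an added example, not part of the original post: the function names prepare_system_ca and check_system_ca are hypothetical, and -noout is added so that only the hash is printed.

```bash
#!/usr/bin/env bash
# Added example: the names below are hypothetical, not from the original post.

# prepare_system_ca <cert.der> <out_dir>
# Converts a DER certificate to PEM, computes the legacy subject hash used for
# file names in /system/etc/security/cacerts, writes <out_dir>/<hash>.0 and
# prints that path.
prepare_system_ca() {
    der=$1
    out_dir=$2
    [ -r "$der" ] || { echo "cannot read: $der" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Fails if the input cannot be parsed as an X.509 certificate.
    if ! openssl x509 -inform DER -in "$der" -out "$tmp" 2>/dev/null; then
        echo "not a DER certificate: $der" >&2
        rm -f "$tmp"
        return 1
    fi
    # -noout drops the PEM dump so only the hash line is captured.
    name_hash=$(openssl x509 -inform PEM -subject_hash_old -noout -in "$tmp")
    if ! printf '%s\n' "$name_hash" | grep -Eq '^[0-9a-f]{8}$'; then
        echo "unexpected hash output: $name_hash" >&2
        rm -f "$tmp"
        return 1
    fi
    dest="$out_dir/$name_hash.0"
    # 644 matches the mode the post sets on the device copy.
    mv "$tmp" "$dest" && chmod 644 "$dest" && printf '%s\n' "$dest"
}

# check_system_ca <file>
# Succeeds only if <file> is a PEM certificate named <subject_hash_old>.0,
# which is worth confirming before the file is pushed to the emulator.
check_system_ca() {
    want=$(openssl x509 -inform PEM -subject_hash_old -noout -in "$1" 2>/dev/null) || return 1
    [ "$(basename "$1")" = "$want.0" ]
}

# Stand-alone use: ./prepare_ca.sh burp.der [out_dir]
if [ "$#" -ge 1 ]; then
    prepare_system_ca "$1" "${2:-.}"
fi
```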

Prepare the emulator
  1. Open Android Studio and create a new emulator. See the details in the image.
    image.png

The system image can be selected as needed.

Enter a name for the emulator and set its storage size; allocate generously to avoid running out of installation space.

  2. Start the emulator with the emulator command, which by default is located in /Users/{{username}}/Library/Android/sdk/emulator. Add the -no-snapshot-load parameter to save the emulator state; otherwise, after restarting the emulator, you have to run the adb root and remount commands again to modify the certificate permissions.
View all emulators: emulator -list-avds
Then start the emulator: emulator @Resizable_API_33 -writable-system -no-snapshot-load


Upload the certificate
  1. Use adb to remount the system partition so that it is readable and writable.
adb root              # Restart adbd with root permissions
adb disable-verity    # Disable verification (dm-verity) of the partition
adb reboot            # Restart the device
adb remount           # Remount the system partition as readable and writable


  2. Upload the certificate.
adb push 9a5ba575.0 /sdcard    # Upload the certificate to the /sdcard directory
adb shell    # Open a shell on the device; whoami shows whether you are root at this point
cp /sdcard/9a5ba575.0 /system/etc/security/cacerts/    # Inside the shell, copy the certificate to the system certificate directory
chmod 644 /system/etc/security/cacerts/9a5ba575.0    # Set the certificate's permissions


  3. Check that the certificate was installed successfully.
    In the emulator UI, go to Settings -> Security -> More security settings -> Encryption & credentials -> Trusted credentials.

Configure the Wi-Fi proxy


Capture success
