
SSL Trust Factor in Android Native Apps

Android native applications that talk to a server over HTTPS usually rely on the default networking APIs the platform provides. By default, those APIs validate the SSL certificate presented by the server before handing the connection over to application code. When the app's traffic is routed through an intercepting HTTP proxy for testing or auditing, the proxy presents a certificate signed by its own CA, validation fails, and the app refuses to load. It may or may not show the user a reason.

So the platform's (correct) behaviour ends up causing TROUBLE for penetration testers and for anyone else who needs to test a native application.

Thanks to the open source community, we have a way to hack the Android OS trust settings so that we can carry on with our work.

This article only walks through changing the Android OS security setting; it assumes basic working knowledge of ADB (Android Debug Bridge) and of the device file system.

Disclaimer: The methods described below were only tested on Android 2.1 on a Samsung Galaxy S (I9000). Always take backups of the files that are being replaced. The device must be rooted.

>   command prompt on the working machine

$   shell access to the device with normal privileges

#   shell access to the device with root privileges

Device (Samsung Galaxy S):

>adb pull /system/etc/security/cacerts.bks .
>keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "C:\Program Files\Java\jdk1.6.0_24\lib\bcprov-jdk16-141.jar" -storepass changeit -import -v -trustcacerts -alias youraliasname -file "C:\sslcerts\proxyca.cer"
>adb shell mount -o remount,rw /system
>adb push cacerts.bks /sdcard/
>adb shell
$su
#cd /system/etc/security
#cat cacerts.bks > cacerts.bks.bak
#rm cacerts.bks
#cat /sdcard/cacerts.bks > cacerts.bks
#exit
$exit
>adb shell mount -o remount,ro /system
Restart the device (mandatory). We have added our proxy's CA certificate to the keystore that holds the trusted CA certificates, so from now on any SSL certificate signed by the proxy's CA is considered trusted, which lets us intercept the app's HTTPS traffic.
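To see why the app fails behind the proxy and why the keystore edit fixes it, here is an added example (not code from the original post) that reproduces the trust check on a workstation with openssl instead of on a device. A constructed "Test Proxy CA" and a server certificate signed by it stand in for the intercepting proxy, a constructed "Some Public Root CA" stands in for what is already in the store, and a PEM file plays the role of cacerts.bks; all file names, subject names and the WORK directory are assumptions of the example. The same check is what the emulator variant below relies on; that variant only changes how the modified keystore is persisted.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the "SSL trust
# factor" on a workstation with openssl instead of on a device: a constructed
# "proxy CA" and a server certificate signed by it stand in for the intercepting
# proxy, and a PEM file plays the role of cacerts.bks. Everything is generated
# into a temporary directory; no real CA, trust store or device is touched.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Generate a self-signed CA certificate with an explicit CA:TRUE constraint.
# $1 = base name, $2 = subject CN
gen_ca() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -extfile "$WORK/ca_ext.cnf" -days 1 -out "$WORK/$1.cer" >/dev/null 2>&1
}

# Build the throwaway PKI:
#   proxyca.cer    - the interception proxy's CA (what the keytool -import adds)
#   server.cer     - the certificate the proxy presents for the app's server
#   truststore.pem - the device trust store, initially holding one unrelated root
make_test_pki() {
    gen_ca proxyca "Test Proxy CA"
    gen_ca publicroot "Some Public Root CA"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" -subj "/CN=api.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/proxyca.cer" \
        -CAkey "$WORK/proxyca.key" -CAcreateserial -days 1 \
        -out "$WORK/server.cer" >/dev/null 2>&1
    cp "$WORK/publicroot.cer" "$WORK/truststore.pem"
}

# The check a TLS client performs: does the presented certificate chain to a
# root in the trust store? Prints "trusted" or "rejected".
# $1 = trust store file, $2 = certificate to check
verify_against() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# The equivalent of the keytool -import step: add a CA to the trust store.
# $1 = trust store file, $2 = CA certificate to add
add_ca_to_store() {
    cat "$2" >> "$1"
}

# Stand-alone demonstration: same server certificate, before and after the
# proxy CA is present in the trust store.
demo() {
    make_test_pki
    echo "before adding proxy CA: $(verify_against "$WORK/truststore.pem" "$WORK/server.cer")"
    add_ca_to_store "$WORK/truststore.pem" "$WORK/proxyca.cer"
    echo "after adding proxy CA:  $(verify_against "$WORK/truststore.pem" "$WORK/server.cer")"
}

demo
```

The first verification is rejected for exactly the reason the native app fails to load: the chain ends at a CA the store does not know. Appending the proxy CA is all that changes between the two runs, which is also the caveat to keep in mind: an app that relies solely on the platform trust store trusts whoever can write to that store, so keep the cacerts.bks.bak backup and restore it once testing is over.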

Limitation: The above process is specific to physical devices. For testing purposes many people would rather not risk bricking a device and prefer to test the application in the emulator. The emulator, however, does not persist changes made to the system partition: every restart of the emulator starts again from the image downloaded when the emulator was set up. Below is the workaround for this limitation.

Emulator (Android 2.1):

>emulator -avd youravdname -partition-size 128
>adb pull /system/etc/security/cacerts.bks .
>keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "C:\Program Files\Java\jdk1.6.0_24\lib\bcprov-jdk16-141.jar" -storepass changeit -import -v -trustcacerts -alias youraliasname -file "C:\sslcerts\proxyca.cer"
>adb shell mount -o remount,rw -t yaffs2 /dev/block/mtdblock0 /system
>adb shell
#mount
#chmod 777 /system
#mkdir /data/data/temp
#exit
>adb push cacerts.bks /system/etc/security/
>adb push mkfs.yaffs2.arm /data/data/temp/mkfs.yaffs2
>adb shell chmod 777 /data/data/temp/mkfs.yaffs2
>adb shell
#/data/data/temp/mkfs.yaffs2 /system /data/data/temp/system.img
#exit
>adb pull /data/data/temp/system.img system.img
>adb shell mount -o remount,ro -t yaffs2 /dev/block/mtdblock0 /system
Go to "<your android SDK home>\platforms\<target-version>\images" (IMAGEHOME)
    ex) E:\dev\android-sdk-windows\platforms\android-2.0\images
Back up your system.img
    ex) Rename system.img to system.img.bak
Move the fresh image captured using mkfs.yaffs2, which is in WORKDIR\system.img, to IMAGEHOME
Restart the emulator (mandatory). The emulator now boots from the modified OS image, whose keystore contains our proxy CA.



Posted on August 29, 2011 in Android

