# Intro This is just a quick post on how to install the `Burp Suite CA` on `Android 14`. The existing information out there is not great and in many cases gives you wrong info based on older versions of `Android`. Also the official documentation on `PortSwigger` links to a blogpost which gives you `wrong instructions`! ![[burpCA-baddocs.gif]] ``` It is often so, as you must be sensible of from the Thing you gott from ye Kings Chapell ground in 1769 and what H. gott from Olde Bury’g Point in 1690, that was like to ende him. Stones are all chang’d now in Nine groundes out of 10. You are never sure till you question. - Simon O. ``` # What does works? #### Export the CA from Burp First we want to export the CA cert from `Burp`. ![[burpCA-01.png]] We need this in a `PEM` format so we have to convert it, we also want to name the cert in a specific way. You can see the commands below. ``` b33f@p0wn Burp % ls burpCA.der b33f@p0wn Burp % openssl x509 -inform DER -in burpCA.der -out burpCA.pem b33f@p0wn Burp % openssl x509 -inform PEM -subject_hash_old -in burpCA.pem| head -1 9a5ba575 b33f@p0wn Burp % mv burpCA.pem 9a5ba575.0 b33f@p0wn Burp % ls 9a5ba575.0 burpCA.der ``` We can check the cert properties if we are so inclined. ![[burpCA-02.png]] #### Install the CA in the `User` Trusted Certificate Store Push the certificate to the device. ``` b33f@p0wn Burp % adb push 9a5ba575.0 /sdcard/Download/ 9a5ba575.0: 1 file pushed, 0 skipped. 11.5 MB/s (1326 bytes in 0.000s) ``` Open settings and search for `Trusted credentials`. ![[burpCA-03.png]] Then select `Install a certificate` and chose the cert you pushed to the device. You should get a prompt to say the cert was installed and it will show up under `Trusted credentials -> User`. ![[burpCA-04.png]] #### Divergent Added Chaos Damage Just a small `lore` diversion here with some `added chaos damage`. You used to be able to copy the cert into the `System` certificate store (`/system/etc/security/cacerts/`) manually. In fact, if you look at the `PortSwigger` docs they link to a post that does exactly this: - https://portswigger.net/burp/documentation/desktop/mobile/config-android-device Don't do that ok, this is not working on later versions of `Android`. I will just document the process because it's interesting and it may be useful to know in the future. If you try to write to `/system` you will find that you can't as it is `read-only`. The way I got around this was by writing a simple `Magisk` module. ``` panther:/data/adb/modules # cat burpCA_module/module.prop id=burp-ca-cert name=Burp CA Certificate version=v1.0 versionCode=1 author=Ruben Boonen description=Adds Burp CA certificate to the system. panther:/data/adb/modules # ls burpCA_module/system/etc/security/cacerts/ 9a5ba575.0 ``` `Magisk` uses a system called `overlayfs` to allow one filesystem to be overlayed on another. Basically it creates a virtual layer where the modified files are stored. Very cool actually, it lets us make changes without affecting the filesystem. It's also good if we want to roll back changes! With the module in place on the OS you can see it in `Magisk` and after you reboot the cert will be in the correct place. But again this no longer works! `Thanks for wasting your time, here, have some free added chaos damage`. ![[burpCA-05.png]] You can get some background on this change [here](https://httptoolkit.com/blog/android-14-install-system-ca-certificate/). #### Trust my CA please Turns out `NCC` solved this issue for us. Maybe I should have been a bit more diligent when I was preparing `¯\_(ツ)_/¯`. They have a `Magisk` module that makes all `user certificates` part of the `com.android.conscrypt` certificate store. - https://github.com/nccgroup/ConscryptTrustUserCerts I do want to mention that this is tested specifically on `Android 14`, you should have a look at the open issues if you are on a different version. What's nice about this is that we can add and remove trusted certs by modifying the user cert store. Here I just download the release zip straight onto my phone. ![[burpCA-06.png]] I install the module as a packaged `zip` in `Magisk` and then finally `reboot` the device. ![[burpCA-07.png]] # Great Success Now we can configure the Wi-Fi connection on the phone to use a custom proxy that points at Burp on the network and `mitm` the traffic. ![[burpCA-08.png]]