Intercepting Android HTTPS connections

Setting up a proxy for an Android application and getting it to work is not a trivial task. This tutorial walks through doing it against an emulator.
The key question is where the application gets its trusted certificates from: either the Android trusted store, or a keystore bundled inside the application itself. Which of the two the application uses decides how its HTTPS connection has to be intercepted.

Useful background: a working idea of SSL (creating a certificate with openssl is a good way to understand it), and hands-on familiarity with the Android emulator.

Android trusted store across Android versions

On Android versions below 4 the trusted certificate store is kept in BKS (Bouncy Castle) format, so the proxy CA certificate has to be prepared as a BKS keystore (there are plenty of guides for creating one). The resulting file is then pushed to the emulator or device, overwriting the existing cacerts.bks.
On Android 4 and above there is a built-in option to install a certificate: go to Settings -> Security and choose "Install from SD card". Push the certificate to the device first with
adb push "cert path.cer" /mnt/sdcard
(the virtual device needs SD card space, allocated when creating it in the AVD manager). Installing a trusted certificate this way is very easy on Android 4 and above.

Trusted certificate

The server that an HTTPS Android application talks to presents either a CA-signed or a self-signed certificate. If it is CA signed, the application relies on the Android trusted store, so that store is what we have to compromise (add our proxy's CA certificate to it) in order to intercept the SSL traffic. If it is self signed, the application may still use the Android trusted store, or it may ship its own local keystore and validate the server against that.

Tools used:
1) Dex2jar
2) Apktool
3) Bouncy Castle, for creating the BKS format keystore
4) JD-GUI
5) Burp Suite

This was done in the emulator.
Install the Android SDK and related tools; this may take some time.
After installing everything, launch the AVD manager (Android Virtual Device); the command "android avd" launches it as well.
Create a virtual device and allocate some space for the "sdcard" in the options offered.
Launch the emulator. You can check that the device is connected with "adb devices".
Once it is connected, install the apk file that was given to us: "adb install <filename.apk>".
The application will install. If any dependencies are missing the install fails; fix them first.
"logcat" shows the logs the application writes. To monitor the application and see its behaviour use
adb logcat | findstr <app specific keyword>   (Windows)
adb logcat | grep <app specific keyword>   (Linux)
The app specific keyword can be its name or anything else that uniquely identifies it in the logs.
Run the application and verify the logs and its behaviour.
Now set the proxy for the emulator. The emulator has to be started with the proxy option:
emulator -avd "name of virtual device" -http-proxy http://127.0.0.1:8080
Run Burp Suite listening on port 8080. The emulator process runs on the host, so 127.0.0.1 here is the host machine running Burp.
Check the proxy by launching the Android browser; its requests should be intercepted.
Run logcat again to view the behaviour of the application when it is proxied. If the application makes an HTTPS connection it may not send the request to the server at all, and it will throw an error that can be seen in the logs.

Certificate signing

If the connection is intercepted, fine. If the HTTPS connection is not intercepted, the real challenge begins.
Let's say we are using Android version 4. We now have to find out whether the application uses the Android trusted store to establish the HTTPS connection, or its own local keystore.
First find the URL the application uses to connect to the server, and open that URL in a PC browser. This tells us whether the server certificate is self signed or CA signed; test sites are usually self signed.
1) If CA signed
2) If self signed
If CA signed, compromising the Android certificate trusted store is quite easy. Follow this guide up to the point where the certificate is installed on the emulator: Open Security Research: Proxying Android 4.0 ICS and FS Cert Installer. Install the certificate. <Note: you will not see the installed certificate under Trusted credentials -> User certificates>
If self signed, there are a few more steps.
Find the URL the application uses to connect to the server.
Set the PC browser's proxy to Burp Suite (any port you like, usually 8080). Access the URL in the PC browser and intercept the connection with Burp Suite.
The browser will display a certificate error. Add the certificate to the exception list. Then go to Tools -> Options -> Advanced -> Encryption and click the "View Certificates" button. Look for the PortSwigger certificate for that particular domain name (e.g. if google is intercepted, the PortSwigger certificate issued for google).
Select the certificate and click Export. Append .cer to the file name and save it. The certificate is now on your desktop as a file.

Find local keystore

If we are lucky, the logs will show the process that makes the request to the server and accepts the response; use "adb logcat | grep <app specific keyword>".
Follow these steps to find the local keystore.
Use dex2jar to decompile the application into a jar file: "d2j-dex2jar <filename.apk>". Open the jar in JD-GUI, locate the code that makes the HTTPS connection, and look for lines like these:

// The app asks for a Bouncy Castle (BKS) keystore and fills it from a raw resource
// bundled in the APK, so the server is validated against this store, not the Android trusted store.
KeyStore localKeyStore = KeyStore.getInstance("BKS");
InputStream localInputStream = this.context.getResources().openRawResource(R.raw.name_of_file);
// "pass" is the store password; a replacement keystore must be created with the same one.
localKeyStore.load(localInputStream, "pass".toCharArray());

If you find lines like these, the application uses a local keystore to create the HTTPS connection.
Now decompile the application again, this time to smali files.
Use apktool: "apktool d <filename.apk>". An output directory is generated. Search it for the BKS format keystore (under res/raw, as the openRawResource() call indicates). If you find it, bingo. Now we have to replace that keystore with one containing our Burp Suite public certificate.

BKS format certificate creation

There are plenty of tutorials for creating a BKS format keystore (search for one). While creating it, the "store pass" must be the string the application passes to KeyStore.load(), here "pass" from the line <localKeyStore.load(localInputStream, "pass".toCharArray());>. If the passwords differ, the application will fail to open the replacement store.
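As an added example (not part of the original tutorial), the following Python script automates the "find local keystore" step above and the password check just described: it lists keystore candidates inside the APK (an APK is a zip file, so this part needs no apktool), confirms from the apktool smali output that a class calls KeyStore.load() on a bundled resource, and pulls out the string literal passed through toCharArray(), which is the "store pass" the replacement BKS must be created with. The sample APK contents and the smali method are constructed here to mirror the Java fragment shown above; the class name com.example.net.Client and the file names in them are hypothetical. Standard library only.

```python
# Added example, not code from the original post. Finds a bundled BKS keystore in an
# APK and recovers the store password from apktool's smali output. Sample data is
# constructed; com.example.net.Client and the file names are hypothetical.
import io
import os
import re
import struct
import zipfile
from typing import List, Optional, Tuple

# A BKS file starts with a 4-byte big-endian version word (1 = BKS-V1, 2 = BKS)
# followed by the 4-byte length of the PBKDF salt.
BKS_VERSIONS = (1, 2)
KEYSTORE_DIRS = ("res/raw/", "assets/")


def is_bks(data: bytes) -> bool:
    """Heuristic BKS check on the first eight bytes (version word, salt length)."""
    if len(data) < 8:
        return False
    version, salt_len = struct.unpack(">II", data[:8])
    return version in BKS_VERSIONS and 0 < salt_len <= 64


def find_keystores(apk_bytes: bytes) -> List[str]:
    """Entries under res/raw or assets with a .bks extension or a BKS header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith(KEYSTORE_DIRS):
                continue
            if name.lower().endswith(".bks") or is_bks(apk.read(name)):
                hits.append(name)
    return hits


# smali patterns apktool emits for the Java shown in the tutorial
CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"')
TO_CHAR_ARRAY = re.compile(r'^\s*invoke-virtual\s+\{([vp]\d+)\},\s*Ljava/lang/String;->toCharArray\(\)\[C')
KEYSTORE_LOAD = re.compile(r'Ljava/security/KeyStore;->load\(')
RAW_OR_ASSET = re.compile(r'->openRawResource\(I\)|Landroid/content/res/AssetManager;->open\(')


def uses_local_keystore(smali: str) -> bool:
    """True when the class both opens a bundled resource and calls KeyStore.load()."""
    return bool(KEYSTORE_LOAD.search(smali) and RAW_OR_ASSET.search(smali))


def recover_store_password(smali: str) -> Optional[str]:
    """Track the last string literal per register; the one turned into a char
    array right before KeyStore.load() is the store password."""
    last_literal = {}
    candidate = None
    for line in smali.splitlines():
        m = CONST_STRING.match(line)
        if m:
            last_literal[m.group(1)] = m.group(2)
            continue
        m = TO_CHAR_ARRAY.match(line)
        if m:
            candidate = last_literal.get(m.group(1))
            continue
        if KEYSTORE_LOAD.search(line):
            return candidate
    return None


def scan_smali_tree(root: str) -> List[Tuple[str, Optional[str]]]:
    """Walk an apktool output directory; report each class loading a bundled
    keystore together with the recovered password (None if not a literal)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".smali"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if uses_local_keystore(text):
                    found.append((path, recover_store_password(text)))
    return found


def build_sample_apk() -> bytes:
    """Constructed stand-in for the target APK: one BKS under res/raw, one
    extension-less store under assets, plus non-keystore noise."""
    bks = struct.pack(">II", 2, 20) + b"\x00" * 20 + struct.pack(">I", 1024) + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("res/raw/name_of_file.bks", bks)  # matches R.raw.name_of_file
        z.writestr("assets/truststore", bks)        # only the header gives it away
        z.writestr("res/raw/sound.ogg", b"OggS" + b"\x00" * 32)
    return buf.getvalue()


# Constructed smali for the Java fragment in the tutorial (hypothetical class name).
SAMPLE_SMALI = """\
.method private buildTrustStore()Ljava/security/KeyStore;
    .locals 4
    const-string v1, "BKS"
    invoke-static {v1}, Ljava/security/KeyStore;->getInstance(Ljava/lang/String;)Ljava/security/KeyStore;
    move-result-object v1
    iget-object v0, p0, Lcom/example/net/Client;->context:Landroid/content/Context;
    invoke-virtual {v0}, Landroid/content/Context;->getResources()Landroid/content/res/Resources;
    move-result-object v0
    const v2, 0x7f040000
    invoke-virtual {v0, v2}, Landroid/content/res/Resources;->openRawResource(I)Ljava/io/InputStream;
    move-result-object v2
    const-string v3, "pass"
    invoke-virtual {v3}, Ljava/lang/String;->toCharArray()[C
    move-result-object v3
    invoke-virtual {v1, v2, v3}, Ljava/security/KeyStore;->load(Ljava/io/InputStream;[C)V
    return-object v1
.end method
"""

if __name__ == "__main__":
    print("keystore candidates:", find_keystores(build_sample_apk()))
    print("loads local keystore:", uses_local_keystore(SAMPLE_SMALI))
    print("store password:", recover_store_password(SAMPLE_SMALI))
```

Against a real target, call find_keystores(open("app.apk", "rb").read()) on the apk and scan_smali_tree("app") on the directory that "apktool d" produced. Whatever recover_store_password returns is the password the replacement BKS has to be created with; if it returns None the password is not a plain literal (built at runtime, or passed in from another method) and you have to follow the register in JD-GUI by hand.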

Final steps

Replace the application's BKS keystore with the BKS keystore we created.
Rebuild the application with apktool:
apktool b "application directory"
The rebuilt apk is unsigned and adb will refuse to install it; sign it first (for example with jarsigner and a debug key), and uninstall the original application, since the rebuilt one will carry a different signature.
Install the rebuilt application on the emulator:
adb install <rebuilt apk>
Restart the emulator with the proxy set ( emulator -avd "virtual device name" -http-proxy http://127.0.0.1:8080 ).
Now start the application. Burp Suite will intercept the connection.