This is a quick guide to set up a basic Android 13 or earlier testing environment. I’ve also automated a good portion of it! You can find that script here: https://github.com/bthrx/RitualAutomaton
For Android 14 (API 34), Android has implemented a new security measure for remotely managing system-level certificates from Google Play using APEX (Android Pony Express) containers. There are a few ways around this I’ve been reading about but haven’t played with them yet. I will post a separate blog for Android 14 and later once I’ve found a method I like. You can read a great breakdown of the changes from HTTP Toolkit: https://httptoolkit.com/blog/android-14-breaks-system-certificate-installation
Creating an emulator
Here you have a few options. You can download and set up the command line tools and use avdmanager. I’ve found I prefer a GUI for this step, and I like looking at code in Android Studio, so I recommend installing and using that; it is the method I will be covering.
Launch Android Studio and you will come to this screen:
Click More Actions and open Virtual Device Manager.
Next you will be prompted to select a device definition. Once you pick which device to emulate you will have to pick a System Image. In this guide we will select API level 33, which is Android 13. Make sure you don’t pick an image that has Google Play. This guide will use a version without the Google APIs as well, but setup is the same if you choose Google APIs, although if you want to proxy WebView traffic you will have to set some flags in Chrome to bypass Certificate Transparency. You can read more on that from HTTP Toolkit: https://httptoolkit.com/blog/chrome-android-certificate-transparency
After selecting your System Image you will wrap up on the next screen. Give your device a name (this guide will use test_example) and click finish.
Next you will want to make sure the Android SDK tools are added to your path:
export PATH=$PATH:~/Android/Sdk/emulator:~/Android/Sdk/platform-tools:~/Android/Sdk/build-tools
At this point you can download RitualAutomaton and follow the README.md to set up quickly. The rest of this post will go through what this script does automatically.
Now that all of the SDK tools are in your path, first you will want to launch the device:
emulator -avd test_example -writable-system
Setting the -writable-system flag will allow us to make the filesystem writable so that we can move in the certificate from your favorite proxy software. The next few steps actually enable writing to the system partition, because the device still boots up as protected by default.
First set adb to be root:
adb root
Next we will remount the filesystem so that it is writable:
adb remount
If you have previously set up a device this will return “remount successful”. If it is your first time it will tell you to reboot the device which is done with:
adb reboot
Wait until the device reboots and now we will again have to set adb to root and remount the file system:
adb root
adb remount
At this point adb remount should return “remount successful”. Now we need to install the certificate. You can do this via the command line by using openssl to calculate the hash and push it into the User store, which is how RitualAutomaton handles this step. However, I find it easier to do this manually by going into Settings, searching for Certificate and selecting CA Certificate to install it, but first we need to push the certificate to the device. In this example we are using Burp Suite and have exported the certificate as burp.der:
adb push burp.der /sdcard/Download
Ignore the warning and proceed to install the certificate from the Downloads.
At this point if you go to the Trusted credentials in Settings you will see PortSwigger listed in User certificates. Now we need to move it to the System certificates. First we want to set the permission level to 664. The file name (subject hash) of any Burp CA will be 9a5ba575.0:
adb shell "su 0 chmod 664 /data/misc/user/0/cacerts-added/9a5ba575.0"
Now we will move the certificate to the System store:
adb shell "su 0 mv /data/misc/user/0/cacerts-added/9a5ba575.0 /system/etc/security/cacerts"
If you go back and check Trusted credentials in Settings you will now see PortSwigger listed in the System store.
Next we are going to set up a reverse proxy so that traffic from the emulated device is tunneled through adb. In this guide I am using port 8888, which is also the port used in the RitualAutomaton script.
adb reverse tcp:8888 tcp:8888
The following step is the same whether you followed this guide or used RitualAutomaton. Set this as the proxy on the device in the WiFi settings and set a listener on port 8888 in Burp, and now you will be able to proxy traffic unless the app uses Certificate Pinning, in which case you’ll want to use Frida, which I will cover in another post.
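The whole procedure above, from launching the emulator to the reverse tunnel, as one POSIX shell script. This is an added example of my own, not the commands from the post and not the RitualAutomaton script. It assumes the AVD already exists, that emulator, adb and openssl are on PATH, and that Burp has exported its CA as a DER file. Instead of the user-store detour it takes the openssl route the post mentions: it computes the subject hash with `openssl x509 -subject_hash_old` (the file name Android expects, 9a5ba575.0 for the Burp CA), converts the DER to PEM (the format the system store holds), pushes it straight into /system/etc/security/cacerts with mode 644 (the mode of the files already there), and handles the first-run case where adb remount asks for a reboot. The final `settings put global http_proxy` line replaces the manual WiFi proxy entry and is also an addition, not a step from the post.

```shell
#!/bin/sh
# Added example (not RitualAutomaton, not the post's commands): automates the
# manual steps for an already-created AVD. Assumes emulator, adb and openssl
# are on PATH and Burp has exported its CA as a DER file.
set -eu

AVD="${AVD:-test_example}"        # AVD name used in the post
PROXY_PORT="${PROXY_PORT:-8888}"  # port for adb reverse and the Burp listener
CACERTS=/system/etc/security/cacerts

# `adb remount` either succeeds immediately (device prepared earlier) or asks
# for a reboot first. Decide which from its output.
remount_needs_reboot() {
    case "$1" in
        *reboot*|*Reboot*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Block until Android reports the boot finished, not just until adb sees it.
wait_for_boot() {
    adb wait-for-device
    until [ "$(adb shell getprop sys.boot_completed 2>/dev/null | tr -d '\r')" = "1" ]; do
        sleep 2
    done
}

# File name the system store expects: OpenSSL "old" subject hash plus ".0"
# (9a5ba575.0 for the Burp CA). Accepts the DER Burp exports or a PEM.
cert_store_name() {
    if openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then fmt=DER; else fmt=PEM; fi
    printf '%s.0\n' "$(openssl x509 -inform "$fmt" -in "$1" -noout -subject_hash_old)"
}

make_system_writable() {
    adb root >/dev/null; adb wait-for-device
    if remount_needs_reboot "$(adb remount 2>&1)"; then
        adb reboot
        wait_for_boot
        adb root >/dev/null; adb wait-for-device
        adb remount
    fi
}

# Push the CA straight into the system store as PEM with the same mode (644)
# as the certificates already there, skipping the user-store detour.
install_system_ca() {
    name="$(cert_store_name "$1")"
    pem="$(mktemp)"
    openssl x509 -inform DER -in "$1" -out "$pem" 2>/dev/null || cp "$1" "$pem"
    adb push "$pem" "$CACERTS/$name" >/dev/null
    adb shell chmod 644 "$CACERTS/$name"
    rm -f "$pem"
    # Verify it landed before claiming success.
    adb shell ls "$CACERTS/$name" >/dev/null
    echo "installed $name"
}

main() {
    cert="$1"
    emulator -avd "$AVD" -writable-system >/dev/null 2>&1 &
    wait_for_boot
    make_system_writable
    install_system_ca "$cert"
    # Tunnel device port -> host port, then point the device at it. The
    # `settings put global http_proxy` call replaces the manual WiFi entry.
    adb reverse "tcp:$PROXY_PORT" "tcp:$PROXY_PORT"
    adb shell settings put global http_proxy "127.0.0.1:$PROXY_PORT"
    echo "proxy set to 127.0.0.1:$PROXY_PORT; start a Burp listener on port $PROXY_PORT"
}

# Only run when given a certificate path; otherwise just define the functions.
if [ $# -ge 1 ]; then
    main "$1"
fi
```

Run it as `sh proxy_setup.sh burp.der` with the Burp listener already bound to port 8888; override the AVD name or port with the `AVD` and `PROXY_PORT` environment variables. Because the CA file is written directly into the system store, Settings will show PortSwigger under System certificates without it ever appearing in the User store.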