Install system certificates on Android 14


This method also requires root access. First, install your proxy certificate as a regular user certificate. Then run the following script, created by Tim Perry from HTTP Toolkit:

# Create a separate temp directory, to hold the current certificates
# Otherwise, when we add the mount we can't read the current certs anymore.
mkdir -p -m 700 /data/local/tmp/tmp-ca-copy

# Copy out the existing certificates
cp /apex/com.android.conscrypt/cacerts/* /data/local/tmp/tmp-ca-copy/

# Create the in-memory mount on top of the system certs folder
mount -t tmpfs tmpfs /system/etc/security/cacerts

# Copy the existing certs back into the tmpfs, so we keep trusting them
mv /data/local/tmp/tmp-ca-copy/* /system/etc/security/cacerts/

# Copy our new cert in, so we trust that too
cp /data/misc/user/0/cacerts-added/* /system/etc/security/cacerts/

# Update the perms & selinux context labels
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*

# Deal with the APEX overrides, which need injecting into each namespace:

# First we get the Zygote process(es), which launch each app
ZYGOTE_PID=$(pidof zygote || true)
ZYGOTE64_PID=$(pidof zygote64 || true)
# N.b. some devices appear to have both!

# Apps inherit the Zygote's mounts at startup, so we inject here to ensure
# all newly started apps will see these certs straight away:
for Z_PID in "$ZYGOTE_PID" "$ZYGOTE64_PID"; do
    if [ -n "$Z_PID" ]; then
        nsenter --mount=/proc/$Z_PID/ns/mnt -- \
            /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
    fi
done

# Then we inject the mount into all already running apps, so they
# too see these CA certs immediately:

# Get the PID of every process whose parent is one of the Zygotes:
APP_PIDS=$(
    echo "$ZYGOTE_PID $ZYGOTE64_PID" | \
    xargs -n1 ps -o 'PID' -P | \
    grep -v PID
)

# Inject into the mount namespace of each of those apps:
for PID in $APP_PIDS; do
    nsenter --mount=/proc/$PID/ns/mnt -- \
        /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts &
done
wait # Launched in parallel - wait for completion here

echo "System certificate injected"
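
To confirm the injection took effect, the check below (an added example, not part of Tim Perry's script) reads the Conscrypt APEX path from inside the mount namespace of each Zygote and each Zygote-forked app and compares it byte-for-byte with the user-added certificates. The function names `missing_certs` and `verify_all` are this example's own; it assumes root and that `cmp` is available on the device.

```shell
#!/system/bin/sh
# Added verification example, not part of the original script.
# Defaults are the paths the script above uses.
USER_CERTS="${USER_CERTS:-/data/misc/user/0/cacerts-added}"
APEX_CERTS="${APEX_CERTS:-/apex/com.android.conscrypt/cacerts}"

# missing_certs SRC DST [PREFIX...]
# Prints the name of every file in SRC that is absent from DST or whose
# bytes differ there. PREFIX (optional) is a command used to read DST,
# e.g. nsenter, so DST is resolved inside another mount namespace.
missing_certs() {
    src=$1; dst=$2; shift 2
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if ! "$@" cat "$dst/$name" 2>/dev/null | cmp -s - "$f"; then
            echo "$name"
        fi
    done
}

# verify_all: check the Zygote(s) and every process they forked.
# Returns non-zero if any namespace lacks a user-added certificate.
verify_all() {
    if [ -z "$(ls -A "$USER_CERTS" 2>/dev/null)" ]; then
        echo "No user-added certs in $USER_CERTS"; return 2
    fi
    rc=0
    zygotes="$(pidof zygote || true) $(pidof zygote64 || true)"
    apps=$(for z in $zygotes; do ps -o PID -P "$z" | grep -v PID; done)
    for pid in $zygotes $apps; do
        missing=$(missing_certs "$USER_CERTS" "$APEX_CERTS" \
            nsenter --mount="/proc/$pid/ns/mnt" --)
        if [ -n "$missing" ]; then
            # Also hit when a process exits mid-check; re-run to confirm.
            echo "PID $pid: not visible:" $missing
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "All checked namespaces see the user-added certs"
    return "$rc"
}

# Only run on a device where the Conscrypt APEX store exists (needs root).
if [ -d "$APEX_CERTS" ]; then
    verify_all
fi
```

A non-zero exit status means at least one process still sees the original APEX store; apps started after the Zygote mount should pass without a restart.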

HTTP Toolkit