How to Intercept Traffic of Android Studio Emulator

In this blog, I and Amish have explained how we can capture any application network traffic in Android Studio Emulator.

To begin, export the Burp certificate in the ‘DER’ format and save it to the base system, as illustrated in the following figure:

Next, utilizing OpenSSL, convert the DER file to a PEM file. Afterward, rename the PEM file with the certificate hash and proceed to push the certificate to the emulator’s ‘/sdcard’ folder, as depicted in the figure below:

openssl x509 -inform DER -in burpcert.der -out burpcert.pem
openssl x509 -inform PEM -subject_hash_old -in burpcert.pem | head -1
mv burpcert.pem 9a5ba575.0
adb push 9a5ba575.0 /sdcard

Please note that this step is optional. However, if you wish to run ‘emulator.exe’ from the command line irrespective of the current path, you’ll need to configure the following environment variables:

To modify the certificate in the system folder, it’s necessary to open the emulator in writable mode. This can be achieved by executing the following commands:

emulator.exe -list-avds
emulator.exe -writeable-system -avd "OUTPUT_OF_ABOVE_COMMAND"

To incorporate the Burp certificate, it’s essential to copy it to both the Android security ‘cacerts’ and Google ‘cacerts’ folders. This can be accomplished by executing the following command, as illustrated below:

adb shell
su
cd /sdcard
mkdir -m 700 mycerts
cp 9a5ba575.0 mycerts/
cp /system/etc/security/cacerts/* mycerts/
mount -t tmpfs tmpfs /system/etc/security/cacerts
cp mycerts/* /system/etc/security/cacerts/
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*
mkdir -m 700 mycerts_google
cp 9a5ba575.0 mycerts_google/
cp /system/etc/security/cacerts_google/* mycerts_google/
mount -t tmpfs tmpfs /system/etc/security/cacerts_google
cp mycerts_google/* /system/etc/security/cacerts_google/
chown root:root /system/etc/security/cacerts_google/*
chmod 644 /system/etc/security/cacerts_google/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts_google/*

Launch any application from the emulator, and as depicted below, you’ll observe that we successfully intercepted the traffic.

After restarting the emulator, it’s necessary to rerun the following command to resume intercepting the traffic.

adb shell
su
cd /sdcard
mount -t tmpfs tmpfs /system/etc/security/cacerts
cp mycerts/* /system/etc/security/cacerts/
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*
mount -t tmpfs tmpfs /system/etc/security/cacerts_google
cp mycerts_google/* /system/etc/security/cacerts_google/
chown root:root /system/etc/security/cacerts_google/*
chmod 644 /system/etc/security/cacerts_google/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts_google/*

References:

Avatar
Sanjay Gondaliya
Associate Director

My research interests include automation in pentration testing.