Burp Suite User Forum


Android Chrome 99+ "Certificate Transparency" feature blocks burp certificate

小笠原徳彦 | Last updated: Apr 04, 2022 01:53AM UTC

According to the Chrome release notes [1], Android Chrome 99+ affects their "Certificate Transparency" policy, so it rejects the Burp certificate which we had installed as a system certificate (on a rooted device), and Chrome says every HTTPS site has a wrong certificate. How do I fix it? Or is there any workaround?

[1] https://support.google.com/chrome/a/answer/7679408#certTrans&zippy=%2Cchrome

Michelle, PortSwigger Agent | Last updated: Apr 04, 2022 11:30AM UTC

Thanks for your message. Can you email a few more details about your setup to support@portswigger.net, please?

- What steps did you take to import Burp's CA certificate?
- Was this setup working with earlier versions of Chrome on Android?
- What error do you see when using Android Chrome (99+)?
- Are you able to proxy other browsers on Android via Burp successfully?

小笠原徳彦 | Last updated: Apr 07, 2022 12:59AM UTC

This discussion is continuing by private email, so I will summarize later.

vollkorn | Last updated: Apr 28, 2022 12:38PM UTC

Any update on this? I am running into the same problem. Certificate transparency can obviously not be provided for the Burp interception CA cert, and Chrome 100.0.4896.127 on Android says: "NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"

Disabling the following flags in chrome://flags does not help:

* Certificate Transparency 2022 Policy
* Certificate Transparency 2022 Policy All Certificates

Michelle, PortSwigger Agent | Last updated: Apr 29, 2022 08:47AM UTC

Are you seeing traffic from apps and pre-installed browsers successfully being proxied via Burp? If you use Firefox are you able to proxy traffic via Burp? So far some of our test results have been a little inconsistent, so it would be good to check what you see in your environment if you perform the same test.

Looking at our results, if the certificate is imported as a system certificate then this will work with apps and pre-installed browsers. When using Chrome, though, the certificate needs to be imported so it appears as a User certificate, which then allows Chrome to fully trust it.

Can you download Burp's certificate, rename it from .der to .cer and then use Settings -> Security -> Install from SD card? Please check that this is then listed as a User certificate under Trusted credentials (you may need to disable the system one at this stage), test using Chrome and let us know the results, please.

vollkorn | Last updated: May 02, 2022 03:07PM UTC

With Chrome 98 and the Burp certificate installed as a system certificate via the Magisk add-on Move Certificates, I can see traffic from apps and Chrome in Burp without problems. Same setup, but with Chrome 99 or 100, and I can see the traffic from the apps, but not the traffic from Chrome. Chrome gives the error "NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED". Firefox works fine.

"Chrome" here refers to the pre-installed Chrome browser, which is updated through the Play Store and is a system app that can only be uninstalled on a rooted phone with "pm uninstall -k com.android.chrome" in "adb shell".

Following your example, when I rename the cert to .cer, install it and have the same cert in the system cert store and the user cert store, then I can intercept both (apps and Chrome) at the same time. Disabling the cert in the system cert store was not necessary.

David | Last updated: May 06, 2022 08:28AM UTC

So the only option is to import the certificate into both the system and user stores?

Michelle, PortSwigger Agent | Last updated: May 09, 2022 12:45PM UTC

From the testing we have been doing here there is a difference in which set of certificates is used for checks in the two different scenarios, so by importing the certificate differently depending on your use case then you can still proxy the traffic via Burp.

floyd | Last updated: May 24, 2022 01:55PM UTC

This issue is still present and none of the approaches above worked for me. There are plenty of workarounds for apps (e.g. disassemble, add CA, reassemble), but there are only very few workarounds if the app calls the browser (although repackaging Chrome could work too). Using Magisk Move Certificates did not do the trick, nor did installing the certificate from storage or from inside the settings (in both categories, "VPN and apps" and "WiFi").

I've investigated a little. On my Android 9 phone there are now 3 locations where a CA can live:

1. Android setting "Credential Storage - Trusted Credentials - System", which you can influence with the Move Certificate Magisk add-on; it copies things from "Credential Storage - Trusted Credentials - User".
2. Android setting "Credential Storage - Trusted Credentials - User" lives at /data/misc/user/0/cacerts-added/ but I'm not able to install anything here at the moment without copying files manually on the command line. There is no Android UI option for this. So I copied the Portswigger CA that was still in the System store:
   cp /data/adb/modules/movecert/system/etc/security/cacerts/* /data/misc/user/0/cacerts-added/
3. Android setting "Credential Storage - User Credentials" lives at /data/misc/keystore/user_0/1010_CACERT_<NAME>. That's where CAs are now stored when I add them in the Android settings.

However, nothing helped, I still get the certificate transparency error.

I was able to work around the issue for one app (1) by installing Firefox (which also showed a certificate warning). When the app called the browser, I could not ignore the certificate error, but I was able to choose "Open in Firefox" from the three-dots menu. In Firefox I was able to ignore the certificate error then.

(1) Not really related, but I had to patch out certificate pinning in the smali code of the app first and I added the Portswigger CA cert in the app directly as well...

Btw. this issue is also discussed here: https://github.com/Magisk-Modules-Repo/movecert/issues/15

Michelle, PortSwigger Agent | Last updated: May 25, 2022 07:40AM UTC

Thanks for your message. Our understanding of the situation is as follows.

If you are using the built-in browser, mobile apps (that do not incorporate certificate pinning), or Chrome versions before 99 you should still be able to use the normal method of installing the Burp CA as a system-level trusted cert (as detailed here - https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/).

Chrome versions 99 and above create issues with this approach, which means that any certificates placed into the system store by the user encounter the certificate transparency issue.

What we have found with our testing is that installing the Burp CA certificate as a user-level trusted certificate means that you can proxy HTTPS traffic in Chrome 99+. You cannot, however, then proxy HTTPS traffic from apps or other browsers. Similarly, as described above, installing the cert at the system level allows you to proxy HTTPS traffic from apps and other browsers but not Chrome versions 99 and above.

We have been able to get this working by disabling and re-enabling the system-level certificate as required (the system store appears to take precedence over user-supplied certificates, so if you have both installed and active the cert in the system store is used; if you then disable the cert in the system store, the cert in the user store is used). This is, admittedly, slightly fiddly and will not work if you require proxying the traffic from both Chrome 99+ and apps at the same time.

We have also tried the workaround suggested here - https://httptoolkit.tech/blog/chrome-android-certificate-transparency/ - and this has also worked for us. We would be interested to know whether this approach also works for you as this would seem to be the best solution - you then only have to install the certificate at the system level whilst performing some extra configurational steps.

floyd | Last updated: Jun 27, 2022 01:22PM UTC

I can confirm the behavior. The problem is that the app I'm testing opens a Webview/Intent to Chrome, so I have to intercept both apps and Chrome. I only want to add that on my Pixel 3a I can't add any "trusted credentials" in the "User" section anymore via the UI, but I have to do:

cp /data/adb/modules/movecert/system/etc/security/cacerts/* /data/misc/user/0/cacerts-added/

And then I can see them in the "User" section where I have to tap on them and then "Trust". Afterwards the solution described on https://httptoolkit.tech/blog/chrome-android-certificate-transparency/ works.

I've automated the steps: https://gist.github.com/floyd-fuh/7a7d4c4aa0d479a1562feb962a579448
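Added example, not part of any post in this thread: a small shell check that reports whether a given CA file sits in the system store, the user store, both or neither, since the replies above show that Chrome 99+ and apps behave differently depending on which store holds it. The function names and the SYSTEM_STORE/USER_STORE variables are hypothetical; the match is by byte-identical content (as produced by the cp above), so a certificate installed another way and stored in a different encoding would not match.

```shell
#!/bin/sh
# Added example: report which Android trust store(s) hold a given CA file.
# USER_STORE default is the path quoted in the thread; SYSTEM_STORE default is
# the standard system CA directory. Override both to try this off-device.
SYSTEM_STORE="${SYSTEM_STORE:-/system/etc/security/cacerts}"
USER_STORE="${USER_STORE:-/data/misc/user/0/cacerts-added}"

# store_has_ca <ca_file> <store_dir>
# Succeeds if any regular file in store_dir is byte-identical to ca_file.
# Comparing content avoids depending on the <hash>.0 file name.
store_has_ca() {
    [ -d "$2" ] || return 1          # missing store counts as "not present"
    for f in "$2"/*; do
        [ -f "$f" ] && cmp -s "$1" "$f" && return 0
    done
    return 1
}

# ca_location <ca_file>
# Prints one of: system, user, both, none (or "unreadable" with status 2).
ca_location() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    in_sys=no
    in_user=no
    store_has_ca "$1" "$SYSTEM_STORE" && in_sys=yes
    store_has_ca "$1" "$USER_STORE" && in_user=yes
    case "$in_sys$in_user" in
        yesyes) echo both ;;
        yesno)  echo system ;;
        noyes)  echo user ;;
        *)      echo none ;;
    esac
}

# Stand-alone use on a rooted device shell: sh check_ca.sh /path/to/ca-file
if [ "$#" -gt 0 ]; then
    ca_location "$1"
fi
```

Reading /data/misc/user/0/cacerts-added/ requires root, so run it from a root shell on the device.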

Jelmer | Last updated: Oct 25, 2022 11:20AM UTC

I created a Magisk module to fix this problem. https://github.com/JelmerDeHen/MagiskBypassCertificateTransparencyError The README.md also outlines steps for if you have root but no Magisk.
