Burp Suite User Forum


Unknown_CA Error When proxying Android Traffic through Burp

Jeremy | Last updated: Jan 24, 2023 12:01PM UTC

Hello, I am using an Android Nexus 5x running Android Oreo 8.1. I have exported the Burp Certificate, converted it to the correct format and uploaded it in /system/etc/security/cacerts with the correct name, and it is visible in the trusted system credentials, following this guide to the letter: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/ However, I am still getting "certificate_unknown" errors on all traffic via Chrome Browser or third-party applications. I have flashed the device and re-rooted in an attempt to test this on a fresh device to assure nothing was going to interfere. However, my BurpSuite event log is still continuing to fill with "Received Fatal Alert: unknown_ca". I am left now wondering what else I could try in an attempt to get my device to recognize the Burp Certificate. Any help would be greatly appreciated.

Ben, PortSwigger Agent | Last updated: Jan 25, 2023 08:23AM UTC

Hi Jeremy, Is the version of Chrome that you are using version 99 or above? If so, you would need to carry out some further configuration, which is detailed in the post below (essentially, the certificate transparency requirements introduced in this version of Chrome mean that any certificates located in the system certificate store, including those added by the user, need to be verified through a certificate log provider and receive a signed certificate timestamp in order to be trusted. The workaround steps detailed below circumvent this requirement and should mean that you only need to install the certificate in the system store in order to work with different browsers and mobile apps): https://httptoolkit.com/blog/chrome-android-certificate-transparency/#how-to-fix-it In terms of the mobile apps - are you having issues with every app that you are proxying the traffic of or is it just certain ones?

Jeremy | Last updated: Jan 25, 2023 09:21AM UTC

Hello, So I have created multiple devices (virtual and physical) and adding the cert to /system/etc/security/cacerts seems to no longer work? The cert does display in the System Trusted Certificate page in the settings, so I am at a complete loss. I have actually already previously updated my Chrome settings; however, that only provides a solution for Chrome itself, and specifically I am having issues with applications. Though I seem to be getting TLS cert errors on every app, some apps such as Play Store seem to still let me proxy traffic with these errors; however, the app I am testing this week seems to not even attempt to send requests through Burp whilst a TLS error is present. I know I have previously tested on Android 8.1 using the exact same device and above method and it worked fine.

Jeremy | Last updated: Jan 25, 2023 10:35AM UTC

It is also worth noting that the application's Network_Security_config.xml has the included lines:

    <trust-anchors>
        <certificates src="@raw/{REDACTED NAME}"/>
        <certificates src="system"/>
        <certificates src="user"/>
    </trust-anchors>

So it seems the application should be able to accept the Burp certificate. I have tested this on Android 8 - Android 11. All seem to have the same response to BurpSuite's certificate. To confirm that it's not the infrastructure, I am able to intercept traffic fine through a normal Firefox browser on my Windows machine.

Ben, PortSwigger Agent | Last updated: Jan 26, 2023 08:56AM UTC

Hi Jeremy, Apologies but, just to clarify, are you able to successfully proxy HTTPS traffic in a browser on your device (I was unsure from your messages whether this was the case)? Obviously, if we have this part working, we at least have a base where we know the integrity of the setup is good. In terms of the app, on the face of it, that config should mean that the app accepts both system level and user level certificates. Out of interest, what happens if you disable the system level PortSwigger certificate within the UI on the mobile device and install the certificate as a user supplied certificate (so that it appears in the User section of the trusted credentials screen)?
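Added example, not part of the thread or any poster's code: the `<trust-anchors>` snippet quoted above is one fragment of an Android Network Security Config, and the trust that actually applies to a host also depends on `<domain-config>` inheritance and any `<pin-set>`. This Python sketch resolves the trusted CA sources and pinning per scope for a whole file; the sample XML, `@raw/example_ca` and the domain names are constructed placeholders, and the `system`-only default assumes an app targeting API 24 or later.

```python
import xml.etree.ElementTree as ET

# Constructed sample; "@raw/example_ca" and the domains are placeholders.
SAMPLE = """<network-security-config>
  <base-config><trust-anchors>
    <certificates src="@raw/example_ca"/>
    <certificates src="system"/>
    <certificates src="user"/>
  </trust-anchors></base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <trust-anchors><certificates src="system"/></trust-anchors>
    <pin-set><pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin></pin-set>
    <domain-config><domain>cdn.api.example.com</domain></domain-config>
  </domain-config>
</network-security-config>"""

DEFAULT_SOURCES = ["system"]  # assumed platform default (app targets API 24+)

def sources(el):
    """CA sources listed directly under this element's <trust-anchors>."""
    if el is None:
        return []
    return [c.get("src") for c in el.findall("./trust-anchors/certificates")]

def audit(xml_text):
    """Resolve trust anchors and pinning per scope, applying inheritance."""
    root = ET.fromstring(xml_text)
    base_src = sources(root.find("base-config")) or DEFAULT_SOURCES
    findings = [{"scope": "base-config", "sources": base_src,
                 "trusts_user_cas": "user" in base_src, "pinned": False}]

    def walk(parent, inherited_src, inherited_pin):
        for dc in parent.findall("domain-config"):
            src = sources(dc) or inherited_src   # unset values are inherited
            pinned = dc.find("pin-set") is not None or inherited_pin
            names = ",".join(d.text.strip() for d in dc.findall("domain"))
            findings.append({"scope": names, "sources": src,
                             "trusts_user_cas": "user" in src, "pinned": pinned})
            walk(dc, src, pinned)                # nested domain-config

    walk(root, base_src, False)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

In the constructed sample the base config trusts user CAs, but the `api.example.com` scope narrows trust to `system` and adds a pin set, and the nested domain inherits both.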
