Android 7.0 Nougat Burp Suite Proxy 설정 1


Android 7 introduced a feature called Network Security Configuration. It was added so that developers can customize an app's network security settings (for example, which CAs it trusts) without changing the app's code.


Because of this feature, an app trusts only the system certificate store by default, so adding the Burp Suite CA certificate to the device's user store is not enough and its HTTPS traffic cannot be analyzed. There are several ways to deal with this; here we cover decompiling the app, inserting an XML file, and modifying the AndroidManifest file. The advantage of this method is that it does not require root privileges.


1. Decompile

- Decompile the APK file with apk manager


2. Create the XML file

- Create an xml directory under [decompiled directory]\res (if it does not exist)
- Create the network_security_config.xml file there


3. Modify the AndroidManifest.xml file


4. Recompile


5. Sign the APK


6. Install the app
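Steps 2 and 3 (and the same configuration quoted from the NCC Group article below) are file edits that are easy to get subtly wrong, so here is an added Python example that performs them and adds a reviewer-side check. This is not code from the original post or from NCC Group. It assumes the layout apktool produces (AndroidManifest.xml at the root of the decompiled directory, resources under res/); the manifest used by run_demo is constructed for the demo, and the function names write_network_security_config, patch_manifest, trusts_user_cas and run_demo are hypothetical. Decompiling, recompiling, signing and installing stay as command-line steps and are only mentioned in comments.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR = f"{{{ANDROID_NS}}}networkSecurityConfig"
# Keep the "android:" prefix when ElementTree writes the manifest back out.
ET.register_namespace("android", ANDROID_NS)

# Same configuration as the page's example: trust the system CA store plus the
# user-installed CA store for every connection the app makes.
NETWORK_SECURITY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed manifest standing in for what "apktool d app.apk -o app_src" would
# produce for a test app (assumed layout).
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
    <application android:label="Demo">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def write_network_security_config(decompiled_dir: Path) -> Path:
    """Step 2: create res/xml/ if missing and write network_security_config.xml."""
    xml_dir = decompiled_dir / "res" / "xml"
    xml_dir.mkdir(parents=True, exist_ok=True)
    target = xml_dir / "network_security_config.xml"
    target.write_text(NETWORK_SECURITY_CONFIG, encoding="utf-8")
    return target


def patch_manifest(manifest_path: Path) -> bool:
    """Step 3: point <application> at @xml/network_security_config.

    Returns True if the attribute was added or changed, False if it was already
    set, so the function is safe to run twice.
    """
    tree = ET.parse(manifest_path)
    app = tree.getroot().find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    if app.get(ATTR) == "@xml/network_security_config":
        return False
    app.set(ATTR, "@xml/network_security_config")
    tree.write(manifest_path, encoding="utf-8", xml_declaration=True)
    return True


def trusts_user_cas(config_path: Path) -> bool:
    """Reviewer check: does <base-config> trust the user CA store?

    A release build that answers True accepts any CA the device owner installs,
    which is exactly the testing-only setting this page adds; it should not
    ship to production.
    """
    root = ET.parse(config_path).getroot()
    return any(
        cert.get("src") == "user"
        for cert in root.findall("base-config/trust-anchors/certificates")
    )


def run_demo() -> dict:
    """Run steps 2 and 3 against the constructed manifest in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp) / "app_src"
        app_dir.mkdir()
        manifest = app_dir / "AndroidManifest.xml"
        manifest.write_text(CONSTRUCTED_MANIFEST, encoding="utf-8")

        config = write_network_security_config(app_dir)
        patched = patch_manifest(manifest)
        patched_again = patch_manifest(manifest)  # second run must be a no-op
        attr = ET.parse(manifest).getroot().find("application").get(ATTR)
        # From here the page's steps 4-6 apply: "apktool b app_src -o patched.apk",
        # sign with jarsigner, then install with adb.
        return {
            "config_exists": config.is_file(),
            "patched": patched,
            "patched_again": patched_again,
            "manifest_attr": attr,
            "trusts_user": trusts_user_cas(config),
        }


if __name__ == "__main__":
    print(run_demo())
```

patch_manifest uses the namespaced attribute name rather than a text substitution, so it works whether or not the manifest already declares other android: attributes on <application>, and the idempotence check lets the script be re-run after a failed rebuild without duplicating the attribute. trusts_user_cas is the check to run on a release APK's decompiled config to confirm the testing change was reverted.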


Now, after configuring the Burp Suite proxy on the device in the usual way and running the app, HTTPS packets should be captured normally.




Reference: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/bypassing-androids-network-security-configuration/


[Reference notes]

To modify the default configuration, an XML file that specifies the custom configuration has to be created on the resources directory. The piece of code below shows an example of a configuration file that uses the user certificates container for all HTTPS connections made by the application.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>

Additionally, the file has to be referenced from the Android Manifest file, which introduces the key android:networkSecurityConfig on the application tag, as shown here:

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                 ... >
        ...
    </application>
</manifest>

Re-compiling

If the assessed application is executed on Android 7 or higher - and the targetSdkVersion key is configured to version 24 (Android 7) or higher - the application probably uses the default configuration. Hence, the user certificates (i.e. proxy CA certificate) will not be trusted by the application.

The usual approach to modifying the default configuration would be to re-compile the application after inserting an XML, which activates the use of the certificate container. Once we have the APK, this process can be achieved using apktool [2], which allows the application to be manipulated.

The first task is to de-compile the application with the de-compile flag of apktool. After this process completes, an XML file has to be created on the resources directory and the AndroidManifest.xml file has to be modified to point to the Network Security Configuration file. At this point we can compile the application again with apktool and sign the generated APK file with the jarsigner tool, provided by the Java JDK.

When the APK is re-signed using an arbitrary certificate, it can be installed in the mobile phone using adb (Android Device Bridge). If the mobile is configured to send the traffic via an intermediate proxy, like Burp Suite, the HTTPS traffic could be intercepted as long as the CA certificate is installed on the system.
