Cert-Fixer : Simplify your CA certificates installation

Hi guys,

It's me again. Today I'm writing to share on a module which would help starts your journey in Mobile Application Penetration Testing. 

As of year 2025, most of the application would require at least Android 10 version. That means most of the old phone you have would be out from being converted into a testing device. The thing about older android version is that, it is much easier to install a user certificate. Easier way to install user certificate means easier way to setup your Android testing device. Starting from Android 11, the setup become much harder. You can read further below.

https://httptoolkit.com/blog/android-11-trust-ca-certificates/

Below blog is the way that I used (super tedious) before to install a user certificate as root level.

https://medium.com/@lightbulbr/install-burp-ca-as-a-system-level-trusted-ca-android-11-rooted-physical-device-5542fe96345f

For testing purpose, we would need Burpsuite certificate to be installed as root level. Lucky for us now that a group of people develop a module for Magisk to simplify the process.

https://github.com/pwnlogs/cert-fixer

Since this is a Magisk module, you can just download the zip file and import it into Magisk. After importing you can install Burp certificate and it would get registered as user level certificate.


After the Cert-Fixer module is installed. You can just restart and it would automatically pull the cert into root level certificate.



As you can see, the Burp certificate is registered as root level certificate. We can now start intercepting request from any application.

Shout out to those people that develop those module as it's simplify the process.

The main reason I'm writing this is also because I'm on OnePlus6 (Android 11) which is not included in the list of physical device that works with the module.

Hope this helps for other user on Android 11 or OnePlus 6 devices.

Cheers.


Comments

Post a Comment

Popular posts from this blog

Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form.

Image
Hi All, Today I will share POC on vulnerability found during pentest. As per the title, I recently found SQL Injection vulnerability on a thick client.  To read more about thick client, click here :  https://techterms.com/definition/thickclient Thick clients, also called heavy clients, are full-featured computers that are connected to a network.  While a thick client is fully functional without a network connection, it is only a "client" when it is connected to a server. The server may provide the thick client with programs and files that are not stored on the local machine's hard drive.   Exploit Title:   Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form. Details & Description :   SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly pl...
Read more

Setting up MobSF in Ubuntu 18.04

Image
Hi guys, It's been a while since I last updated the blog. Been busy. So, for today I will be giving guide on how to setup MobSF in Ubuntu 18.04 . There is a lot of guide out there about how to setup MobSF. I'm here to give out step by step guide to set it up as per my own experience. The main reason of using Ubuntu 18.04 is because it has a built-in Python 3.6 and pip3 version 9.0.1 which is the requirements to setup MobSF. It's pretty much simplify the process of setting up MobSF. *Note that this is a guide to setup MobSF for static analysis. For dynamic analysis, you can refer to MobSF page in github. MobSF also known as Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing. Can further read about MobSF here:  https://github.com/MobSF/Mobile-Security-Framework-MobSF For Ubuntu 18.04 can be downloaded ...
Read more

Setting up RMS in Ubuntu 18.04

Image
Hi peeps, It's been a while since my last post. Been busy. So, for today I would like to share on how to setup RMS (Runtime Security Mobile) in Ubuntu 18.04. RMS -  https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security "Runtime Mobile Security (RMS), powered by FRIDA, is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime." "You can easily dump all the loaded classes and relative methods, hook everything on the fly, trace methods args and return value, load custom scripts and many other useful stuff." This is a continuation of my post here  https://faudhzanrahman.blogspot.com/2019/09/setting-up-mobsf-in-ubuntu-1804.html  where I did a setup on MobSF.  I'm currently trying to set a box where it contains all sort of testing tools specifically for mobile . Now I have both MobSF and RMS setup in this box which is the Ubuntu 18.04. The same reason of setting RMS in this box is because the requirements fits Ubuntu 18.04. T...
Read more