# Burp Suite SSL Pinning

Since the "traditional" way of installing a user certificate doesn't work anymore in Nougat and above, for me the easiest solution is to install the Burp CA to the system trusted certificates. You can see all the system CAs that are bundled with an Android device by going to *Settings -> Security -> Trusted Credentials* and viewing system CAs. You'll see CAs similar to the ones you'd see in a browser bundle.

Trusted CAs for Android are stored in a special format in `/system/etc/security/cacerts`. If we have root privileges, it's possible to write to this location and drop in the Burp CA (after some modification).

{% hint style="info" %}
Remove all existing PortSwigger certificates first (otherwise the whole thing does not work).
{% endhint %}

**Export and convert the Burp CA**\
The first step is to get the Burp CA in the right format. Using Burp Suite, export the CA Certificate in DER format. I saved it as `cacert.der`.

![](/files/-M4WgmYOpOIbj0YoGtKp)

Android wants the certificate to be in PEM format, and to have the filename equal to the `subject_hash_old` value appended with `.0`.

*Note: if you are using OpenSSL <1.0, it's actually just the `subject_hash`, not the "old" one*

Use `openssl` to convert DER to PEM, then output the `subject_hash_old` and rename the file:

```
openssl x509 -inform DER -in cacert.der -out cacert.pem  
openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1  
mv cacert.pem <hash>.0  
```

For example, with my certificate:

![](/files/-M4WgzytOno8KKe_jtKg)
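
What `subject_hash_old` computes, as an added example that is not part of the original write-up: the first four bytes of the MD5 of the certificate's DER-encoded subject, read little-endian. The helper names and the constructed sample (a DER skeleton, not a signed certificate) are assumptions for illustration; the same function can check that a file in a `cacerts` directory is named after the certificate it contains.

```python
import base64, hashlib, re

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_der(cert):
    """Return the DER-encoded subject Name, tag and length included."""
    pos = tlv(cert, tlv(cert, 0)[1])[1]   # Certificate -> tbsCertificate -> first field
    if cert[pos] == 0xA0:                 # optional explicit [0] version
        pos = tlv(cert, pos)[2]
    for _ in range(4):                    # serialNumber, signature, issuer, validity
        pos = tlv(cert, pos)[2]
    if cert[pos] != 0x30:
        raise ValueError("subject Name is not a SEQUENCE")
    return cert[pos:tlv(cert, pos)[2]]

def load_cert(data):
    """Accept PEM or DER bytes and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def cacerts_filename(data):
    """subject_hash_old + '.0': first 4 MD5 bytes of the subject DER, little-endian."""
    digest = hashlib.md5(subject_der(load_cert(data))).digest()
    return "%08x.0" % int.from_bytes(digest[:4], "little")

# Constructed sample: a DER skeleton with the X.509 field layout (not a signed cert).
def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only

def name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn))))

SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
                 + name(b"Constructed Issuer") + der(0x30, b"") + name(b"Constructed Test CA"))
SAMPLE_CERT = der(0x30, SAMPLE_TBS + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    print(cacerts_filename(SAMPLE_CERT))
```

For a real certificate, pass the bytes of `cacert.der` or `cacert.pem` to `cacerts_filename` and compare the result with the `openssl x509 -subject_hash_old` output.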

**Copy the certificate to the device**\
We can use `adb` to copy the certificate over, but since it has to be copied to the `/system` filesystem, we have to remount it as writable. As root, this is easy with `adb remount`.

```
# On the host: push the certificate to the device
adb push <cert>.0 /sdcard/
# In a root shell on the device: remount /system read-write
mount -o rw,remount /system
```

Then just drop into a shell (`adb shell`) and move the file to `/system/etc/security/cacerts` and chmod it to 644:

```
mv /sdcard/<cert>.0 /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/<cert>.0
# Put /system back to read-only once the certificate is in place
mount -o ro,remount /system
```

Lastly, we have to fully reboot the device with either `adb reboot` or a power cycle.

![](/files/-M4Wh7NmPRcPQTbqVOms)

After the device reboots, browsing to *Settings -> Security -> Trusted Credentials* should show the new "Portswigger CA" as a system trusted CA.

![](/files/-M4WhC0V7grEQycP_Onf)

Now it's possible to set up the proxy and start intercepting any and all app traffic with Burp :)

P/S: This article was put together for my personal use cases, and it's originally taken from this [write-up](https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/).

