TrustManager (javax.net.ssl.X509TrustManager) is the component of Android's TLS stack that validates the certificate chain a remote server presents during the handshake. It checks that each certificate in the chain is correctly signed by the next one and that the chain ends at a Certificate Authority the device trusts.
The certificate chain is the hierarchy of certificates used to establish that trust. It consists of the server (leaf) certificate, signed by an intermediate Certificate Authority (CA), which is in turn signed by further CAs until a root CA is reached.
The default TrustManager accepts a chain only if it leads to a CA in the device's trust store. Note that since Android 7.0 (API 24) applications do not trust user-installed CAs by default, only the system store, unless their Network Security Config opts in; this is why the steps below place the proxy CA in /system rather than in the user store.
Installing the proxy's CA certificate into the system certificate store is the usual way to get past the default TrustManager. Once the Burp Suite CA certificate is in the system store, the device trusts every certificate Burp issues for intercepted hosts, so the TLS traffic of any application that relies on the operating system's TrustManager (and does not pin) can be intercepted. Installing the CA as a user certificate is not enough for apps targeting API 24 or later, since they ignore the user store by default.
With SSL (certificate) pinning, the application does not rely only on the default TrustManager: on top of the normal chain validation it checks that the server certificate (or its public key) matches a hash embedded in the app, either in custom TrustManager/OkHttp CertificatePinner code or through a <pin-set> in the Network Security Config. So even when the system TrustManager accepts a certificate as valid, the application rejects it if it does not match the pinned one.
In practice pinning is often implemented incompletely or incorrectly: the pin check is skipped on some code paths, the custom TrustManager accepts any chain, or a library still goes through the default TrustManager. Any such flaw lets a certificate that only the system store trusts through, which is what the approach below relies on.
* Even without the Burp certificate installed in the system store, instrumentation scripts such as multiple-ssl-pinning (loaded into the app process at runtime with a hooking framework such as Frida) can bypass TrustManager validation by replacing the validation methods themselves.
-> Start your proxy (a Burp listener on port 8080; enable "Support invisible proxying" on it, because traffic redirected by iptables is not proxy-aware)
-> Configure an HTTP proxy on the device pointing at <ip>:<port> (Settings > Wi-Fi > Modify network > Proxy), or set it globally from adb:
adb shell settings put global http_proxy <ip>:<port>
-> Alternatively, on a rooted device, redirect all outbound HTTP and HTTPS traffic to local port 8080 (run inside adb shell as root)
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
-> Set up reverse port forwarding so that connections the device makes to its own port 8080 are carried over ADB to port 8080 on the host, where the proxy listens
adb reverse tcp:8080 tcp:8080
-> List the active reverse forwards
adb reverse --list
-> Remove reverse configuration
adb reverse --remove-all
-> Remove global proxy configuration
adb shell settings put global http_proxy :0
-> Download your proxy's CA certificate (in Burp: Proxy > Options, called Proxy settings in newer versions > Import / export CA certificate > Certificate in DER format; or browse to http://burp/cert while proxied). Burp exports a DER file, here cacert.der.
-> Convert the DER file to PEM
openssl x509 -inform DER -in cacert.der -out cacert.pem
-> Compute the subject hash Android uses as the file name. It must be the old MD5-based hash (-subject_hash_old), not -subject_hash; the first output line is the hash
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
-> Rename the PEM file to <hash_id>.0 (for the stock Burp CA this is usually 9a5ba575.0) and send it to the device
mv cacert.pem <hash_id>.0
adb push <hash_id>.0 /sdcard/Download
-> List the AVDs
emulator -list-avds
-> Start the emulator with a writable /system. Use a Google APIs or AOSP image, since adb root is refused on Google Play images, and pass -writable-system on every later launch as well, otherwise the unmodified system image is used
emulator -avd <avd_name> -writable-system -netdelay none -netspeed full -no-snapshot -debug-init
adb root
adb remount
-> If remount is refused because of dm-verity, disable verity with adb (adb disable-verity), reboot, then run adb root and adb remount again
-> Move the certificate into the system store, fix its permissions and reboot
adb shell mv /sdcard/Download/<hash_id>.0 /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/<hash_id>.0
adb reboot
-> After the reboot, check that the CA is listed under Settings > Security > Encryption & credentials > Trusted credentials > System
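As an added example (not from these notes, and not Burp's or Android's own code), the following Python script performs the openssl steps above offline: it converts a DER certificate to PEM and computes the <hash_id>.0 file name Android expects, by reimplementing what -subject_hash_old actually is (MD5 of the DER-encoded subject name, first four bytes read as a little-endian integer). It is written in Python rather than shell so it runs with no openssl and no device attached; the sample certificate it builds is a constructed, unsigned placeholder that only has the real X.509 field layout, and the adb steps it prints are the ones from above.

```python
"""Compute Android's cacerts file name (<subject_hash_old>.0) for a DER CA
certificate and convert it to PEM, without openssl. Added example; the
sample certificate built at the bottom is constructed, not a real signed CA.
"""
import base64
import hashlib
import sys


def _tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos -> (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _vstart, vend = _tlv(buf, pos)
        yield tag, pos, vend
        pos = vend


def extract_subject_der(cert_der: bytes) -> bytes:
    """Return the subject Name as DER (SEQUENCE header included, as OpenSSL hashes it).

    Certificate ::= SEQ { tbsCertificate SEQ { [0] version OPTIONAL, serialNumber,
    signature, issuer, validity, subject, ... }, signatureAlgorithm, signatureValue }
    """
    tag, start, _end = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input must be base64-decoded first)")
    tbs_tag, tbs_start, tbs_end = _tlv(cert_der, start)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = list(_children(cert_der, tbs_start, tbs_end))
    if fields and fields[0][0] == 0xA0:    # EXPLICIT [0] version is optional, skip it
        fields = fields[1:]
    sub_tag, sub_start, sub_end = fields[4]  # serial, sigAlg, issuer, validity, subject
    if sub_tag != 0x30:
        raise ValueError("subject is not a Name SEQUENCE")
    return cert_der[sub_start:sub_end]


def subject_hash_old(subject_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old: first 4 MD5 bytes as a little-endian uint32, 8 hex digits."""
    digest = hashlib.md5(subject_der).digest()
    return f"{int.from_bytes(digest[:4], 'little'):08x}"


def android_cacert_name(cert_der: bytes) -> str:
    """<subject_hash_old>.0, the file name used under /system/etc/security/cacerts/."""
    return subject_hash_old(extract_subject_der(cert_der)) + ".0"


def der_to_pem(cert_der: bytes) -> str:
    """Same output as `openssl x509 -inform DER -in cacert.der -out cacert.pem`."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder (short and long length forms) for the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert_der(common_name: str) -> bytes:
    """Constructed, unsigned placeholder with the X.509 v3 field layout (not a usable cert)."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")            # id-at-commonName
                                            + _der(0x0C, common_name.encode()))))   # UTF8String
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))        # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    spki = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))
                 + _der(0x03, b"\x00"))                                                # empty key bits
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + sig_alg + name + validity + name + spki)                            # issuer == subject
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))


if __name__ == "__main__":
    # usage: python ca_name.py cacert.der  (no argument: uses the constructed sample)
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cert_der("Sample CA")
    fname = android_cacert_name(der)
    with open(fname, "w") as fh:
        fh.write(der_to_pem(der))
    print(f"wrote {fname}; next: adb root && adb remount && adb push {fname} /system/etc/security/cacerts/"
          f" && adb shell chmod 644 /system/etc/security/cacerts/{fname} && adb reboot")
```

Running it on the DER file exported from Burp writes <hash_id>.0 in the current directory; the name matches what `openssl x509 -subject_hash_old` prints because both hash the same DER subject bytes. If a file of that name already exists in /system/etc/security/cacerts/ it belongs to a different CA with the same hash, in which case the suffix must be incremented to .1.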
To use the emulator command on Windows, add the SDK's emulator directory, C:\Users\<your_user>\AppData\Local\Android\Sdk\emulator, to the PATH environment variable.
reFlutter automates the patching of Flutter applications. Flutter's Dart networking uses its own TLS stack inside the engine (libflutter.so) rather than Android's TrustManager or the system proxy settings, so the steps above do not affect it. The tool swaps the engine for a pre-compiled, patched build that skips certificate verification and sends traffic to a proxy, and repackages the APK so the requests can be intercepted.
https://github.com/Impact-I/reFlutter
-> Install reflutter
pip3 install reflutter==0.7.7
-> Run reflutter on the APK. It prompts for the proxy's IP address and writes a patched release.RE.apk whose traffic goes to port 8083 on that IP, so add a Burp listener on 8083 with invisible proxying enabled. The output is unsigned and must be signed before it can be installed.
reflutter main.apk
uber-apk-signer signs (and zipaligns) the repackaged APK in one step, using a built-in debug key unless you supply your own keystore; the signed file is written next to the input as <name>-aligned-debugSigned.apk and can then be installed with adb.
https://github.com/patrickfav/uber-apk-signer
-> running uber-apk-signer
java -jar uber-apk-signer.jar --apks /path/to/apks