raise-isayan/OverrideSysPropModule


Android 14 Root Certificate Installation Bypass

Language/日本語

Overview

Android 14 and later make it difficult to install a trusted Root certificate on the system.

This document describes the steps to bypass this restriction.

Bypass point

In API 34, system certificates are read from "/apex/com.android.conscrypt/cacerts". However, when the system property "system.certs.enabled" is set to "true", the code retrieves certificates from "/system/etc/security/cacerts/" instead.

private static File getDirectory() {
    if ((System.getProperty("system.certs.enabled") != null)
            && (System.getProperty("system.certs.enabled")).equals("true")) {
        return new File(System.getenv("ANDROID_ROOT") + "/etc/security/cacerts");
    }
    File updatable_dir = new File("/apex/com.android.conscrypt/cacerts");
    if (updatable_dir.exists()
            && !(updatable_dir.list().length == 0)) {
        return updatable_dir;
    }
    return new File(System.getenv("ANDROID_ROOT") + "/etc/security/cacerts");
}

The bypass relies on this behavior.
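The directory selection above, as an added Python example that is not part of the repository: it follows the decision order of getDirectory() and reports which CA files a process would gain, lose or see changed once the property is "true". The function names, the local directory layout (copies of the two device directories) and all file names are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def resolve_ca_dir(props, android_root, apex_dir):
    """Same decision order as the getDirectory() excerpt, with inputs made explicit."""
    legacy = Path(android_root) / "etc/security/cacerts"
    # Exact, case-sensitive match: only the string "true" switches the store.
    if props.get("system.certs.enabled") == "true":
        return legacy
    apex = Path(apex_dir)
    if apex.is_dir() and any(apex.iterdir()):
        return apex
    return legacy  # APEX store missing or empty: fall back to the legacy directory

def fingerprints(ca_dir):
    """Map file name -> SHA-256 of its content for every file in ca_dir."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(ca_dir).iterdir()) if p.is_file()}

def trust_delta(props, android_root, apex_dir):
    """CA files gained, lost or changed compared with a process that has no override."""
    before = fingerprints(resolve_ca_dir({}, android_root, apex_dir))
    after = fingerprints(resolve_ca_dir(props, android_root, apex_dir))
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(n for n in after.keys() & before.keys()
                          if after[n] != before[n]),
    }

def build_sample(root):
    """Constructed sample tree standing in for directories copied from a test device."""
    system = Path(root) / "system/etc/security/cacerts"
    apex = Path(root) / "apex/com.android.conscrypt/cacerts"
    system.mkdir(parents=True)
    apex.mkdir(parents=True)
    for name in ("aaaa0001.0", "bbbb0002.0"):  # constructed file names
        (system / name).write_bytes(b"CA " + name.encode())
        (apex / name).write_bytes(b"CA " + name.encode())
    (system / "cccc0003.0").write_bytes(b"proxy CA (constructed)")
    return Path(root) / "system", apex

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        android_root, apex_dir = build_sample(tmp)
        print(trust_delta({"system.certs.enabled": "true"}, android_root, apex_dir))
        print(trust_delta({"system.certs.enabled": "TRUE"}, android_root, apex_dir))
```

Any entry under "added" or "changed" is a CA the process trusts only because of the override, which makes the output usable as a check that a test device's trust store contains exactly what was intended.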

Concrete procedure

We've prepared several methods below:

  • How to use Frida-Script
  • How to use Xposed Module
  • How to use Magisk Module

How to use Frida-Script

A Frida script that sets the system property "system.certs.enabled" to "true".

setImmediate(function () {
  console.log("[*] Starting script");
  Java.perform(function () {
    // Set the Java system property that getDirectory() checks, inside the target process.
    var systemClass = Java.use("java.lang.System");
    systemClass.setProperty("system.certs.enabled", "true");
  });
});

Run Frida-Script

cd OverrideSysPropModule\Frida-Script
frida -U -n com.example.app -l OverrideSysProp.js

How to use Xposed Module

With the Frida approach, the script must be specified every time the application is started. It is also inconvenient for use with multiple applications.

For that reason, an Android Xposed Module app was created so that the override is always available.

The created Xposed Module app is placed in the "OverrideSysPropModule/Xposed-Module/app/release" folder.

Procedure

  1. Install Magisk.
       1. Enable "Zygisk" and "Enforce DenyList".
       2. Reboot the system.
       3. Install Magisk Module.
  2. Install the Xposed Module in the "OverrideSysPropModule" folder.
     cd OverrideSysPropModule\Xposed-Module\app\release
     adb install OverrideSysprop.apk
  3. Install a Root certificate, such as Burp's, as a user certificate.
  4. Enable the Module for the application to which you want to apply it.

TIP: After completing the procedure, your Android device may not be recognized correctly. Please restart it.

How to use Magisk-Module

An Android Magisk Module was also created so that the override is always available.

The created Magisk Module is placed in the "OverrideSysPropModule/Magisk-Module/app/release" folder.

Procedure

  1. Install Magisk.
       1. Enable "Zygisk" and "Enforce DenyList".
       2. Reboot the system.
       3. Install Magisk Module.
  2. Install the Magisk Module in the "OverrideSysPropModule" folder.
     cd OverrideSysPropModule\Magisk-Module\app\release
     adb push /sdcard/Download
  3. Install a Root certificate, such as Burp's, as a user certificate.

TIP: After completing the procedure, your Android device may not be recognized correctly. Please restart it.