src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
23 additions & 5 deletions
@@ -45,9 +45,9 @@ adb reboot #Now, reboot the machine
45
45
46
46
Once the **machine finish rebooting** the burp certificate will be in use by it!
47
47
48
-
## Using Magisc
48
+
## Using Magisk
49
49
50
-
If you **rooted your device with Magisc** (maybe an emulator), and you **can't follow** the previous **steps** to install the Burp cert because the **filesystem is read-only** and you cannot remount it writable, there is another way.
50
+
If you **rooted your device with Magisk** (maybe an emulator), and you **can't follow** the previous **steps** to install the Burp cert because the **filesystem is read-only** and you cannot remount it writable, there is another way.
51
51
52
52
Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you need to:
53
53
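Review bot: Renaming the heading at new line 48 from `## Using Magisc` to `## Using Magisk` also changes the anchor generated for that section, so any link elsewhere that targets the old `#using-magisc` fragment will stop resolving; search the repo for that fragment and update it in the same commit. Since this hunk is a typo pass, the context line 46 still reads "Once the **machine finish rebooting**", which should be "finishes".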
@@ -59,21 +59,33 @@ Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you n
2.**Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:
62
+
2.**Make it System trusted**: Download the Magisk module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag&drop it** in the phone, go to the **Magisk app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:
If you're on Android 14+ (or on older devices that received Conscrypt Mainline updates and now use `/apex/com.android.conscrypt/cacerts`), the Magisk module **AlwaysTrustUserCerts** automates the bind-mounting required for system trust. It mirrors user CAs into system trust and injects mounts into Zygote/app namespaces so apps see the certs without manual `nsenter` work.
73
+
74
+
1. Install the Burp CA as a **user** cert first.
75
+
2. Install the module and reboot.
76
+
3. If the module offers a choice, prefer `--rbind` when mounting `/system/etc/security/cacerts` into `/apex/com.android.conscrypt/cacerts` to ensure nested mounts (from other modules) are visible.
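Review bot: The new paragraph names the **AlwaysTrustUserCerts** module without a link, while the step just above links MagiskTrustUserCerts to its repository; add the module's URL so readers install the intended one. Step 3 ("If the module offers a choice, prefer `--rbind` ...") also does not say where that choice is made (an install-time prompt, a config file, or an edit to the module script), so a reader cannot act on it as written.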
In the latest Android 14 release, a significant shift has been observed in the handling of system-trusted Certificate Authority (CA) certificates. Previously, these certificates were housed in **`/system/etc/security/cacerts/`**, accessible and modifiable by users with root privileges, which allowed immediate application across the system. However, with Android 14, the storage location has been moved to **`/apex/com.android.conscrypt/cacerts`**, a directory within the **`/apex`** path, which is immutable by nature.
84
+
In the latest Android 14 release, a significant shift has been observed in the handling of system-trusted Certificate Authority (CA) certificates.
85
+
86
+
Note: Some Android 12/13 devices that received **Conscrypt Mainline** updates already use `/apex/com.android.conscrypt/cacerts`. If that directory exists on your device, you must use the same APEX injection technique described below.
87
+
88
+
Previously, these certificates were housed in **`/system/etc/security/cacerts/`**, accessible and modifiable by users with root privileges, which allowed immediate application across the system. However, with Android 14, the storage location has been moved to **`/apex/com.android.conscrypt/cacerts`**, a directory within the **`/apex`** path, which is immutable by nature.
77
89
78
90
Attempts to remount the **APEX cacerts path** as writable are met with failure, as the system does not allow such operations. Even attempts to unmount or overlay the directory with a temporary file system (tmpfs) do not circumvent the immutability; applications continue to access the original certificate data regardless of changes at the file system level. This resilience is due to the **`/apex`** mount being configured with PRIVATE propagation, ensuring that any modifications within the **`/apex`** directory do not affect other processes.
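Review bot: The Note added at new line 86 splits the Android 14 paragraph in two, so "Previously, these certificates were housed in ..." at line 88 now follows a sentence about Android 12/13 devices and "Previously" no longer has a clear reference point, while "In the latest Android 14 release ..." is left standing as a one-sentence paragraph. Keep the original paragraph intact and place the Conscrypt Mainline note after it.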
2.**Preparing CA Certificates**: Following the setup of the writable directory, the CA certificates that one intends to use should be copied into this directory. This might involve copying the default certificates from `/apex/com.android.conscrypt/cacerts/`. It's essential to adjust the permissions and SELinux labels of these certificates accordingly.
151
163
3.**Bind Mounting for Zygote**: Utilizing `nsenter`, one enters the Zygote's mount namespace. Zygote, being the process responsible for launching Android applications, requires this step to ensure that all applications initiated henceforth utilize the newly configured CA certificates. The command used is:
152
164
165
+
Tip: If `/system/etc/security/cacerts` contains nested mounts (common with Magisk modules), use `--rbind` instead of `--bind` so those mounts propagate into app namespaces.
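Review bot: The Tip at new line 165 repeats the `--rbind` advice already added as step 3 of the AlwaysTrustUserCerts list, and it sits directly after "The command used is:" on line 163, which separates that sentence from whatever it introduces. Move the Tip below the command and show the `--rbind` form of that command there, so the advice is stated once and next to the thing it modifies.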
-[Android 14: Install a system CA certificate on a rooted device](https://httptoolkit.com/blog/android-14-install-system-ca-certificate/)
186
+
-[Intercepting traffic on Android with Mainline and Conscrypt](https://blog.nviso.eu/2025/06/05/intercepting-traffic-on-android-with-mainline-and-conscrypt/)
-[Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)