Edit on GitHub

#  Install System CA Certificate on Android Emulator

Since Android 7, apps ignore user provided certificates, unless they are configured to use them. As most applications do not explicitly opt in to use user certificates, we need to place our mitmproxy CA certificate in the system certificate store, in order to avoid having to patch each application, which we want to monitor.

Please note, that apps can decide to ignore the system certificate store and maintain their own CA certificates. In this case you have to patch the application.

#  1. Prerequisites

#  2. Rename certificate

CA Certificates in Android are stored by the name of their hash, with a ‘0’ as extension (Example: c8450d0d.0). It is necessary to figure out the hash of your CA certificate and copy it to a file with this hash as filename. Otherwise Android will ignore the certificate. By default, the mitmproxy CA certificate is located in this file: ~/.mitmproxy/mitmproxy-ca-cert.cer

#  Instructions

#  3. Insert certificate into system certificate store

Now we have to place our CA certificate inside the system certificate store located at /system/etc/security/cacerts/ in the Android filesystem. By default, the /system partition is mounted as read-only. The following steps describe how to gain write permissions on the /system partition and how to copy the certificate created in the previous step.

#  Instructions when using Magisk

If you want to use a production build (labeled “Google Play”; it’s those builds that have Google Play installed) you can use Magisk to obtain root in your AVD. Magisk allows root on your Android device or emulator.

See the instructions here for installing Magisk on your AVD. The instructions have been tested with API level 30, but are reportedly working with API levels 22 up to and including 30 and ‘S’ (except API level 28). Note: the instructions say to start your AVD. Do not supply an -http-proxy directive to mitmproxy at this point.

When you are done with that, your emulator will allow root. You can check this by running a terminal emulator and typing su. Magisk should ask you if you want to grant root to the program. After granting this, typing whoami would display root.

However, after you have installed Magisk, you can no longer start your emulator with -writable-system. It will cause a boot loop. (Start your AVD with -show-kernel to see the error.) But you can install your mitmproxy certificate by putting it in a Magisk module, and installing that module. Magisk will take care of copying your certificate to /system/etc/security/cacerts/ during boot.

#  Downloading the Magisk module from mitmweb

If you run mitmweb, you can get simply download the Magisk module instead of handcrafting it. Stop your AVD, and start it again with -http-proxy 127.0.0.1:8080 (or whatever IP and port combination you are running mitmweb’s proxy on).

Then, inside the AVD, start a browser and navigate to http://mitm.it/cert/magisk. You will be prompted to download mitmproxy-magisk-module.zip, which is the Magisk module you need. Store that file somewhere (like in ‘Downloads’).

Then open up Magisk, click on Modules and install your module.

Reboot your AVD.

#  Creating the Magisk module containing your certificate

If you do not run mitmweb, you’ll need to create a Magisk module yourself. See here for in-depth information on Magisk modules, but basically it boils down to this:

Create the following directories:

Place your renamed certificate from step 2 inside mitmproxycert/system/etc/security/cacerts and chmod 664 it.

Save the content of https://github.com/topjohnwu/Magisk/blob/master/scripts/module_installer.sh as a local file update-binary and place it inside mitmproxycert/com/google/android.

Create a file named updater-script containing only the string #MAGISK and place it inside mitmproxycert/com/google/android.

Create a file named module.prop and place it inside mitmproxycert. The file should contain something like:

id=mitmproxycert
name=MITM proxy certificate
version=1
versionCode=1
author=mitmproxycert
description=My shiny MITM proxy certificate to reveal all secrets and obtain world domination!

Zip the module using something like cd ./mitmproxycert ; zip -r ./../mitmproxycert.zip ./ and push it to your running AVD using adb push ./../mitmproxycert.zip /storage/emulated/0/Download/.

The go to your AVD, open up Magisk, click on Modules and install your module (you’ll find it in the Downloads folder).

Reboot your AVD.

#  Instructions for API LEVEL > 28 using -writable-system

By default, the /system partition is mounted as read-only. The following steps describe how to gain write permissions on the /system partition and how to copy the certificate created in chapter 2.

Starting from API LEVEL 29 (Android 10), it seems to be impossible to mount the “/” partition as read-write. Google provided a workaround for this issue using OverlayFS. Unfortunately, at the time of writing this (11. April 2021), the instructions in this workaround will result in your emulator getting stuck in a boot loop. Some smart guy on Stackoverflow found a way to get the /system directory writable anyway.

Keep in mind: You always have to start the emulator using the -writable-system option if you want to use your certificate. Otherwise Android will load a “clean” system image.

Tested on emulators running API LEVEL 29 and 30

#  Instructions

#  Instructions for API LEVEL <= 28 using -writable-system

Tested on emulators running API LEVEL 26, 27 and 28

Keep in mind: You always have to start the emulator using the -writable-system option if you want to use your certificate. Otherwise Android will load a “clean” system image.

#  Testing that your certificate is loaded from the system certificate store

In your AVD, go to Settings → Security → Advanced → Encryption & credentials → Trusted credentials. Find your certificate (default name is mitmproxy) in the list.