-1

I'm trying to find out a specific request from an android application to its API server. Using Burp Suite, I get a handshake failure alert. Using fiddler it asks me to provide a custom certificate.

[Screenshot: Fiddler pop-up asking for a client certificate]

Now I have used apktool to de-compile the application, and I have found these files:

  • arsalan-ha.quizofkings.com.pem
  • certificate.crt
  • private_key.pfx
  • root-ca.crt
  • x1.pfx

But they don't look like certificates. They are secrets used to generate certificates most likely, if I'm correct.

I've uploaded the files here

Could I use these secrets (if they are), to generate certificates and try one by one?

Ali Padida
  • 135
  • 1
  • 9

2 Answers

4

Sounds like a good excuse for you to read up on certificate file formats, and spend some time with openssl or another cert viewer (personally I like KeyStore Explorer) until you figure out what format those files are in, and what format Burp is expecting.

For a client cert, usually Burp wants the certificate + matching private key bundled together into a single .p12 file. I'm not going to download your files because security, but my guess is that you will need to combine certificate.crt + private_key.pfx into a single .p12 file using openssl / KeyStore Explorer. If private_key.pfx is a password-protected file, then you may need to do some more reverse-engineering of the application binary to find that password.

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209
  • Thanks for the details; the file contents look much alike in terms of format. This is what "certificate.crt" has, for example: https://i.ibb.co/7SyVm54/cer.png What tools would help me reverse-engineer more? Sorry for the trouble. – Ali Padida Mar 02 '20 at 17:45
  • These are binary files, not text files, so Notepad won't know how to render them. As I said above, my favourite tool for working with certificate files is [KeyStore Explorer](https://keystore-explorer.org/). The openssl command-line util is also a good choice. – Mike Ounsworth Mar 02 '20 at 18:54
  • I asked a question here to explain the difference between certificates and private keys: https://security.stackexchange.com/q/226747/61443 – Mike Ounsworth Mar 03 '20 at 18:36
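The workflow this answer describes (work out what format each file is in, then bundle certificate and key into a single PKCS#12 for Burp), as an added example that is not code from the original post or from either answerer. It assumes `openssl` is on the PATH; the file names mirror the question (`certificate.crt`, `private_key.pem`) but every file is generated locally as a constructed stand-in, and the PKCS#12 password `changeit` is an assumption. The `p12_has_key_and_cert` check is also the test you would run on a `.pfx` pulled out of an app, as in the second answer below, to confirm it already holds both pieces and needs no re-generation.

```shell
#!/bin/sh
# Added example: identify what a .crt/.pfx/.pem file actually is, then bundle
# the certificate and its matching private key into one PKCS#12 (.p12) file,
# the form Burp's client-certificate import expects.
# Assumptions: openssl is installed; file names echo the question but the
# contents are generated here, not taken from any app.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-changeit}"   # assumed password for probing/creating PKCS#12

# Print one word naming a file's container format. PEM is text, so a grep
# settles it; DER certificates, DER keys and PKCS#12 bundles are all binary
# ASN.1, so "it is not text" says nothing and openssl has to try each parser.
classify_file() {
    f="$1"
    if grep -q -- '-----BEGIN' "$f" 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$f" -noout 2>/dev/null; then
        echo DER-CERT
    elif openssl pkey -inform DER -in "$f" -noout 2>/dev/null; then
        echo DER-KEY
    elif openssl pkcs12 -in "$f" -noout -passin "pass:$P12_PASS" 2>/dev/null; then
        echo PKCS12
    else
        echo UNKNOWN   # wrong PKCS#12 password, or some other format entirely
    fi
}

# Bundle cert + key into a PKCS#12. "openssl pkcs12 -export" reads PEM, so a
# DER-encoded cert or key is converted first. openssl refuses to export when
# the key does not match the certificate, which is the check you want anyway.
make_client_p12() {
    cert="$1"; key="$2"; out="$3"
    if [ "$(classify_file "$cert")" = DER-CERT ]; then
        openssl x509 -inform DER -in "$cert" -out "$out.cert.pem"
        cert="$out.cert.pem"
    fi
    if [ "$(classify_file "$key")" = DER-KEY ]; then
        openssl pkey -inform DER -in "$key" -out "$out.key.pem"
        key="$out.key.pem"
    fi
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name client-cert \
        -out "$out" -passout "pass:$P12_PASS"
}

# Succeeds only when a PKCS#12 holds both a certificate and a private key;
# a cert-only or key-only bundle cannot act as a client identity.
p12_has_key_and_cert() {
    dump=$(openssl pkcs12 -in "$1" -nodes -passin "pass:$P12_PASS" 2>/dev/null) || return 1
    printf '%s\n' "$dump" | grep -q 'BEGIN CERTIFICATE' &&
        printf '%s\n' "$dump" | grep -q 'PRIVATE KEY'
}

# Constructed stand-in for the files found in the APK: a self-signed client
# certificate stored as binary DER (.crt) and its private key as PEM.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-client' \
        -keyout "$WORK/private_key.pem" -out "$WORK/certificate.pem" 2>/dev/null
    openssl x509 -in "$WORK/certificate.pem" -outform DER -out "$WORK/certificate.crt"
    rm -f "$WORK/certificate.pem"
}

main() {
    make_demo_files
    for f in "$WORK"/*; do
        printf '%-20s %s\n' "$(basename "$f")" "$(classify_file "$f")"
    done
    make_client_p12 "$WORK/certificate.crt" "$WORK/private_key.pem" "$WORK/client.p12"
    p12_has_key_and_cert "$WORK/client.p12" && echo "client.p12 ready to import into Burp"
}
main
```

Point `classify_file` at the real files from the APK one by one; a `.pfx` that comes back `UNKNOWN` with the default password is the case the answer mentions, where the password still has to be recovered from the application before the bundle can be opened or rebuilt.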
1

I was able to extract the certificate and password with the help of running Frida server on a rooted Android >= 4.2 device and then running a script after attaching to the application.

Here's the link to the related script tutorial: http://ceres-c.it/frida-android-keystore/

Note:

There was no need to use keytool to re-generate the certificate as mentioned at the end of the article, because it was a PKCS12 certificate, which was enough to import into Burp's Client SSL Certificates.

After that the application's server accepted the requests.

Hope it helps others.

Ali Padida
  • 135
  • 1
  • 9
  • Thanks for the script, managed to get a client cert from an app I was debugging! The link doesn't seem to work anymore; the full URL now is https://ceres-c.it/2018/12/16/frida-android-keystore/ – thiezn Sep 12 '22 at 16:35