On preview version of Android 11 I got an error when trying to install CA certificate:
Intent intent = new Intent("android.credentials.INSTALL");
intent.putExtra("name", getCertName());
intent.putExtra("CERT", getCert());
startActivity(intent);
The error message is:
Can't install CA certificates
CA certificates can put your privacy at risk and must be installed in
Settings.
I haven't found nothing on Android documentation about this change. Any ideas? Any workarounds (except to install it manually from settings)?
UPDATE (28/4):
Found a bug in issuetracker: https://issuetracker.google.com/issues/151858120
I have also face same issue.
Please follow below steps in android 11 or 11+.
In Android 11, to install a CA certificate, users need to manually:
Open Device settings
Go to 'Security'
Go to 'Encryption & Credentials'
Go to 'Install from storage' or 'Install a certificate' (depend on devices)
Select 'CA Certificate' from the list of types available
Accept a warning alert.
Browse to the certificate file on the device and open it
Confirm the certificate install
On "modern" Samsung phones
it's hidden in Settings -> Biometrics and security -> Other security settings -> Install from device storage -> CA Certificate -> Install Anyway
There's a tiny note about this in the Android 11 enterprise changelog here, which says:
Note: Apps installed on unmanaged devices or in a device's personal profile can no longer install CA certificates using createInstallIntent(). Instead, users must manually install CA certificates in Settings.
Sounds very much like this is intentional, and you won't be able to get around it on normal unmanaged devices. You'll either need to look into full Android device management, or provide instructions to your users on doing manual setup instead.
Note that registering your app as a normal device admin app is not sufficient either. To use the remaining DevicePolicyManager.installCaCert API your app must be the owner of the device or profile.
That means from Android 11+, you can do automatic setup for CA certs used only within separate & isolated work profiles on the device, or for fresh devices that you provision with your app pre-installed, and nothing else.
If you'd like this behaviour changed, there's an issue you can star & comment on in the Android tracker here: https://issuetracker.google.com/issues/168169729
Related
I am using an android emulator (Pixel_3a_API_32_arm64-v8a) and need to install Charles Proxy there. As per the step I have already set up the wifi settings(i.e change proxy to manual and then set up the proxy hostname and proxy port in the wifi setting). Also, I have downloaded the SSL certificate using http://chls.pro/ssl. But on trying to install it I am getting an error in my android emulator.
Error
This certificate from null must be installed in Settings. Only install CA certificates from organizations you trust.
On recent Android versions, it's no longer possible to install system certificates, and installing user certificates is much harder. It's not possible to just open the file normally to install it, and apps can't show you any prompts to trigger installation either.
For more details on the change and how this works, see https://httptoolkit.tech/blog/android-11-trust-ca-certificates/
The actual steps you need are:
Open settings
Go to 'Security'
Go to 'Encryption & Credentials'
Go to 'Install from storage'
Select 'CA Certificate' from the list of types available
Accept a large scary warning
Browse to the certificate file on the device and open it
Confirm the certificate install
I have followed instructions on how to add fiddler certificate on android emulator, using both nox and memu emulators, as well as my android phone running marshmallow, I set the WiFi proxy to point to my PC over the local network, when I open a website using a web browser, things work fine, I receive the warning, I choose to proceed and the connection is successfully tunneled and decrypted using fiddler.
But, when I try to use other apps, connections fail! I see the tunnel connections, and then connection fails. My bet is, it's due to the invalid HTTPS certificate, so my question is, is there a way for me to install fiddler to the trusted authorities so connecting to it will go through without the warning? So I can finally debug HTTPS traffic from and to those apps.
I found similar questions here on SO, but none of them were exactly the same as mine, nor did they have the right answers, so I'm not sure if this question does in fact qualify as a duplicate.
Thanks
On modern Android devices using apps developed for target API Level 24 (Android 7) or higher sniffing traffic is not that simple anymore. The target API level of an app is defined it's AndroidManifest.xml file in the entry <uses-sdk android:targetSdkVersion="??"/>.
The main problem is that if you install the Fiddler root CA certificate in Android it is marked as user certificate (not system certificate). And unless explicitly configured in an app those user certificates are not trusted.
One of those rare apps that respect user CA certificates is Chrome. So using Chrome for testing if the proxy and the installed root CA certificate works is a bad idea, as it may only work in Chrome but not for apps.
Note that some apps further use certificate pinning (leaf or root CA pinning). Therefore even if the Fiddler root CA certificate is installed as system certificate the app won't trust this certificate as it fails on the certificate pinning.
Certificate pinning is also a web site feature, hence some sites save a certificate hash in the web browser cache that pins the site to a certain certificate. In such a case clearing the browser cache is usually removing those pinning data.
Rooted devices
If your device is rooted you can try to install the Fiddler root CA certificate as system certificate. The Mitmproxy documentation contains a how-to for manually installing the mitmproxy certificate.
If you have rooted the phone using Magisk, there is a Magisk module that seems to be able to install user certificates automatically as system certificates: https://github.com/NVISO-BE/MagiskTrustUserCerts
Alternatively you can install Magisk + Edxposed + TrustMeAlready Xposed module. This allows to disable certificate checking system wide - WARNING: this eliminates the security of SSL/TLS against active attacks, for all apps on the phone. Therefore only do this on a device you use just for hacking!
Also possible is installing and run Frida-Server on the device and hook into the app you are interested to modify the SSL/TLS certificate checking at run-time. AFAIK the Frida based framework Objection has some scripts to do so.
Non-rooted device
On a non-rooted device there is only the option to modify the application before you install it onto the device. Note that some apps will detect that they have been modified and will refuse to work.
To let the app trust user certificates you have to modify network_security_config.xml (see e.g. here) included in the app. You can use apktool to decompile/recompile the app. Don't forget to re-sign the recompiled/repackaged app e.g. using apksigner from Android SDK.
There are some tools available that automate the decompiling , modification and signing like apk-mitm.
There is also the possibility to modify an app by including the Frida gadget for Android into the app. This would allow to use Frida for this specific app on a non-rooted device.
I tried both DER and PEM formats. I tried using the file extensions crt, cer, p12, pem but nothing of them get imported. I went into Settings > Security > Install from SD card and it takes me to the Downloads page. I have the certificates listed but when I click on them, nothing happens.
Updated to add: I ended up going back to 4.3. It works fine in that.
Go to Android Virtual Device Manager (sdk\tools\android.bat avd)
Start your emulator but select 'Wipe user Data' when you're starting the emulator
Copy your certificate into /storage/sdcard using e.g. sdk/tools/monitor.bat
Set a screenlock pin here: Settings > Security > Screenlock > PIN
Now you can import the certificate properly via Settings > Security > Install from storage
Background: I also had the same problem you described and it seems to be an android emulator 4.4.2 bug which occurs when you don't import the certificate first thing i.e. when you don't follow the exact steps above.
This question is old, but still persists. Hopefully this will help some other developers who still need to add a certificate to their emulator.
Download the certificate using any of the various methods. I emailed myself the certificate from my computer, turned on the emulator, ran gmail and downloaded the certificate to the emulator through gmail.
Depending on your settings, you may be prompted to accept the certificate as soon as its downloaded. Others may be able to find the certificate file using a files program where simply executing it will install the certificate.
But for those who can't, here's the sure-fire method.
Run the Settings app
Security
Encryption & Credentials
Install a Certificate
choose Selected CA Certificate
Install anyway
tap on the downloaded certificate
You should get a Toast saying that the CA certificate was installed.
This is for an emulator running Android R. Good luck!
With your limited description, I'll try to help as much as I can.
Ensure your problematic AVD (4.4 I assume) has available storage space. Try best to ensure it is a clean AVD with nothing extra installed.
Place your cert in the root /sdcard/ and install at:
Settings -> Security -> Install from SD card
Avoid installation of certs with the same name but different formats.
Problem with *.p12 files (pkcs12):
at: Settings -> Security -> Install from SD card the *.p12 files are grayed out. When I download the file via webserver and try to open it, android say me "Can't open" Same with *.pem files.
I tried it with 4.4.2 and 4.4.4.
There is a script available at https://github.com/mitmproxy/mitmproxy/issues/204#issuecomment-32837093.
The app works fine in debug. But when I build it in release mode, and sign it, it will not install on any devices unless they are configured to allow apps from unknown sources i.e. the phone says "For security, your phone is set to block installation of applications not obtained from Android Market"
The app will not install from dropbox, or the gmail app.
It won't install on a Galaxy Nexus, a Samsung Galaxy S II, a Nexus One, amongst others.
As far as I can see the signing process works fine - there are no errors.
I've tried signing with a key from another app, and that fails too, when that key works fine for another app. This suggests the key is not the problem.
The APK is definitely a release build.
So what are the checks Android performs before it allows a signed, release app to be installed? How does it know it's not from a trusted source?
You will have to enable the devices to "allow non-market apps" to be installed else it will complain.
You will find this somewhere in Settings->Development.
I've had this problem before.
Try the steps listed here
Also, go to settings, then Applications. Theres a button to allow it at the top of that screen.
Find option Unknown Source and make it enable.
Some have this option in setting --> Application
Some have this option in setting --> Security
I am facing a strange problem. I created an apk of my application with unsigned key and tried to install it on my samsung galaxy pop, but i am not able to install it on my samsung galaxy pop. I enabled the option for installation of non market place app but i am getting unable to install message.
However when i am connecting phone with USB and clicking on run it is getting installed in the device.
is there anything wrong in my approach??
this is my sample apk file which i am trying to install http://www.mediafire.com/?aotxfupx7h7t568
Thanks
You must sign it
From Signing Your Applications
*The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications. The certificate is not used to control which applications the user can install. The certificate does not need to be signed by a certificate authority: it is perfectly allowable, and typical, for Android applications to use self-signed certificates.
All applications must be signed. The system will not install an application that is not signed.
It couldn't be any clearer
If you are doing this from Eclipse and running the app on handset, I think android treats it differently, since you probably had USB debugging enabled and the handset is fooled into thinking it is debugging.
When you tried installing the app, because it is not signed the handset may be rejecting it.
You should be fine running and debugging like this, but when you create the final apk you will need it signed.