I am creating a small demo app to implement ssl certificate pinning in android webview. I have generated the certificates of the host.
Can anyone suggest me how to pin the certificates in the application code.
I have searched many links but I am still stuck.
WebViews are tricky, not least because there is no perfect way to implement pinning in them except with Android N using Network Security Configuration.
The best you can do is override shouldInterceptRequest and implement the network calls yourself using one of the methods described in Android Security: SSL Pinning, however this only intercepts GET requests so if your WebViews use POST requests then you are out of luck. Android-SSL-Pinning-WebViews shows an example of doing this.
Related
I know this question is very similar to this one: Using Charles proxy to decrypt googleapis.com,
but it is very old and I think google changed some stuff about their APIs.
I'm using Charles to inspect HTTP requests from an android app (which is not mine).
This app uses SSL pinning, so I bypassed it with this tutorial:
https://lucy-janewalsh.com/blog/2019/10/29/unpinning-an-app
This works perfectly for every domain, except firestore.googleapis.com.
Charles gives me this error:
No request was made. Possibly the SSL certificate was rejected.
Do you know if this is possible to inspect requests made to this address?
Thanks
That tutorial only disables SSLPinning by the conscrypt library and only if the app that uses this library has not been obfuscated. If the app is obfuscated the class can not be found and the pinning will remain active. Also keep in mind that conscrypt is based on my experience not very often used by Android apps. Other libraries that provide SSLPinning like OKHttp are way more often used (e.g. covered by this Frida snippet.
In your case everything depends on the app you try to intercept the traffic of. Decompile it e.g. using Jadx or your favorite app decompiler and try to identify the used library/method for SSL pinning. If the app is obfuscated (class names changed) then most likly you have to write your own frida code to disable pinning (or at least adapt the class names form an existing frida code snippet that performs unpinning for the SSL-library used in your app).
I have an android application which using SSL in Api calls. I found some solutions to reveal transactions such as SSL Unpinning:
https://github.com/ac-pm/SSLUnpinning_Xposed
and
https://www.roe.ch/SSLsplit
and
https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS
I need a secure method to keep my application safe.
I think this is a critical problem for our applications not users!
I will start with a very very short introduction on OS certificate pinning for Android. Starting with version 4.2 of Android system/OS level SSL/TLS certificate pinning was introduced (see also this URL for more info.). The list of pinned certificates using this mechanism is located at: "/data/misc/keychain/pins" and contains by default around 40 entries for Google services like mail.google.com, youtube.com, etc. I would very much like to have my own certificate pinned by having it added to this list. However, modifying this list requires an Android permission (android.permission.WRITE_SECURE_SETTINGS) that's only available to system apps.
Doe anyone know if there might by some kind procedure in place at Google to submit a request to be added to this list (i.e. /data/misc/keychain/pins)?
WebViews are tricky, not least because there is no perfect way to implement pinning in them except with Android N using Network Security Configuration.
The best you can do is override shouldInterceptRequest and implement the network calls yourself using one of the methods described in Android Security: SSL Pinning, however this only intercepts GET requests so if your WebViews use POST requests then you are out of luck. Android-SSL-Pinning-WebViews shows an example of doing this.
My issue is how to connect between client and worklight server via https.
I've use self-signed ssl (without CA) and i want somehow to trust all certificates by pass the SSLHandshakeError.
Environments:
Worklight 6.2
Android platform
It is possible to use "single-tone" HttpClientManager.getInstance().getHttpClient() like this and some how add some custom sslFactory or something like this...
PS.
I've done everything written in the guide wl 6.2 ssl
I've tried with customCordovaWebViewClient and to override sslErrorHandler but this doesn't work for me
I know that there is a variant to create self-certificates with CA bit and install it manually on devices but that is not possible for me...
That is currently not supported as far as I know. You might need to open a feature request.
I would also suggest considering just using HTTP, as using HTTPS like this is not really safer than regular HTTP. The only benefit is that the traffic gets encrypted, but anyone who wants to spoof the server can easily do so, rendering such encryption useless, and worse because it gives the illusion of security. But I assume you already knew this.
I am developing phoneGap application which is integrated with web service for requesting data.
Communication used to happen through HTTP but I want to take it to HTTPS communication.
I integrated SSL for my tomcat server and I can send HTTPS request from RESTClient using browser.
But my phoneGap mobile application is not able to communicate for HTTPS request.
Any extra setting required for it?
I am targeting android and iOS for now.
Any help will be appreciated.
We had to face the same issue last week in our own project.
In Android we didn't have any problem with it, we observed that Android trusted all the certificates (are you having issues with Android?), however in iOS we had some trouble.
The first thing you can do is to install the trusted certificate in your iOS... but it will be problematic for basic users.
The solution we decided to take was to allow access to all SSL for our application, in order to do that you have to add the next code at the end of your AppDelegate.m file:
#implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
return YES;
}
#end