So I am running a few automated tests on an android emulator. I have two environments, my development PC running the android emulator, and our testing server running the android emulator. When I open the emulator and the browser app within the emulator, I can navigate to secure websites no problem. (For instance, google mail). However, in my testing server environment, I am seeing certificate errors on sites whose certificates should well be trusted. Is there an emulator configuration option for certificates that I am missing? Does the emulator need to connect to a service to verify the certificates and does not have access?
Ensure that the date and time are set properly on the emulator. An incorrect time setting may well invalidate the certificate because it's not within validity window.
Related
I installed nox and burp. But the problem is that I can not track the traffic of Android applications. I installed the certificate and made all the settings. The risk acceptance message is also displayed when using the browser. And when I confirm it, the traffic is intercepted. But not in other programs. After turning on the suite. I get an internet error.
I have followed instructions on how to add fiddler certificate on android emulator, using both nox and memu emulators, as well as my android phone running marshmallow, I set the WiFi proxy to point to my PC over the local network, when I open a website using a web browser, things work fine, I receive the warning, I choose to proceed and the connection is successfully tunneled and decrypted using fiddler.
But, when I try to use other apps, connections fail! I see the tunnel connections, and then connection fails. My bet is, it's due to the invalid HTTPS certificate, so my question is, is there a way for me to install fiddler to the trusted authorities so connecting to it will go through without the warning? So I can finally debug HTTPS traffic from and to those apps.
I found similar questions here on SO, but none of them were exactly the same as mine, nor did they have the right answers, so I'm not sure if this question does in fact qualify as a duplicate.
Thanks
On modern Android devices using apps developed for target API Level 24 (Android 7) or higher sniffing traffic is not that simple anymore. The target API level of an app is defined it's AndroidManifest.xml file in the entry <uses-sdk android:targetSdkVersion="??"/>.
The main problem is that if you install the Fiddler root CA certificate in Android it is marked as user certificate (not system certificate). And unless explicitly configured in an app those user certificates are not trusted.
One of those rare apps that respect user CA certificates is Chrome. So using Chrome for testing if the proxy and the installed root CA certificate works is a bad idea, as it may only work in Chrome but not for apps.
Note that some apps further use certificate pinning (leaf or root CA pinning). Therefore even if the Fiddler root CA certificate is installed as system certificate the app won't trust this certificate as it fails on the certificate pinning.
Certificate pinning is also a web site feature, hence some sites save a certificate hash in the web browser cache that pins the site to a certain certificate. In such a case clearing the browser cache is usually removing those pinning data.
Rooted devices
If your device is rooted you can try to install the Fiddler root CA certificate as system certificate. The Mitmproxy documentation contains a how-to for manually installing the mitmproxy certificate.
If you have rooted the phone using Magisk, there is a Magisk module that seems to be able to install user certificates automatically as system certificates: https://github.com/NVISO-BE/MagiskTrustUserCerts
Alternatively you can install Magisk + Edxposed + TrustMeAlready Xposed module. This allows to disable certificate checking system wide - WARNING: this eliminates the security of SSL/TLS against active attacks, for all apps on the phone. Therefore only do this on a device you use just for hacking!
Also possible is installing and run Frida-Server on the device and hook into the app you are interested to modify the SSL/TLS certificate checking at run-time. AFAIK the Frida based framework Objection has some scripts to do so.
Non-rooted device
On a non-rooted device there is only the option to modify the application before you install it onto the device. Note that some apps will detect that they have been modified and will refuse to work.
To let the app trust user certificates you have to modify network_security_config.xml (see e.g. here) included in the app. You can use apktool to decompile/recompile the app. Don't forget to re-sign the recompiled/repackaged app e.g. using apksigner from Android SDK.
There are some tools available that automate the decompiling , modification and signing like apk-mitm.
There is also the possibility to modify an app by including the Frida gadget for Android into the app. This would allow to use Frida for this specific app on a non-rooted device.
I have followed instructions on how to add fiddler certificate on android emulator, using both nox and memu emulators, as well as my android phone running marshmallow, I set the WiFi proxy to point to my PC over the local network, when I open a website using a web browser, things work fine, I receive the warning, I choose to proceed and the connection is successfully tunneled and decrypted using fiddler.
But, when I try to use other apps, connections fail! I see the tunnel connections, and then connection fails. My bet is, it's due to the invalid HTTPS certificate, so my question is, is there a way for me to install fiddler to the trusted authorities so connecting to it will go through without the warning? So I can finally debug HTTPS traffic from and to those apps.
I found similar questions here on SO, but none of them were exactly the same as mine, nor did they have the right answers, so I'm not sure if this question does in fact qualify as a duplicate.
Thanks
On modern Android devices using apps developed for target API Level 24 (Android 7) or higher sniffing traffic is not that simple anymore. The target API level of an app is defined it's AndroidManifest.xml file in the entry <uses-sdk android:targetSdkVersion="??"/>.
The main problem is that if you install the Fiddler root CA certificate in Android it is marked as user certificate (not system certificate). And unless explicitly configured in an app those user certificates are not trusted.
One of those rare apps that respect user CA certificates is Chrome. So using Chrome for testing if the proxy and the installed root CA certificate works is a bad idea, as it may only work in Chrome but not for apps.
Note that some apps further use certificate pinning (leaf or root CA pinning). Therefore even if the Fiddler root CA certificate is installed as system certificate the app won't trust this certificate as it fails on the certificate pinning.
Certificate pinning is also a web site feature, hence some sites save a certificate hash in the web browser cache that pins the site to a certain certificate. In such a case clearing the browser cache is usually removing those pinning data.
Rooted devices
If your device is rooted you can try to install the Fiddler root CA certificate as system certificate. The Mitmproxy documentation contains a how-to for manually installing the mitmproxy certificate.
If you have rooted the phone using Magisk, there is a Magisk module that seems to be able to install user certificates automatically as system certificates: https://github.com/NVISO-BE/MagiskTrustUserCerts
Alternatively you can install Magisk + Edxposed + TrustMeAlready Xposed module. This allows to disable certificate checking system wide - WARNING: this eliminates the security of SSL/TLS against active attacks, for all apps on the phone. Therefore only do this on a device you use just for hacking!
Also possible is installing and run Frida-Server on the device and hook into the app you are interested to modify the SSL/TLS certificate checking at run-time. AFAIK the Frida based framework Objection has some scripts to do so.
Non-rooted device
On a non-rooted device there is only the option to modify the application before you install it onto the device. Note that some apps will detect that they have been modified and will refuse to work.
To let the app trust user certificates you have to modify network_security_config.xml (see e.g. here) included in the app. You can use apktool to decompile/recompile the app. Don't forget to re-sign the recompiled/repackaged app e.g. using apksigner from Android SDK.
There are some tools available that automate the decompiling , modification and signing like apk-mitm.
There is also the possibility to modify an app by including the Frida gadget for Android into the app. This would allow to use Frida for this specific app on a non-rooted device.
I'm trying to setup a local dev environment for a PWA I'm working on.
I have installed mkcert on my Mac and am able to host a https://localhost version on my computer.
Now I'd like to open the page on my Android phone. On the mkcert github it says:
Mobile devices
For the certificates to be trusted on mobile devices,
you will have to install the root CA. It's the rootCA.pem file in the
folder printed by mkcert -CAROOT.
On iOS, you can either use AirDrop, email the CA to yourself, or serve
it from an HTTP server. After installing it, you must enable full
trust in it. Note: earlier versions of mkcert ran into an iOS bug, if
you can't see the root in "Certificate Trust Settings" you might have
to update mkcert and regenerate the root.
For Android, you will have to install the CA and then enable user
roots in the development build of your app. See this StackOverflow
answer.
https://github.com/FiloSottile/mkcert
I installed the rootCA.pem on my phone. The part about "enabling user roots" doesn't apply, since this is not an app.
But when I open the page on my phone using https://[my-local-network-ip]:1234 I get a warning, that the certificate can't be trusted.
How can I trust the certificate so I can locally test the PWA on my phone?
I know you've probably moved on from this question, as it's almost a year on. However, I would like to share how I was able to test my PWA locally in a secure context.
Not making any assumptions about what framework / packaging / build system you're using:
Generate a certificate & key using mkcert. If you are hosting your PWA locally & want to access it over your local IP address i.e. 192.168.1.x:3000 you also need to tell mkcert to generate a certificate that covers that IP address:
mkcert localhost 192.168.1.17
// The certificate is at "./localhost+1.pem" and the key at "./localhost+1-key.pem" ✅
Important note: most routers dynamically assign local IP addresses, so it's worthwhile assigning a static IP.
Install your RootCA from mkcert onto your iOS or Android device. Follow the instructions in the mkcert docs
Serve your generated certificates with your web server of choice. I use Create React App. You can see my answer about PWAs in secure context here
I agree with your goal - running a local TLS based setup can be useful in terms of productivity and early troubleshooting.
Your problem is DNS based and you need to access the TLS secured URL via the host name.
The only way you'll get DNS to match up on the Android side is to use an HTTP proxy, while running either an emulator or a device connected via USB.
In a nutshell I would do this:
Issue your cert to a more real world domain name such as mycompany.com
Add this domain name to DNS on your Mac book
Install a free proxy such as proxyman on the Mac
Configure the Android emulator or device to use the proxy (you will also need to trust the proxy's cert on Android and the Mac)
Then browse to https://mycompany.com from Android
Full details are available in my write up
I am facing a strange problem. I created an apk of my application with unsigned key and tried to install it on my samsung galaxy pop, but i am not able to install it on my samsung galaxy pop. I enabled the option for installation of non market place app but i am getting unable to install message.
However when i am connecting phone with USB and clicking on run it is getting installed in the device.
is there anything wrong in my approach??
this is my sample apk file which i am trying to install http://www.mediafire.com/?aotxfupx7h7t568
Thanks
You must sign it
From Signing Your Applications
*The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications. The certificate is not used to control which applications the user can install. The certificate does not need to be signed by a certificate authority: it is perfectly allowable, and typical, for Android applications to use self-signed certificates.
All applications must be signed. The system will not install an application that is not signed.
It couldn't be any clearer
If you are doing this from Eclipse and running the app on handset, I think android treats it differently, since you probably had USB debugging enabled and the handset is fooled into thinking it is debugging.
When you tried installing the app, because it is not signed the handset may be rejecting it.
You should be fine running and debugging like this, but when you create the final apk you will need it signed.