I am developing an app that works fine in debug mode running from eclipse. But when it is exported from eclipse unsigned and then signed on our server with our keystore, it can no longer access Internet. The app uses only SSL. We have a Godaddy ssl cert on the server.
The app uses Phonegap with following permissions:
<uses-permission android:name="android.permission.INTERNET">
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE">
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE">
The app works fine in iOS installed from App Store, using the same javascript code to access the services.
I can't find much information about what can be wrong here. I do know that I have had issues before with Godaddy ssl certs on the java platform. But since it works in eclipse debug mode, I can't see that as the reason.
Any ideas anyone?
Update:
Problem/Solution
The Eclipse signed debug apk was able to use a GoDaddy SSL certificate without the intermediate certificate installed on the server.
Related
I have followed instructions on how to add fiddler certificate on android emulator, using both nox and memu emulators, as well as my android phone running marshmallow, I set the WiFi proxy to point to my PC over the local network, when I open a website using a web browser, things work fine, I receive the warning, I choose to proceed and the connection is successfully tunneled and decrypted using fiddler.
But, when I try to use other apps, connections fail! I see the tunnel connections, and then connection fails. My bet is, it's due to the invalid HTTPS certificate, so my question is, is there a way for me to install fiddler to the trusted authorities so connecting to it will go through without the warning? So I can finally debug HTTPS traffic from and to those apps.
I found similar questions here on SO, but none of them were exactly the same as mine, nor did they have the right answers, so I'm not sure if this question does in fact qualify as a duplicate.
Thanks
On modern Android devices using apps developed for target API Level 24 (Android 7) or higher sniffing traffic is not that simple anymore. The target API level of an app is defined it's AndroidManifest.xml file in the entry <uses-sdk android:targetSdkVersion="??"/>.
The main problem is that if you install the Fiddler root CA certificate in Android it is marked as user certificate (not system certificate). And unless explicitly configured in an app those user certificates are not trusted.
One of those rare apps that respect user CA certificates is Chrome. So using Chrome for testing if the proxy and the installed root CA certificate works is a bad idea, as it may only work in Chrome but not for apps.
Note that some apps further use certificate pinning (leaf or root CA pinning). Therefore even if the Fiddler root CA certificate is installed as system certificate the app won't trust this certificate as it fails on the certificate pinning.
Certificate pinning is also a web site feature, hence some sites save a certificate hash in the web browser cache that pins the site to a certain certificate. In such a case clearing the browser cache is usually removing those pinning data.
Rooted devices
If your device is rooted you can try to install the Fiddler root CA certificate as system certificate. The Mitmproxy documentation contains a how-to for manually installing the mitmproxy certificate.
If you have rooted the phone using Magisk, there is a Magisk module that seems to be able to install user certificates automatically as system certificates: https://github.com/NVISO-BE/MagiskTrustUserCerts
Alternatively you can install Magisk + Edxposed + TrustMeAlready Xposed module. This allows to disable certificate checking system wide - WARNING: this eliminates the security of SSL/TLS against active attacks, for all apps on the phone. Therefore only do this on a device you use just for hacking!
Also possible is installing and run Frida-Server on the device and hook into the app you are interested to modify the SSL/TLS certificate checking at run-time. AFAIK the Frida based framework Objection has some scripts to do so.
Non-rooted device
On a non-rooted device there is only the option to modify the application before you install it onto the device. Note that some apps will detect that they have been modified and will refuse to work.
To let the app trust user certificates you have to modify network_security_config.xml (see e.g. here) included in the app. You can use apktool to decompile/recompile the app. Don't forget to re-sign the recompiled/repackaged app e.g. using apksigner from Android SDK.
There are some tools available that automate the decompiling , modification and signing like apk-mitm.
There is also the possibility to modify an app by including the Frida gadget for Android into the app. This would allow to use Frida for this specific app on a non-rooted device.
I have an app in the markets that was working fine until my root certificate was renewed. Now I don't know how to procede... the certificate was in AWS and if I run the app in my computer, works fine, but in my phone is not working. I sniffed the traffic and the error that I got is "User certificate is untrusted"
Someone had the same problem?
Best!
Try to add Exception Domains to Info.plist
iOS doesn't allow untrusted certificates if you don't add them to Info.plist.
We are having API access issue for Android Signed build.
We are building app through Ionic Framework.
Below are some observations -
-iOS and Android Un-Signed builds are working properly.
-In Browser API's are accessible.
-But for Android Signed build, API's are not accessible in Mobile Network.
Add this: android:usesCleartextTraffic="true" under application tag of your manifest and this should work.
It should look like this:
<application
...
android:usesCleartextTraffic="true"
...>
usesCleartextTraffic which is responsible for http calls is true by default but starting with Android 9 (Pie) Clear Text Traffic is disabled now.
After long research finally i resolved this.
Reason behind https requests fails only while releasing Android build APK is an issue with the SSL certificate when making https requests.if the intermediate certificates are not set up correctly then it would cause the request to fail on Android in release mode.
Below is the issue i found after checking https url in SSL URL checker.
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate
I'm using a package called coroinium cloud and I have recently set up ssl. Coronium cloud is a server package for apps developed with corona SDK. It uses nginx as the server for the package. There is a control panel that you connect to through your browser which loads fine and firefox says the certificate is trusted. However it does not work on the app but instead shows an error saying the certificate is not trusted (CertPathValidatorException on android). I used a tool by digicert to check the ssl configuration:
screenshot of digicert test
There were instructions by the creator of coronium cloud on how to set it up of which all I followed. I got the certificate from startssl.com and used there Nginx certificate. Does anyone know how I can fix this issue as it is holding me back from developing other features as I now can't use any part of my app till this is fixed.
Thank you in advance to anyone who can help me
You should use the certificate chain provided by your Certificate Authority, in the same time than your certificate, and follow the nxinx documentation:
https://nginx.org/en/docs/http/configuring_https_servers.html#chains
cat www.example.com.crt bundle.crt > www.example.com.chained.crt
And in your server block:
ssl_certificate www.example.com.chained.crt;
I have made practice application of react-native in android, I had build it and test on my real device which I had connected to my development pc. But when I copy the build .apk file from project folder and distribute among different devices with bluetooth or usb , I can install it on different devices but it shows problem of host address. Does it need development pc ip address always for running the application or can I bind some specific ip and run in all the devices? Please someone suggest me to deploy the general .apk file of my application. Thanks, in advance.
When you build the apk in debug mode, then react-native communicates with your local server in your system. Only when you generate release build then react-native will run without any local server dependency.
So, If you need to distribute apk then you need to create a release apk. This link will help you to generate release apk.
It sounds like that the problem is not with your application, its a network connection problem.
Are your using your System (Desktop) IP address for connection? or please check whether the IP address is a valid IP address.
Along with that also check in your manifest file whether you've added below permissions :
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />