How to make charles proxy work with nougat 7 android?

Android 7 has made some changes to the way certificates are handled ( http://android-developers.blogspot.com/2016/07/changes-to-trusted-certificate.html ), and somehow I can no longer work with my proxy server Charles.

My network_security_config.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

I am working in debug mode. But no matter what, I get javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Needless to say, I installed the pfx certificate from Settings -> Security -> Install from storage. The certificate is displayed in User Credentials, but not in Trusted credentials -> User. On my device with Lollipop, certificates are listed there.

I am using okhttp3 as an HTTP library.

Any idea what I'm doing wrong?

+64
android android-7.0-nougat ssl
Aug 29 '16 at 21:06
4 answers

Based on the troubleshooting in the comments with the OP, the answer is to install only the proxy's CA certificate as trusted, not its certificate + private key.

The problem was caused by two factors:

  • Installing not only the MiTM proxy's CA certificate, but also its private key (which allows VPN applications on the device to decrypt / MiTM network traffic from other applications). You do not need the MiTM proxy's private key on the device.

  • Android Nougat changes the behavior of the Settings -> Security -> Install from storage flow for files that contain a private key in addition to the certificate(s). This change in behavior exposes the above problem.

Prior to Nougat, the Settings -> Security -> Install from storage flow for files containing a private key in addition to certificates mistakenly installed the certificates as trusted for server authentication (for example, HTTPS, TLS; this is what made your MiTM succeed), in addition to correctly installing them as client credentials used to authenticate this Android device to servers. In Nougat, the bug has been fixed, and these certificates are no longer installed as trusted for server authentication. This prevents client authentication credentials from affecting (the security of) connections to servers. In your scenario, this prevents your MiTM from succeeding.

What complicates the situation is that Settings -> Security -> Install from storage does not explicitly let the user indicate whether they are installing client authentication credentials (private key + certificate chain) or server authentication trust (CA certificate only, no private key needed). As a result, the Settings -> Security -> Install from storage flow guesses whether it is dealing with client/user authentication credentials or server authentication trust anchors, assuming that if a private key is present, it must be client/user credentials. In your case, it incorrectly assumed that you were installing credentials for client/user authentication, and not a server authentication trust anchor.

P.S. With regard to the network security configuration, you should probably configure your application to also trust the "system" trust anchors in debug mode (debug-overrides section). Otherwise, debug builds of the application will not work when connections are not MiTM'd by a proxy server whose CA certificate is installed as trusted on the Android device.

+19
Aug 30 '16 at 1:31

The solution is not to use the .p12; just go with Chrome (with the proxy configured on Wi-Fi) to http://charlesproxy.com/getssl and install the downloaded .pem file.

I had the same problem on my Nexus 5X running Android 7.0. The .p12 was previously exported from Charles 3.11.5 (Help -> SSL Proxying -> Export Charles Root Certificate and Private Key). When I tried to install the .p12 from the phone (Settings -> Security -> Install from storage), it appeared only in the "User credentials" section and never in "Trusted credentials", and, of course, SSL with the Charles proxy did not work.

The general "how-to" for Android 7.0 is as follows:

  • Set up WiFi + proxy (as Charles requires). Enable it.
  • On the device, go from Chrome to http://charlesproxy.com/getssl, accept the request to download the .pem, then click "open"; it launches the "Certificate installer". Use it to install the certificate for "VPN and apps".
  • Put the android:networkSecurityConfig="@xml/network_security_config" attribute on the <application> element in Manifest.xml.
  • Create res/xml/network_security_config.xml with the content from the first post (it is absolutely correct).
  • Launch Charles and the app and have fun.

P.S. Check the date/time on the device; it should be correct.

+78
Aug 30 '16 at 12:43
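As an added example (not code from either answer above), here is the res/xml/network_security_config.xml that the first answer's P.S. recommends and the step list above refers to, together with the manifest attribute from the step list. The package name is a placeholder; the rest uses only the elements shown in the question.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml -->
<network-security-config>
    <!-- Release builds: trust only the system CA store. A user-installed CA
         such as a proxy's root certificate is NOT trusted here, so release
         builds cannot be intercepted by an installed proxy CA. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Debug builds only (android:debuggable="true"): trust user-installed
         CAs as well. Keeping "system" listed here, as the first answer's
         P.S. advises, ensures that connections which are not intercepted by
         the proxy still validate against the normal system CAs. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The matching AndroidManifest.xml fragment (package name is a placeholder) points the app at that file:

```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <application
        android:networkSecurityConfig="@xml/network_security_config">
    </application>
</manifest>
```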

I wrote a script that injects the necessary exceptions into an apk and allows Charles Proxy to be used with the application.

It is on GitHub: https://github.com/levyitay/AddSecurityExceptionAndroid

+17
Dec 03 '16 at 6:17

I'm on Android 7.1.1; here is how I set it up on my device (OnePlus One), without changing the manifest (my application targets API 21):

In Charles Proxy:

  • Help > SSL Proxying > Install Charles Root Certificate on a Mobile Device or Remote Browser. At this point, you will receive the proxy IP and port number, as well as a link to where you should download the SSL proxy certificate.

On your phone:

  1. Wifi Settings > Modify Network > Advanced Options. Set the proxy to Manual and enter the IP and port number that you received from Charles in Proxy hostname and Proxy port respectively.

  2. (OPTIONAL) You may or may not be able to access the chls.pro/ssl link provided by Charles earlier. On my device, I was always told that I did not have a network connection. I added charlesproxy.com to the Bypass proxy for field.

  3. In your browser, follow the link in step 3 and download the necessary certificate (if it does not work in Chrome, download the Dolphin browser). You can give your certificate any name.

Back to Charles Proxy:

  1. You should receive a prompt to either Allow or Deny your phone's use of the proxy server, if your default settings are set to prompt for remote connections.

Now you can use Charles on Nougat 7.1.1.

0
Apr 28 '17 at 14:35