android - Android emulator is not able to trust Charles proxy certificate

问题描述

I'm following this tutorial to monitor the https traffic on an Android version 7 emulator.

One thing I found strange is that the certificate I download from chls.pro/ssl is different from the certificate I encountered when visiting a website through Charles proxy.

Here's the certificate I got from chls.pro/ssl

This certificate can be viewed from Setting -> Security -> Trusted credentials -> USER tab.

And here's the certificate I found when visiting any websites though Charles proxy:

As you can see from the pictures, their fingerprints are different.

This makes my Android emulator not able to trust the certificate when visiting a website through Charles proxy.

Why are the certificates different?

How can I view the https traffic on the Android emulator?

I'm using the latest Charles proxy, which is version 4.5.6.

============================= Edit ==================================

The security warning is caused by the browser on the emulator.

I originally used "Browser" version 7.1.2 to visit a website.

After I replace it with Chrome, the security warning no longer appears. And I'm able to view the https traffic between Chrome and the website.

But I still can't view the https traffic between the Android app and the server.

Here's the error message:

And here's my network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors> 
            <!-- Trust user added CAs -->
            <certificates src="user" overridePins="true" />
        </trust-anchors> 
    </base-config>
</network-security-config>

============================= Edit ==================================

The apk file of the Android app is downloaded from google play.

Here's what I've done with the apk file

1. Get the apk file with Apk Extractor.

2. Use apktool d ${APK_FILE}.apk to extract the file.

3. Modify its network_security_config.xml and AndroidManifest.xml

4. Run apktool b ${APK_FILE} to restore the extracted files back to an apk file.

5. Run apksigner sign -ks my-key.keystore ${APK_FILE}/dist/${APK_FILE}.apk to sign the apk file.

6. Put the apk file to the Android emulator and install it.

I'm not sure if the above steps would cause the app not able to trust Charles certificate.

This is the original network_security_config.xml before I modify it.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">appapi.appname.com</domain>
    </domain-config>
</network-security-config>

标签： androidsslssl-certificatecharles-proxyman-in-the-middle