android - Android emulator is not able to trust Charles proxy certificate
问题描述
I'm following this tutorial to monitor the https traffic on an Android version 7 emulator.
One thing I found strange is that the certificate I download from chls.pro/ssl
is different from the certificate I encountered when visiting a website through Charles proxy.
Here's the certificate I got from chls.pro/ssl
This certificate can be viewed from Setting -> Security -> Trusted credentials -> USER tab.
And here's the certificate I found when visiting any websites though Charles proxy:
As you can see from the pictures, their fingerprints are different.
This makes my Android emulator not able to trust the certificate when visiting a website through Charles proxy.
Why are the certificates different?
How can I view the https traffic on the Android emulator?
I'm using the latest Charles proxy, which is version 4.5.6.
============================= Edit ==================================
The security warning is caused by the browser on the emulator.
I originally used "Browser" version 7.1.2 to visit a website.
After I replace it with Chrome, the security warning no longer appears. And I'm able to view the https traffic between Chrome and the website.
But I still can't view the https traffic between the Android app and the server.
Here's the error message:
And here's my network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config>
<trust-anchors>
<!-- Trust user added CAs -->
<certificates src="user" overridePins="true" />
</trust-anchors>
</base-config>
</network-security-config>
============================= Edit ==================================
The apk file of the Android app is downloaded from google play.
Here's what I've done with the apk file
Get the apk file with Apk Extractor.
Use
apktool d ${APK_FILE}.apk
to extract the file.Modify its
network_security_config.xml
andAndroidManifest.xml
Run
apktool b ${APK_FILE}
to restore the extracted files back to an apk file.Run
apksigner sign -ks my-key.keystore ${APK_FILE}/dist/${APK_FILE}.apk
to sign the apk file.Put the apk file to the Android emulator and install it.
I'm not sure if the above steps would cause the app not able to trust Charles certificate.
This is the original network_security_config.xml
before I modify it.
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true" />
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">appapi.appname.com</domain>
</domain-config>
</network-security-config>
解决方案
为什么证书不一样?
显示的第一个证书是 Charles 的“证书颁发机构”(CA) 证书。它是自签名的(请注意“颁发者”详细信息与证书详细信息如何相同),并且不适用于特定域。
第二个证书是网站证书,由 Charles 的 CA 证书颁发并签名,其主题为单个特定域(未显示),可用于验证与该特定域的连接。
证书信任的工作方式是您信任一组 CA 证书,并且每当您收到要验证的证书时,您都会查看谁颁发了该证书,并根据您拥有的 CA 来查看您是否信任它们(在某些情况下)情况下,信任链中有几个步骤,因此您一直往上走,直到找到您信任的证书,或者您到达根目录并放弃)。
那有意义吗?在实践中,Charles 预先生成了一个您需要信任的 CA,然后它会根据需要为每个需要一个的单独域生成新证书并使用其 CA 对其进行签名,然后您应该信任这些证书,因为您信任 Charles。
如何在 Android 模拟器上查看 https 流量?
显示的证书不是您问题的原因,因此很难提供更多详细信息。查尔斯需要一些手动配置。你能添加更多关于你所做的事情以及你看到的错误的信息吗?
如果您不是特别喜欢 Charles,HTTP Toolkit作为替代方法可能会有所帮助。这是我一直在研究的一个开源工具,因为 Charles 像这样设置会很痛苦。它做的所有事情都是一样的,但是证书设置是完全自动化的,所以你不会遇到这个问题。
推荐阅读
- javascript - React Native - 如何有效地在视图之间切换?
- python - 寻找更好的方法来让会计年度脱离python中的时间戳
- class - Java - 在不使它们成为静态的情况下访问类的其他方法的最简单方法是什么?
- javascript - 使用 ngx-smart-modal 将参数从 html 传递到组件
- scala - Scala 外部属性,例如 Config-server
- ios - swift 5 autoresizingMask 根本不工作
- cytoscape.js - 有没有办法在 cytoscape.js 中随时显示覆盖?
- visual-studio-code - 如何在 VS Code 中配置 terraform 代码的对齐和缩进?
- python - IndexError:列表索引超出范围
- java - Recursive Binary Search for Integers