4

I have been using Charles for intercepting requests and responses for a long time, but when I tried a Google Pixel targeting Android Oreo, it keeps giving me a handshake exception. I was aware that certain changes have been made in Nougat regarding network security. Any sort of help will be appreciated.

2 Answers

15

If you are facing issues using Charles on a device targeting above 7.0 in Android, follow these steps, as detailed in the Charles Proxy documentation:

  1. Add the following line

    android:networkSecurityConfig="@xml/network_security_config">

    to your manifest file in the application tag.

  2. Create an xml folder with a file named network_security_config and paste the following code in it.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>

Note: Do not commit the above to your branch if you have only a single build flavour.

People having different build flavours (debug/release/other) can use this for the debug version and commit it as well.

Punit Sharma
  • 1
    Why should this create a security issue? You're just allowing user certificates for debug builds which is totally fine during development. For release builds you're just allowing system certificates as per your security config. – ubuntudroid Jun 18 '18 at 15:17
  • 1
    @ubuntudroid You are totally correct when you have different flavours for build. But sometimes people forget to remove this silly code on release builds as well. (My note was for them specifically :D) – Punit Sharma Jun 19 '18 at 16:23
0

The other answer is correct as well, but according to the documentation the base-config xml tag is not needed at all. While this is not explicitly mentioned, their example does not include that tag.

This is the code on the Documentation site for "Configure CAs for debugging":

res/xml/network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_cas"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>

Instead of specifying a specific certificate, we can just allow user-installed certs though, like in the other answer:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>

Carsten Hagemann
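
The note and comments under the first answer turn on one risk: the user CA store being trusted outside `<debug-overrides>`, where it would also apply to release builds. A build-time check for that, as an added example that is not part of either answer (the function name `user_ca_findings` and both sample configs are constructed for illustration):

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs: the first answer's config, and a variant where
# the user store was moved into <base-config> (the mistake the note warns about).
DEBUG_ONLY = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>"""

LEAKS_TO_RELEASE = DEBUG_ONLY.replace(
    '<certificates src="system" />',
    '<certificates src="system" />\n            <certificates src="user" />', 1)


def user_ca_findings(xml_text):
    """Return places where user-installed CAs are trusted outside <debug-overrides>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []

    def walk(node, path):
        for child in node:
            if child.tag == "debug-overrides":
                continue  # only applied when android:debuggable="true"
            here = path + [child.tag]
            if child.tag == "domain-config":
                domains = [d.text.strip() for d in child.findall("domain") if d.text]
                here[-1] += "[" + ",".join(domains) + "]"
            if child.tag == "certificates" and child.get("src") == "user":
                findings.append("/".join(here))
            walk(child, here)

    walk(root, [])
    return findings


if __name__ == "__main__":
    for name, cfg in (("debug-only", DEBUG_ONLY), ("leaky", LEAKS_TO_RELEASE)):
        print(name, user_ca_findings(cfg) or "ok")
```

Run it against `res/xml/network_security_config.xml` in CI and fail the build on a non-empty result; an empty list means a proxy CA installed by the user is trusted only when the app is debuggable.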