
I have an app on my Android phone I try to debug, but whenever I enable PcapDroid to send the TLS decrypted requests and responses to my PC, it won't allow any internet access in the app. I get no error messages in mitmproxy.

The only output is:

info: 192.168.xx.xxx:33396: client disconnect
info: 192.168.xx.xxx:43544: server disconnect xxx.xxx.xxx.xxx:443

and once in a while this is seen in the logs:

warn: 192.168.xx.xxx:43544: Client TLS handshake failed. The client may not trust the proxy's certificate for api.example.com (OpenSSL Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')]))

This is the only request that is reporting its failed TLS handshake. I know this request is something unimportant, so I wonder why none of the other more important requests are reporting anything.

Other apps are sending data fine.

Why is this app not allowing any internet connection? I have patched it with apk-mitm, as I do with all my other apps, to allow for inspection.

riwejak558
    I'm not an Android expert but is it possible the app enforces certificate pinning in the code rather than in the network security configuration settings? – President James K. Polk Dec 07 '21 at 17:01
  • @PresidentJamesK.Polk That might be possible, however I'm no expert either, so no idea how to check that. – riwejak558 Dec 07 '21 at 17:24
  • On non-rooted recent Android devices it is not possible to install a custom root CA certificate that regular apps trust (only web browsers like Chrome accept it). – Robert Dec 07 '21 at 19:16
  • @Robert My phone is old and is using Android version 8.0.0. This app is one of two that is unable to accept my custom certificate. All my other apps are accepting it with no problems – riwejak558 Dec 07 '21 at 19:48
  • @riwejak558 Unfortunately Android 8 is not old enough. The first version where new apps do not trust user installed certificates is Android 7 https://stackoverflow.com/questions/62730978/some-androids-apps-wont-connect-through-fiddler – Robert Dec 07 '21 at 20:05
  • @Robert I am using apk-mitm which does something to how an app deals with certificates. I am pretty sure this program deals with the things introduced in Android 7, and is why most of my apps patched with this program accepts the certificate. – riwejak558 Dec 07 '21 at 20:20
  • @Robert You say that only on non-rooted devices it's not possible. Is it possible to do on the official Android Studio Emulator, since you have root on these? – riwejak558 Dec 07 '21 at 20:29
  • I know that you can root the emulator images available via Android Studio Emulator, but I am not aware that they come pre-rooted. Only third party emulators like Genymotion come pre-rooted. But yes, if the app runs on an emulator and the emulator is rooted you can install mitmproxy cert as system root CA. Mitmproxy has a manual to do so https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/ – Robert Dec 07 '21 at 21:57
  • @Robert So if I use GenyMotion and add mitmproxy's global certificate, set a proxy to mitmproxy, I would be able to see their traffic in mitmproxy? – riwejak558 Dec 08 '21 at 18:51
  • If the app supports execution in x86 and allows execution in an emulator (some apps don't allow execution in an emulator). And of course the app should not use certificate pinning. Otherwise you would have to use e.g. Frida+Objection to bypass that restriction. – Robert Dec 08 '21 at 19:36
  • @Robert Thank you, I will look in to it tomorrow. – riwejak558 Dec 08 '21 at 19:59

1 Answer


Many apps enforce certificate pinning: they come with an internal list of certificates that they trust, and they do not trust any other certificates (including certificates from the phone's certificate store). In this case, it is usually not possible to MITM their traffic with mitmproxy, because the app will reject the MITM certificate.

You have a few options:

  • Use --ignore-hosts or --allow-hosts to selectively ignore the host that the app is attempting to connect to. In this case, mitmproxy will directly pass through the connection without attempting to MITM it, and the connection will succeed. You can do this if you're not interested in those requests and just want the app to work.
  • Unpack the app, locate its internal certificate store, and modify it to add your MITM CA cert. This will vary by app; some have simple bks files that you can just edit, some may have the stores packed inside a native library or Java class.
  • Use a dynamic instrumentation tool like Frida to intercept the HTTPS communication or bypass certificate pinning. For example, I wrote this script to log HTTP(S) requests made using OkHttp3, and for instance this script can be used to bypass Java certificate pinning in many Android apps.
nneonneo
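The first option above (let the pinned hosts through untouched so the rest of the app keeps working) can be automated instead of maintaining an `--ignore-hosts` regex by hand. The addon below is an added example written for this page, not code from the question, the answer or the mitmproxy project; it follows the same idea as mitmproxy's own `tls_passthrough` contrib example but is written here from scratch. It learns two failure patterns: a client that aborts the handshake with an alert (the `certificate unknown` line in the question), and the quieter case that is typical of an in-app pin check such as OkHttp's `CertificatePinner`, where the TLS handshake completes, the app compares the certificate, then closes the socket without ever sending a request, which mitmproxy reports only as `client disconnect`. The hook names (`tls_clienthello`, `tls_failed_client`, `tls_established_client`, `request`, `client_disconnected`) and the `data.ignore_connection` flag are real mitmproxy addon API (mitmproxy 7 and later); the class names, the two-strike threshold for silent disconnects, and the host names used when exercising it are assumptions made for the example.

```python
"""
Auto-passthrough addon for mitmproxy (example code, not mitmproxy's own).

Run with:  mitmproxy -s auto_passthrough.py
Hosts that reject the proxy certificate are learned at runtime and the next
connection to them is passed through unmodified (no MITM), so the rest of the
app keeps working while you inspect the hosts that do accept the certificate.
"""
import logging
import re
from typing import Dict, Optional, Set


class PassthroughTracker:
    """Pure-Python bookkeeping, kept separate so the decision logic is testable."""

    def __init__(self, soft_threshold: int = 2) -> None:
        # host -> count of "silent" failures: handshake succeeded, then the
        # client hung up without sending a request (typical of a pin check
        # that runs after the handshake, e.g. OkHttp CertificatePinner).
        self.soft_failures: Dict[str, int] = {}
        self.soft_threshold = soft_threshold  # assumed default: two strikes
        self.passthrough: Set[str] = set()

    def record_failure(self, host: Optional[str], hard: bool) -> bool:
        """Record a failed attempt; return True once host is in passthrough."""
        if not host:
            return False
        if hard:
            # A TLS alert during the handshake is unambiguous: cert rejected.
            self.passthrough.add(host)
        else:
            n = self.soft_failures.get(host, 0) + 1
            self.soft_failures[host] = n
            if n >= self.soft_threshold:
                self.passthrough.add(host)
        return host in self.passthrough

    def should_ignore(self, host: Optional[str]) -> bool:
        return bool(host) and host in self.passthrough

    def ignore_hosts_regex(self, port: int = 443) -> str:
        """Equivalent --ignore-hosts value (mitmproxy matches it against host:port)."""
        hosts = "|".join(re.escape(h) for h in sorted(self.passthrough))
        return rf"^({hosts}):{port}$" if hosts else ""


def _server_host(context) -> Optional[str]:
    """Prefer the SNI the app sent; fall back to the destination address."""
    sni = getattr(getattr(context, "client", None), "sni", None)
    if sni:
        return sni
    addr = getattr(getattr(context, "server", None), "address", None)
    return addr[0] if addr else None


class AutoPassthrough:
    def __init__(self, tracker: Optional[PassthroughTracker] = None) -> None:
        self.tracker = tracker or PassthroughTracker()
        # client connection id -> host, for connections that completed the
        # TLS handshake but have not yet sent an HTTP request
        self.pending: Dict[str, str] = {}

    # mitmproxy hook: ClientHello received, before the proxy answers it
    def tls_clienthello(self, data) -> None:
        host = data.client_hello.sni or _server_host(data.context)
        if self.tracker.should_ignore(host):
            logging.info("not intercepting %s (learned passthrough)", host)
            data.ignore_connection = True  # raw TCP passthrough, no MITM

    # mitmproxy hook: client aborted the handshake (e.g. "certificate unknown")
    def tls_failed_client(self, data) -> None:
        host = _server_host(data.context)
        if self.tracker.record_failure(host, hard=True):
            logging.warning("%s rejected the proxy cert; passing it through from now on", host)

    # mitmproxy hook: handshake with the client completed
    def tls_established_client(self, data) -> None:
        host = _server_host(data.context)
        if host:
            self.pending[data.context.client.id] = host

    # mitmproxy hook: a request arrived, so this connection accepted our cert
    def request(self, flow) -> None:
        self.pending.pop(flow.client_conn.id, None)

    # mitmproxy hook: connection closed; a good handshake followed by no
    # request at all is the signature of an in-app pin check failing
    def client_disconnected(self, client) -> None:
        host = self.pending.pop(client.id, None)
        if host and self.tracker.record_failure(host, hard=False):
            logging.warning("%s keeps hanging up after the handshake; passing it through", host)


addons = [AutoPassthrough()]
```

Once the addon has seen the app run for a minute, `tracker.ignore_hosts_regex()` gives the `--ignore-hosts` value to use on later runs without the addon. Note the trade-off: a host in passthrough is exactly the one whose traffic you cannot see, so the addon tells you *which* endpoints the app pins, not what they carry; for those you are back to the second or third option in the answer.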