Some androids apps won’t connect through fiddler

by

On modern Android devices using apps developed for target API Level 24 (Android 7) or higher sniffing traffic is not that simple anymore. The target API level of an app is defined it’s AndroidManifest.xml file in the entry <uses-sdk android:targetSdkVersion="??"/>.

The main problem is that if you install the Fiddler root CA certificate in Android it is marked as user certificate (not system certificate). And unless explicitly configured in an app those user certificates are not trusted.

One of those rare apps that respect user CA certificates is Chrome. So using Chrome for testing if the proxy and the installed root CA certificate works is a bad idea, as it may only work in Chrome but not for apps.

Note that some apps further use certificate pinning (leaf or root CA pinning). Therefore even if the Fiddler root CA certificate is installed as system certificate the app won’t trust this certificate as it fails on the certificate pinning.

Certificate pinning is also a web site feature, hence some sites save a certificate hash in the web browser cache that pins the site to a certain certificate. In such a case clearing the browser cache is usually removing those pinning data.

Rooted devices

If your device is rooted you can try to install the Fiddler root CA certificate as system certificate. The Mitmproxy documentation contains a how-to for manually installing the mitmproxy certificate.

If you have rooted the phone using Magisk, there is a Magisk module that seems to be able to install user certificates automatically as system certificates: https://github.com/NVISO-BE/MagiskTrustUserCerts

Alternatively you can install Magisk + Edxposed + TrustMeAlready Xposed module. This allows to disable certificate checking system wide – WARNING: this eliminates the security of SSL/TLS against active attacks, for all apps on the phone. Therefore only do this on a device you use just for hacking!

Also possible is installing and run Frida-Server on the device and hook into the app you are interested to modify the SSL/TLS certificate checking at run-time. AFAIK the Frida based framework Objection has some scripts to do so.

Non-rooted device

On a non-rooted device there is only the option to modify the application before you install it onto the device. Note that some apps will detect that they have been modified and will refuse to work.

To let the app trust user certificates you have to modify network_security_config.xml (see e.g. here) included in the app. You can use apktool to decompile/recompile the app. Don’t forget to re-sign the recompiled/repackaged app e.g. using apksigner from Android SDK.

There are some tools available that automate the decompiling , modification and signing like apk-mitm.

There is also the possibility to modify an app by including the Frida gadget for Android into the app. This would allow to use Frida for this specific app on a non-rooted device.

More Related Contents:

  1. Android 8: Cleartext HTTP traffic not permitted
  2. accepting HTTPS connections with self-signed certificates
  3. Run/install/debug Android applications over Wi-Fi?
  4. Self-signed SSL acceptance on Android
  5. How can I debug javascript on Android?
  6. How to enable TLS 1.2 support in an Android application (running on Android 4.1 JB)
  7. Android WebView not loading an HTTPS URL
  8. Is there a real solution to debug cordova apps [closed]
  9. Android app crashes when launched in debug mode
  10. How to Debug Android application line by line using Eclipse?
  11. Safely fixing: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
  12. What’s wrong with debugging in Eclipse on Android? [duplicate]
  13. Does Android Volley support SSL?
  14. How to detect system information like os or device type
  15. Android: How to track down the origin of a InflateException?
  16. Making a HTTPS request using Android Volley
  17. Not Able To Debug App In Android Studio
  18. Android device is not connected to USB for debugging (Android studio)
  19. Debugging a service
  20. How can I specify location of debug keystore for Android ant debug builds?
  21. What would happen if Android app is released with debuggable on?
  22. Android: Making Https Request
  23. Debugging Android NDK C/C++ code in Eclipse – breakpoints are not hit
  24. Flutter: Execution failed for task ‘:app:compileDebugKotlin’
  25. Android Debugging with Logcat and Emulator. Is it possible?
  26. Debugging using a virtual machine like VMWare/VirtualBox?
  27. How to view SQL database in Eclipse Debug mode for android
  28. javax.net.ssl.sslpeerunverifiedexception no peer certificate
  29. How can I set SignalR in Android Studio to ignore SSL issues for delvelopement
  30. How can I make Android Volley perform HTTPS request, using a certificate self-signed by an Unknown CA?

Leave a Comment