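Preface
Android has quietly reached Android 11, yet after doing app reverse engineering for this long, I only recently noticed that Android changed how apps trust certificates starting with 7.0. As a result, on Android 7.0 and later, HTTPS requests cannot be captured normally after installing the Charles or Fiddler certificate. After some research I found that since Android 7.0 apps by default no longer trust certificates installed by the user and only trust the certificates preinstalled in the system. Here is a brief record of the solutions, for future reference.
Dealing with it
The solutions currently found online fall roughly into two kinds:
1. Add the following to the <application> element in the app's manifest file: android:networkSecurityConfig="@xml/network_security_config"
Then add a file named network_security_config.xml to the res/xml resource directory with the following content: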
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" overridePins="true" />
            <certificates src="user" overridePins="true" />
        </trust-anchors>
    </base-config>
</network-security-config>
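This method requires decompiling the APK and adding this setting. Of course, if you develop the app yourself, that is unnecessary and you can use the setting directly.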
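For an app you develop yourself, this configuration is a debugging aid that should not reach a release build, because it makes the app accept any CA the user installs and ignore certificate pins. The check below is an added example, not code from the original post: it flags those settings in a network_security_config.xml; the function name `audit` and the second, debug-only configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The configuration shown above (copied from the page).
PAGE_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" overridePins="true" />
      <certificates src="user" overridePins="true" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed alternative: user CAs are trusted only in debuggable builds.
DEBUG_ONLY_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""

def audit(xml_text):
    """Return (scope, issue) findings that weaken TLS trust in release builds."""
    findings = []
    root = ET.fromstring(xml_text)
    # <debug-overrides> is skipped: it only applies when android:debuggable="true".
    for scope in root.iter():
        if scope.tag not in ("base-config", "domain-config"):
            continue
        domains = [d.text.strip() for d in scope.findall("domain") if d.text]
        name = scope.tag + ("[" + ",".join(domains) + "]" if domains else "")
        if scope.get("cleartextTrafficPermitted") == "true":
            findings.append((name, "cleartext traffic permitted"))
        for cert in scope.findall("trust-anchors/certificates"):
            src = cert.get("src", "")
            if src == "user":
                findings.append((name, "user-installed CAs trusted"))
            if cert.get("overridePins") == "true":
                findings.append((name, "pins overridden for src=" + src))
    return findings

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("debug-only", DEBUG_ONLY_CONFIG)):
        print(label, audit(cfg) or "no findings")
```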
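2. Add the Charles or Fiddler certificate to the system trusted certificates (requires a rooted phone)
I use Charles as the example here. First export the certificate to the local machine.
Android stores its preinstalled certificates in the following format.
Certificate path:
/system/etc/security/cacerts
File naming format (if the computed hash already exists, increment the number by 1):
<certificate hash>.<number>
Compute the certificate hash:
# certificate in .cer format
openssl x509 -inform DER -subject_hash_old -in <certificate file>.cer
# certificate in .pem format
openssl x509 -inform PEM -subject_hash_old -in <certificate file>.pem
Then write the certificate to a file named after the hash (5d7ca55f.0 in this example):
# .cer format
openssl x509 -inform DER -text -in xxx.cer > 5d7ca55f.0
# .pem format
openssl x509 -inform PEM -text -in xxx.pem > 5d7ca55f.0
Finally, edit the output file and move the part from -----BEGIN CERTIFICATE----- through the end of the file up to the beginning. The result looks like this: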
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1589598213023 (0x1721b6fd39f)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Charles Proxy CA (16 \xE4\xBA\x94\xE6\x9C\x88 2020, MaochuangdeMacBook-Pro.local), OU=https://charlesproxy.com/ssl, O=XK72 Ltd, L=Auckland, ST=Auckland, C=NZ
Validity
Not Before: Jan 1 00:00:00 2000 GMT
Not After : Jul 13 03:03:33 2049 GMT
Subject: CN=Charles Proxy CA (16 \xE4\xBA\x94\xE6\x9C\x88 2020, MaochuangdeMacBook-Pro.local), OU=https://charlesproxy.com/ssl, O=XK72 Ltd, L=Auckland, ST=Auckland, C=NZ
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Netscape Comment:
....This Root certificate was generated by Charles Proxy for SSL Proxying. If this certificate is part of a certificate chain, this means that you're browsing through Charles Proxy with SSL Proxying enabled for this website. Please see http://charlesproxy.com/ssl for more information.
X509v3 Key Usage: critical
Certificate Sign
X509v3 Subject Key Identifier:
48:74:94:CC:7D:FD:54:6E:C7:89:31:05:58:0A:86:F7:F5:C6:6B:41
Signature Algorithm: sha256WithRSAEncryption
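Upload the certificate file 5d7ca55f.0 to /system/etc/security/cacerts on the phone.
Run:
1. adb push 5d7ca55f.0 /sdcard
2. adb shell
3. su
4. mount -o remount,rw /system
# alternative form: mount -o rw,remount /system
5. cp /sdcard/5d7ca55f.0 /system/etc/security/cacerts/
6. chmod 644 /system/etc/security/cacerts/5d7ca55f.0
Then reboot the phone. After that, HTTPS traffic can be captured normally.
You can also find the certificate on the phone under Settings -> Security -> Trusted credentials.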