Reputation: 359
Charles Proxy website comments that:
Note that some apps implement SSL certificate pinning which means they specifically validate the root certificate. Because the app is itself verifying the root certificate it will not accept Charles's certificate and will fail the connection. If you have successfully installed the Charles root SSL certificate and can browse SSL websites using SSL Proxying in Safari, but an app fails, then SSL Pinning is probably the issue.
Just to be certain, is it possible to use an HTTP monitor like Charles Proxy (or another monitor) even though a mobile app uses SSL certificate pinning?
Upvotes: 17
Views: 18232
Reputation: 30145
As Steffen said, you might need to patch the app to disable certificate pinning. Most mobile apps don't use it though :) Thus you just need to enable SSL connections with a self-signed certificate. To allow that with an Android application, do the following. First, download apktool. Then unpack the APK file (according to apktool 2.4.1):
java -jar apktool.jar d app.apk
Modify AndroidManifest.xml by adding this attribute to the application element:
android:networkSecurityConfig="@xml/network_security_config"
Create the file res/xml/network_security_config.xml with the following content:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
Generate keys to sign APK:
keytool -genkey -alias keys -keystore keys -keyalg DSA
Build patched APK:
java -jar apktool.jar b app -o app_patched.apk --use-aapt2
Sign APK file:
jarsigner -verbose -keystore keys app_patched.apk keys
If necessary, convert the APK to a JAR for further analysis: d2j-dex2jar.sh app.apk
More information: Network security configuration.
Upvotes: 13
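The patched config above makes every user-installed root CA trusted app-wide, which is exactly the condition a proxy with its own CA needs. An added example (not from this answer, apktool, or Charles): a small Python audit that parses a decoded network_security_config.xml, flags user-CA trust anywhere outside debug-overrides, and lists which domains carry a pin-set. Both configs are constructed samples; api.example.com and the pin values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the patched config from the answer (trusts user CAs app-wide).
PATCHED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample: a hardened config. api.example.com is pinned, and user CAs are
# trusted only under <debug-overrides>, which Android honours solely in debuggable builds.
# The pin values are placeholders, not real SubjectPublicKeyInfo hashes.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""


def audit_nsc(xml_text):
    """Report whether user CAs are trusted in release config and which domains are pinned."""
    root = ET.fromstring(xml_text)
    findings = {"user_ca_in_release": False, "pinned_domains": []}
    for section in root:
        if section.tag == "debug-overrides":
            continue  # ignored unless android:debuggable="true", so not a release risk
        for cert in section.iter("certificates"):
            if cert.get("src") == "user":
                findings["user_ca_in_release"] = True
    for dc in root.iter("domain-config"):
        if dc.find("pin-set") is not None:
            findings["pinned_domains"].extend(d.text.strip() for d in dc.findall("domain"))
    return findings
```

Run it against res/xml/network_security_config.xml from an apktool-decoded build to confirm a release APK never trusts user CAs and that the API hosts you expect are actually pinned.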
Reputation: 123601
Certificate pinning means that the application explicitly wants to get the original certificate. If you do have the original certificate and the associated private key (which usually means that you control the server the application is using) then it is possible to be a man in the middle (i.e. HTTP monitor) even for applications using certificate pinning.
Of course your HTTP monitoring application must support specifying a fixed certificate. It looks to me like Charles Proxy does not support this. But mitmproxy supports providing a fixed certificate for specific domains.
If you don't have access to the expected certificate and the matching key then you cannot give the expected certificate to the application. The only hope is then to somehow disable the pinning in the application itself by somehow hacking the code. Use your favorite search engine and search for "bypass pinning android" or similar to get a variety of non-trivial ways one can try to make the application believe that it got the expected certificate.
Upvotes: 7