Android emulator is not able to trust Charles proxy certificate

I'm following this tutorial to monitor the https traffic on an Android version 7 emulator.

One thing I found strange is that the certificate I download from chls.pro/ssl is different from the certificate I encountered when visiting a website through Charles proxy.

Here's the certificate I got from chls.pro/ssl:

[image]

This certificate can be viewed from Setting -> Security -> Trusted credentials -> USER tab.

And here's the certificate I found when visiting any websites through Charles proxy:

[image]

As you can see from the pictures, their fingerprints are different.

This makes my Android emulator not able to trust the certificate when visiting a website through Charles proxy.

[image]

Why are the certificates different?

How can I view the https traffic on the Android emulator?

I'm using the latest Charles proxy, which is version 4.5.6.

============================= Edit =============================

The security warning is caused by the browser on the emulator.

I originally used "Browser" version 7.1.2 to visit a website.

[image]

After I replaced it with Chrome, the security warning no longer appears. And I'm able to view the https traffic between Chrome and the website.

But I still can't view the https traffic between the Android app and the server.

Here's the error message:

[image]

And here's my network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors> 
            <!-- Trust user added CAs -->
            <certificates src="user" overridePins="true" />
        </trust-anchors> 
    </base-config>
</network-security-config>

============================= Edit =============================

The apk file of the Android app is downloaded from Google Play.

Here's what I've done with the apk file:

  1. Get the apk file with Apk Extractor.

  2. Use apktool d ${APK_FILE}.apk to extract the file.

  3. Modify its network_security_config.xml and AndroidManifest.xml.

  4. Run apktool b ${APK_FILE} to restore the extracted files back to an apk file.

  5. Run apksigner sign -ks my-key.keystore ${APK_FILE}/dist/${APK_FILE}.apk to sign the apk file.

  6. Put the apk file on the Android emulator and install it.

I'm not sure if the above steps would cause the app to not be able to trust the Charles certificate.

This is the original network_security_config.xml before I modified it:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">appapi.appname.com</domain>
    </domain-config>
</network-security-config>

Why are the certificates different?

The first certificate shown there is Charles's 'certificate authority' (CA) certificate. It's self-signed (note how the 'Issued By' details are the same as the certificate's details), and doesn't apply to a specific domain.

The second certificate is a certificate for a website, issued by & signed by Charles's CA certificate, with a single specific domain as its subject (not shown), and which can be used to verify a connection to that specific domain.

The way that certificate trust works is that you trust a set of CA certificates, and whenever you receive a certificate you want to verify, you look at who issued that certificate, and see if you trust them based on the CAs you have (in some cases there are a few steps in the chain of trust, so you walk up it until you either find a certificate you trust or you get to the root and give up).

Does that make sense? In practice, Charles has generated one CA up front, which you need to trust, and then it generates new certificates on demand for each individual domain that needs one and signs them with its CA, and then you should trust those because you trust Charles.

How can I view the https traffic on the Android emulator?

The certificates shown aren't the cause of your problem, so it's hard to give any more details. There's some manual configuration required for Charles. Can you add any more information about what you've done, and the errors you're seeing?

If you're not wedded to Charles specifically, HTTP Toolkit might be helpful as an alternative approach. It's an open-source tool I've been working on, because Charles can be painful to set up like this. It does all the same things, but the certificate setup is totally automated so you won't hit this problem.
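The CA-versus-site-certificate relationship described in the answer above can be reproduced locally with openssl. This is an added example, not part of the original post and not Charles's own code or keys; the names `Example Proxy CA`, `Unrelated CA` and `app.example.test` are constructed, and the helper functions are hypothetical.

```shell
# Added example: throwaway keys standing in for an intercepting proxy's CA.
# All subject names and hostnames below are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

# make_ca NAME CN: one self-signed CA certificate, created once up front.
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA HOST: per-domain certificate generated on demand, signed by CA.
issue_leaf() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    printf 'subjectAltName = DNS:%s\n' "$2" > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
subject()     { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
issuer()      { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }
# trusts CA_PEM LEAF_PEM HOST: succeeds only if LEAF chains to CA and names HOST.
trusts() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

make_ca proxy "Example Proxy CA"      # the CA a user installs on the device
make_ca other "Unrelated CA"          # a trust store that lacks the proxy CA
issue_leaf proxy app.example.test     # what the client sees on the wire

echo "CA   fingerprint: $(fingerprint "$WORK/proxy.pem")"
echo "leaf fingerprint: $(fingerprint "$WORK/app.example.test.pem")"
trusts "$WORK/proxy.pem" "$WORK/app.example.test.pem" app.example.test \
    && echo "trusting the proxy CA: leaf accepted"
trusts "$WORK/other.pem" "$WORK/app.example.test.pem" app.example.test \
    || echo "without the proxy CA:  leaf rejected"
```

The two fingerprints always differ because they belong to different certificates; what the client checks is whether the leaf's issuer chain ends at a CA in its own trust store.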
