
How to decrypt SSL traffic in an Android app with Java?

I want to monitor all the traffic going through an app or browser; for that purpose I've used ToyShark VPN. It's working well for HTTP traffic, but for HTTPS I can't get the complete URL as it is encrypted. So my question is: how can I decrypt these URLs? I've tried installing an SSL certificate from DigiCertificate and used that key in my network_security_config.xml like this:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>

    <!-- Official Android N API -->
    <!--https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html-->
    <domain-config>
        <domain>baltimore-cybertrust-root.chain-demos.digicert.com</domain>
        <trust-anchors>
            <certificates src="user" />
            <certificates src="system" />
        </trust-anchors>
        <pin-set>
            <!-- Pin for: currency-converter-demo.pdm.approov.io -->
            <pin digest="SHA-256">Fq9XqfZ2sKsSYJWqXrre8iqzERnWRKyVzUuT2/Pyaus=</pin>

            <!-- Backup Pin for: currency-converter-demo.pdm.approov.io -->
            <pin digest="SHA-256">47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=</pin>
        </pin-set>

        <!-- TrustKit Android API -->
        <!-- enforce pinning validation -->
        <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
            <!-- Add a reporting URL for pin validation reports -->
            <report-uri>https://report.pdm.approov.io/pinning-violation/report</report-uri>
        </trustkit-config>
    </domain-config>

</network-security-config>

Now I need to make some code changes for decryption, or what else is required? Apps like Wireshark or Fiddler also decrypt; what method or API do they use? There must be some way to do the same on the client side.

The trick is to run the HTTPS traffic through a TLS Inspection proxy (like Fiddler, mitmproxy, PolarProxy or SSLsplit), from which you will be able to get the decrypted traffic. To do this you'll need to configure the app/browser/phone to trust the root CA certificate of your TLS inspection proxy.
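
As an added example (not part of the original question or answer): whether an app accepts a proxy root installed as a user CA is decided by its network security config, so the script below audits one and reports where user CAs are trusted, whether that reaches release builds, and whether a pin-set would still reject the proxy. The sample config, its domain and its pin are constructed placeholders, and the `audit` function name is hypothetical; nested `domain-config` inheritance is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the question's config; domain and pin are placeholders.
SAMPLE = """<network-security-config>
  <domain-config>
    <domain>app.example.test</domain>
    <trust-anchors>
      <certificates src="user" />
      <certificates src="system" />
    </trust-anchors>
    <pin-set>
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""

def audit(xml_text):
    """Report every section that trusts user-installed CAs (e.g. a proxy root)."""
    findings = []
    for section in ET.fromstring(xml_text).iter():
        if section.tag not in ("base-config", "domain-config", "debug-overrides"):
            continue
        debug_only = section.tag == "debug-overrides"
        # overridePins defaults to "true" only inside <debug-overrides>.
        default = "true" if debug_only else "false"
        pinned = section.find("pin-set") is not None
        for cert in section.findall("trust-anchors/certificates"):
            if cert.get("src") != "user":
                continue
            bypass = cert.get("overridePins", default) == "true"
            findings.append({
                "section": section.tag,
                "domains": [d.text.strip() for d in section.findall("domain")],
                "release_builds_affected": not debug_only,
                "proxy_blocked_by_pins": pinned and not bypass,
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

On the sample, the `domain-config` entry is flagged as trusting user CAs in release builds while its pin-set still rejects a proxy-issued chain; the `debug-overrides` entry applies only to builds with `android:debuggable="true"` and bypasses pins there.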
