mitmproxy Client and Server disconnects whenever a specific app tries to use internet connection

I have an app on my Android phone I try to debug, but whenever I enable PcapDroid to send the TLS decrypted requests and responses to my PC, it won't allow any internet access in the app. I get no error messages in mitmproxy.

The only output is:

info: 192.168.xx.xxx:33396: client disconnect
info: 192.168.xx.xxx:43544: server disconnect xxx.xxx.xxx.xxx:443

and once in a while this is seen in the logs:

warn: 192.168.xx.xxx:43544: Client TLS handshake failed. The client may not trust the proxy's certificate for api.example.com (OpenSSL Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')]))

This is the only request that is reporting a failed TLS handshake. I know this request is something unimportant, so I wonder why none of the other, more important requests are reporting anything.

Other apps are sending data fine.

Why is this app not allowing any internet connection? I have patched it with apk-mitm, as I do with all my other apps, to allow for inspection.

Many apps enforce certificate pinning: they come with an internal list of certificates that they trust, and they do not trust any other certificates (including certificates from the phone's certificate store). In this case, it is usually not possible to MITM their traffic with mitmproxy, because the app will reject the MITM certificate.

You have a few options:

  • Use --ignore-hosts or --allow-hosts to selectively ignore the host that the app is attempting to connect to. In this case, mitmproxy will directly pass through the connection without attempting to MITM it, and the connection will succeed. You can do this if you're not interested in those requests and just want the app to work.
  • Unpack the app, locate its internal certificate store, and modify it to add your MITM CA cert. This will vary by app; some have simple bks files that you can just edit, some may have the stores packed inside a native library or Java class.
  • Use a dynamic instrumentation tool like Frida to intercept the HTTPS communication or bypass certificate pinning. For example, I wrote this script to log HTTP(S) requests made using OkHttp3, and for instance this script can be used to bypass Java certificate pinning in many Android apps.
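
The first option above, as an added example that is not part of the original answer: a script that collects the hosts named in "Client TLS handshake failed" warnings and builds one anchored pattern for --ignore-hosts, so those connections are passed through untouched. The sample log lines are constructed in the format shown in the question, and the function names are hypothetical.

```python
import re

# Matches the warning format shown in the question and captures the host name.
FAILED = re.compile(
    r"^warn: \S+: Client TLS handshake failed\. "
    r"The client may not trust the proxy's certificate for (?P<host>\S+) "
)

# Constructed sample log (addresses and hosts are placeholders).
SAMPLE_LOG = """\
info: 192.168.0.10:33396: client disconnect
warn: 192.168.0.10:43544: Client TLS handshake failed. The client may not trust the proxy's certificate for api.example.com (OpenSSL Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')]))
info: 192.168.0.10:43544: server disconnect 203.0.113.7:443
warn: 192.168.0.10:43550: Client TLS handshake failed. The client may not trust the proxy's certificate for cdn.example.net (OpenSSL Error(...))
warn: 192.168.0.10:43552: Client TLS handshake failed. The client may not trust the proxy's certificate for api.example.com (OpenSSL Error(...))
"""


def rejected_hosts(log_text):
    """Return hosts whose clients rejected the proxy certificate, first-seen order."""
    hosts = []
    for line in log_text.splitlines():
        match = FAILED.match(line.strip())
        if match and match.group("host") not in hosts:
            hosts.append(match.group("host"))
    return hosts


def ignore_hosts_pattern(hosts, port=443):
    """Build one regex for --ignore-hosts, which is matched against host:port."""
    if not hosts:
        return None
    # Escape each name so '.' is literal, and anchor both ends so that
    # look-alike or longer host names are not passed through by accident.
    alternatives = "|".join(re.escape(h) for h in sorted(hosts))
    return rf"^({alternatives}):{port}$"


if __name__ == "__main__":
    pattern = ignore_hosts_pattern(rejected_hosts(SAMPLE_LOG))
    print(f"mitmproxy --ignore-hosts '{pattern}'")
```

Only hosts that appear in a warning are collected; a host the app never reaches because an earlier pinned request failed will show up only after the first pattern is applied and the log is checked again.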
