App packet capture shows a network error: how to fix it?

Background

When you test an app and want to use Fiddler, Charles or a similar proxy to capture its traffic and inspect the HTTPS requests, you will find that most apps respond with a network error, empty data or a similar message. Take “Shell Housing Search” as an example (screenshot of the app's error screen not reproduced here).

The request as seen in Fiddler (screenshot not reproduced here).

You will probably start by suspecting the certificate: has the Fiddler/Charles root certificate not been installed on the phone? After configuring it again and again, you compare with HTTPS traffic from the phone's browser and find that it is intercepted without any problem. At this point you may be at a loss.

So is it a certificate problem?

Yes, it is a certificate problem, but not the one you had in mind. The problem is not Fiddler's own root certificate; it is the set of certificates the app itself is willing to trust: the SSL Pinning mechanism (also called certificate binding) and, even more commonly, the app's refusal to trust user-installed CAs at all. Both are covered below.

What is SSL Pinning?

First, how a normal HTTPS connection is established. When the browser connects to the server, the server sends back its certificate chain (the certificate carries the server's name, its validity period, the issuing CA and so on). The browser checks that the chain leads to a CA certificate in its local root store, that the certificate is within its validity period and that the name in it matches the host being contacted; if any of these checks fail, a warning is shown. Once the certificate is accepted, the two sides complete the handshake and start exchanging encrypted application data.

So why can Fiddler capture the browser's HTTPS requests?

Because Fiddler acts as a man in the middle. Towards the browser it impersonates the HTTPS server: it generates a certificate for the requested host on the fly, signed by its own root CA, and because you imported that root CA into the browser's (or system's) trust store, the browser accepts the impersonated certificate. Towards the real server Fiddler behaves like an ordinary client, so it can decrypt and re-encrypt everything that passes through.

With that in mind, back to the app. On older Android versions an app by default also trusts CA certificates that the user installed on the device, and on iOS a user-installed profile is trusted once the user has additionally enabled it under Certificate Trust Settings. This is why some apps can be intercepted by Fiddler at all: we add Fiddler's root certificate to the user CA store, the app regards Fiddler's generated certificates as valid, and it sends its requests without complaint.

But as the platforms evolved, Google and Apple treated this as a security risk and tightened the rules. Android 7.0 (API level 24) introduced the Network Security Configuration, and with it a new default: an app that targets API level 24 or higher trusts only the CA certificates preinstalled in the system store, plus any certificates the developer bundles with the app. A CA installed by the user (such as Fiddler's or Charles's root) is no longer trusted unless the app opts back in through its configuration.

Independently of that default, a developer can use SSL pinning: the expected certificate (or public key) information is embedded in the app before it is packaged, and during the HTTPS handshake the app compares the certificate presented by the server against it locally. Any mismatch is treated as a possible man-in-the-middle attack (which is exactly what Fiddler or Charles are), and the app aborts the connection. Pinning can be declared in the same Network Security Configuration (a <pin-set>) or implemented in code, for example with OkHttp's CertificatePinner or a custom TrustManager.

Solution

That was the theory. How do we get past these checks and capture the app's HTTPS requests?

Option 1: Use a system below Android 7.0

On Android 7.0 and above, the restriction on user-installed certificates is in effect for apps that target API level 24 or higher (an app that still targets an older API level keeps trusting user CAs even on a new system). On a device running a version below 7.0, you can still install the Fiddler/Charles certificate as a user CA and capture HTTPS requests. This only gets around the default trust policy; an app that really pins its certificate fails just the same.

Option 2: Install the Fiddler/Charles certificate into the system's preinstalled CA store

The system store (/system/etc/security/cacerts on Android) is only writable with root, and root is hard to obtain on many newer phones, so this is not recommended for real devices. It is practical on an emulator with a writable system image, where the certificate is copied in as a file named <subject_hash_old>.0 (the hash comes from openssl x509 -subject_hash_old). Again, this defeats only the default trust policy, not pinning.

Option 3: Decompile the APK and modify the AndroidManifest.xml file

  • Some APKs are protected by a packer and must be unpacked first.
  • Then decompile with a tool such as apktool.
  • Add a network_security_config.xml file in the res/xml directory of the decoded sources with the following content (if the app already declares its own configuration file, edit that one instead):
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
          <!-- Trust system preset CA certificate -->
          <certificates src="system" />
          <!-- Trust the CA certificate added by the user, the certificates installed by Charles and Fiddler packet capture tools fall into this category -->
          <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
  • Modify the AndroidManifest.xml file and add android:networkSecurityConfig="@xml/network_security_config" to the application tag:
<?xml version="1.0" encoding="utf-8"?>
<manifest...>
    <application android:networkSecurityConfig="@xml/network_security_config"
                    ... >
        ...
    </application>
</manifest>

This option suits readers who are comfortable with decompilation. Note that the rebuilt APK has to be re-signed with your own key before it can be installed, so an app that checks its own signing certificate at runtime will notice the change, and an app that pins in code rather than through the configuration file is not affected by this edit at all.
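The following script automates Option 3 end to end. It is an added example, not code from the original post: it writes the permissive configuration shown above into the decoded APK, patches the manifest (or overwrites the configuration file the app already references, which also discards any <pin-set> declared there), verifies the result, then rebuilds and signs. The tool names apktool, keytool and apksigner are assumed to be on PATH when it is run against a real APK; the keystore name debug.jks, its password and the alias debugkey are assumptions chosen for this example. The file-editing helpers work on any decoded directory, so they can be tried without the tools.

```shell
#!/bin/sh
# Added example (not from the original post): automate "Option 3".
# Assumed tooling when run against a real APK: apktool, keytool, apksigner.

# The permissive configuration from the post: trust system CAs plus the
# user-installed CAs (the store Fiddler's/Charles's root certificate lands in).
NSC_XML='<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>'

# nsc_name DIR: print the name of the config the manifest already references
# ("nsc" for android:networkSecurityConfig="@xml/nsc"), or nothing at all.
nsc_name() {
    sed -n 's|.*android:networkSecurityConfig="@xml/\([^"]*\)".*|\1|p' \
        "$1/AndroidManifest.xml" | head -n 1
}

# write_nsc DIR NAME: write the permissive config to res/xml/NAME.xml.
# Overwriting an existing file also removes any <pin-set> it declared.
write_nsc() {
    mkdir -p "$1/res/xml"
    printf '%s\n' "$NSC_XML" > "$1/res/xml/$2.xml"
}

# add_manifest_attr MANIFEST: insert the attribute into the <application> tag.
# A temp file is used instead of sed -i, whose syntax differs between GNU and BSD sed.
add_manifest_attr() {
    sed 's|<application|<application android:networkSecurityConfig="@xml/network_security_config"|' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# patch_apk_dir DIR: apply the change to a directory produced by `apktool d`.
# Prints "replaced:NAME" when the app already had a config (that file is
# overwritten) or "patched:network_security_config" when the attribute was added.
patch_apk_dir() {
    existing=$(nsc_name "$1")
    if [ -n "$existing" ]; then
        write_nsc "$1" "$existing"
        echo "replaced:$existing"
    else
        add_manifest_attr "$1/AndroidManifest.xml"
        write_nsc "$1" "network_security_config"
        echo "patched:network_security_config"
    fi
}

# verify_patch DIR: succeed only if the manifest points at a config file that
# trusts user CAs; this is the check to run before bothering to rebuild.
verify_patch() {
    name=$(nsc_name "$1")
    [ -n "$name" ] && grep -q '<certificates src="user" />' "$1/res/xml/$name.xml"
}

# main APK: decode, patch, rebuild and sign with a throwaway key (Android refuses
# to install an unsigned APK). Keystore name, password and alias are assumptions.
main() {
    apk="$1"; work="${apk%.apk}-nsc"
    apktool d -f -o "$work" "$apk"
    patch_apk_dir "$work"
    verify_patch "$work" || { echo "patch failed" >&2; exit 1; }
    apktool b -o "$work-unsigned.apk" "$work"
    [ -f debug.jks ] || keytool -genkeypair -keystore debug.jks -storepass android \
        -keypass android -alias debugkey -keyalg RSA -keysize 2048 -validity 10000 \
        -dname "CN=Debug"
    apksigner sign --ks debug.jks --ks-pass pass:android --ks-key-alias debugkey \
        --out "$work-signed.apk" "$work-unsigned.apk"
    echo "install with: adb install $work-signed.apk"
}

# Only run the full pipeline when an APK path is given, so the file can be sourced.
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Usage: `sh nsc_patch.sh target.apk`, then `adb install target-nsc-signed.apk`. Because the app is re-signed with a different key, the existing installation must be uninstalled first, and any in-app signature check will now fail; that, and pinning done in code, are the cases where Option 4 is needed instead.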

Option 4: VirtualXposed framework + JustTrustMe module (recommended)

Introduction to VirtualXposed:

Use Xposed with a simple APP, without needing to root, unlock the bootloader, or flash a system image

Official download page: https://vxposed.com/
In short, VirtualXposed lets you modify an app's behaviour without rooting the device. It works much like an app-cloning function: the target app is installed into an isolated virtual environment that has an activated Xposed framework inside it.

JustTrustMe introduction:

An xposed module that disables SSL certificate checking for the purposes of auditing an app with cert pinning

JustTrustMe is an open-source Xposed module on GitHub that disables SSL certificate verification. It works by hooking the certificate checks of common networking libraries (Apache HttpClient, OkHttp, WebView, TrustManagerImpl and others), so an app that uses a library it does not know about, or its own TrustManager, can still refuse the connection.
https://github.com/Fuzion24/JustTrustMe

Operation process:
  • Install VirtualXposed on the real device, tap Apps -> Add App, and install both the app to be debugged and JustTrustMe.apk into it.
  • Open the Xposed Installer inside VirtualXposed, open the navigation drawer in the upper left -> Modules, and tick JustTrustMe.
  • Restart VirtualXposed, open Shell Housing Search inside it, and capture the traffic with Fiddler. The app's requests now succeed and the HTTPS requests are visible in Fiddler.
syntaxbug.com © 2021 All Rights Reserved.