Charles Proxy for Mobile apps that use SSL Pinning


Question

The Charles Proxy website comments that:

Note that some apps implement SSL certificate pinning which means they specifically validate the root certificate. Because the app is itself verifying the root certificate it will not accept Charles's certificate and will fail the connection. If you have successfully installed the Charles root SSL certificate and can browse SSL websites using SSL Proxying in Safari, but an app fails, then SSL Pinning is probably the issue.

Just to be certain, is it possible to use an HTTP monitor like Charles Proxy (or another monitor) even though a mobile app uses SSL certificate pinning?

Answer

As Steffen said, you might need to patch the app to disable certificate pinning. Most mobile apps don't use it though :) Thus you just need to enable SSL connections with a self-signed certificate. To allow that with an Android application, do the following:

  • Download apktool from https://ibotpeaches.github.io/Apktool/
  • Unpack the apk file (according to apktool 2.4.1): java -jar apktool.jar d app.apk
  • Modify AndroidManifest.xml by adding the android:networkSecurityConfig="@xml/network_security_config" attribute to the application element.
  • Create the file /res/xml/network_security_config.xml with the following content:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

  • Build the patched apk: java -jar apktool.jar b app -o app_patched.apk
  • Generate a key to sign the apk: keytool -genkey -alias keys -keystore keys
  • Sign the apk file: jarsigner -verbose -keystore keys app_patched.apk keys
  • If necessary, convert the apk to a jar for further analysis: d2j-dex2jar.sh app.apk
  • More information: https://developer.android.com/training/articles/security-config
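The config in the answer trusts user-installed CAs for every connection, which is exactly what lets a proxy's root certificate through. As an added example that is not part of the answer, the following Python script audits a network_security_config.xml for that and for the absence of pins, the check a developer would want to run on a release build; the host name and pin digest in the pinned sample are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the permissive config from the answer above. It trusts
# user-installed CAs, so a proxy CA added under Settings is accepted by the app.
PERMISSIVE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>"""

# Constructed sample of a release-style config: system CAs only (the default on
# API 24+) plus a pin-set for the API host. Host and digest are placeholders.
PINNED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""


def audit_config(xml_text):
    """Return findings for a network_security_config.xml that a release build
    should not ship with: user CAs trusted anywhere, certificates that override
    pins, a debug-overrides block, or no pin-set at all."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in root:  # base-config, domain-config, debug-overrides
        for cert in section.iter("certificates"):
            if cert.get("src") == "user":
                findings.append(f"{section.tag}: trusts user-installed CAs")
            if cert.get("overridePins") == "true":
                findings.append(f"{section.tag}: overridePins bypasses the pin-set")
        if section.tag == "debug-overrides":
            findings.append("debug-overrides present (only applies if debuggable)")
    if root.find(".//pin-set") is None:
        findings.append("no pin-set: any trusted CA can issue a valid cert")
    return findings


if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE_CONFIG), ("pinned", PINNED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

The same check can be pointed at the res/xml/network_security_config.xml that apktool extracts, which is also how you would notice that a build has been repackaged with the permissive config from this answer.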

