Intercepting app https traffic on Android device

Problem description

I'd like to view the https traffic from my app.

I installed Fiddler on my PC and downloaded the certificate to the device and can view https traffic from the browser.

But when I try my app - I get javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

I believe the Fiddler setup is correct, as I can view https traffic from my phone browser.

Any help?

Or other ways of doing the same.

I know from running Java apps on the desktop - you can specify the proxy ip+port to the Java VM - maybe something similar needs to be done on the device.

I was able to set up the emulator for http traffic - but https doesn't work - I installed the Fiddler cert on the emulator also. Using Android 29.

Recommended answer

Installing the certificate into the system trust store on the device that is running Android 6 or newer requires root permissions to work properly in all apps.

Without root permissions you can only install the certificate into the "user" trust store, which is ignored by apps that have a targetSdkVersion set to 23 and higher.

Fortunately, in your case we are talking about your own app, which opens up a door to intercept traffic with Fiddler without root permissions:

In your app you have to provide a Network Security Configuration file.

In that file you have two options:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

Include your Fiddler root CA certificate

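You can include the Fiddler root CA certificate in your app and define that it should be trusted in debug builds (add the Fiddler root CA certificate file as raw resource debug_fiddler_root):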

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_fiddler_root"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
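
An added example, not part of the original answer: a Python check that reports which trust anchors each of the two configurations above grants to every build and which apply only to debuggable builds, since debug-overrides is honoured only when android:debuggable is true. The function names and result keys are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Sample input: the two configurations from the answer, copied verbatim.
TRUST_USER_CAS = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>"""

DEBUG_ONLY_CA = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_fiddler_root"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>"""


def anchors(node):
    """src values of <certificates> directly under node's <trust-anchors>."""
    if node is None:
        return []
    return [c.get("src") for c in node.findall("./trust-anchors/certificates")]


def audit(config_xml):
    """Split trust anchors into those every build gets and debug-only ones."""
    root = ET.fromstring(config_xml)
    # base-config and every (possibly nested) domain-config apply to all builds.
    release = anchors(root.find("base-config"))
    for domain in root.iter("domain-config"):
        release += anchors(domain)
    # debug-overrides is honoured only when android:debuggable is true.
    debug_only = anchors(root.find("debug-overrides"))
    return {
        "release": release,  # empty list: platform defaults apply
        "debug_only": debug_only,
        # True means any CA the device user installs is trusted in release builds.
        "release_trusts_user_cas": "user" in release,
    }


if __name__ == "__main__":
    for name, cfg in (("trust user CAs", TRUST_USER_CAS), ("debug-only CA", DEBUG_ONLY_CA)):
        print(name, audit(cfg))
```

Running the same check over the merged config of a release build in CI shows whether a proxy-friendly setting from the first option has been carried into production.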
