App packet capture reports a network exception: how do you get past it?
2022-07-18 21:50:00 【Two black】
Background
When you test an app and want to use a tool such as Fiddler or Charles to capture its traffic and look at the HTTPS request data, you find that most apps report a network exception, show no data, and so on. Take "Shell to find room" as an example:

The request as seen in Fiddler looks like this:

You may start by suspecting the certificate: has the Fiddler/Charles certificate not been imported into the phone? You configure it again and again, then compare with a desktop web browser, where HTTPS capture works without any problem. By this point you may have begun to doubt life.
So, is it a certificate issue?
You are right, it is about certificates, but not in the way you think. The problem is not with the certificate Fiddler installs but with the certificate built into the app: the SSL pinning mechanism.
What is SSL pinning?
First, while an HTTPS connection is being established, the client sends a connection request to the server and the server sends its own certificate (including the public key, the validity period, server information and so on) back to the client. If the client is a browser, it uses its built-in CA certificates to check the server certificate.
So why can Fiddler capture a browser's HTTPS requests? Because users can freely import third-party certificates into the browser's built-in CA certificate set.

With that in mind, let's go back to the app client. By default, an app trusts the set of third-party CA certificates that the user has installed on the system (Android or iOS). Some apps can be captured with Fiddler for exactly this reason: we can add the Fiddler certificate to the system's user CA certificate set, so the app treats the certificate as trusted and sends its requests as usual.

As systems have been updated, Google and Apple have realised that security is becoming more and more important, so SSL pinning was introduced: developers preset certificate-related information in the app and then package it. During HTTPS communication the app can then compare its local certificate with the certificate returned by the server. If they do not match, the cause may be a man-in-the-middle attack (for example a capture tool such as Fiddler/Charles), and the app client can terminate the HTTPS connection.
Under the new system rules, an application trusts only the default preset CA certificates; a certificate installed by a third party (such as the one Fiddler installs) is not trusted:

Solution
The above is the theory. How do you get past the SSL pinning mechanism and capture the app's HTTPS requests?
Option one: use a system below Android 7.0
It has been verified that Android 7.0 and later systems enable the restriction on third-party certificates. On systems below Android 7.0, the Fiddler/Charles certificate can still be installed into the user CA set to capture HTTPS requests.
Option two: install the Fiddler/Charles certificate into the system CA certificate area
This approach requires root permission, and root access is hard to obtain on many new phones, so this method is not recommended.
Option three: decompile the APK and modify the AndroidManifest.xml file
Some APKs are packed (have a shell added) and need to be unpacked first
Then decompile with apktool or a similar tool
In the res/xml directory of the decompiled source, add a network_security_config.xml file with the following contents:

Modify the AndroidManifest.xml file, adding the following to the application tag:
android:networkSecurityConfig="@xml/network_security_config"

This option is better suited to readers who are skilled at decompilation.
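Seen from the app developer's side, Option three relies on the app's Network Security Configuration trusting user-installed CAs. As an added example (not part of the original post), this Python check reads a network_security_config.xml and reports where user CAs are trusted and which domains carry a pin-set. The sample XML, the domain api.example.com, the pin placeholder and the helper name audit_nsc are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trust anchors include src="user", so a CA the user
# installed (for example an intercepting proxy's root) is accepted.
TRUSTS_USER_CA = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample: user CAs only in debuggable builds, plus a pin-set.
# The domain and the pin value are placeholders, not real data.
HARDENED = """<network-security-config>
  <debug-overrides>
    <trust-anchors><certificates src="user" /></trust-anchors>
  </debug-overrides>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set><pin digest="SHA-256">PLACEHOLDER_SPKI_HASH</pin></pin-set>
  </domain-config>
</network-security-config>"""

SCOPES = ("base-config", "domain-config", "debug-overrides")


def audit_nsc(xml_text, target_sdk):
    """Hypothetical helper: summarise the trust decisions in one config."""
    root = ET.fromstring(xml_text)
    report = {"user_ca_release": False, "user_ca_debug": False, "pinned": []}
    for scope in (e for e in root.iter() if e.tag in SCOPES):
        srcs = {c.get("src") for c in scope.findall("trust-anchors/certificates")}
        if "user" in srcs:
            key = "user_ca_debug" if scope.tag == "debug-overrides" else "user_ca_release"
            report[key] = True
        if scope.find("pin-set/pin") is not None:
            report["pinned"] += [d.text.strip() for d in scope.findall("domain")]
    # Platform default when no <base-config> declares trust anchors: apps
    # targeting API 23 or lower also trust user CAs; API 24+ (Android 7.0) do not.
    if root.find("base-config/trust-anchors") is None and target_sdk <= 23:
        report["user_ca_release"] = True
    return report


if __name__ == "__main__":
    for name, xml_text in (("trusts-user", TRUSTS_USER_CA), ("hardened", HARDENED)):
        print(name, audit_nsc(xml_text, target_sdk=30))
```

Run against the configuration unpacked from a release build, a true `user_ca_release` means the build accepts user-installed CAs outside debug builds.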
Option four: VirtualXposed framework + JustTrustMe module (recommended)
About VirtualXposed:
Use Xposed with a simple APP, without needing to root, unlock the bootloader, or flash a system image
Simply put, VirtualXposed can modify an app's behaviour without the device being rooted. It works much like an app-cloning application: the app is installed into an isolated virtual environment that contains an activated Xposed.
About JustTrustMe:
An xposed module that disables SSL certificate checking for the purposes of auditing an app with cert pinning
JustTrustMe is an open-source project on GitHub. It is an Xposed module used to disable SSL certificate validation.
Procedure:
- Install VirtualXposed on a real device, tap the apps button -> Add application, and install the app to be debugged and JustTrustMe.apk

- Open Xposed, select the navigation bar at the upper left -> Modules, and tick JustTrustMe

- Restart the VirtualXposed application, open "Shell to find room" and capture with Fiddler; the app's requests now succeed and the HTTPS requests are captured

