How to get charles proxy work with Android 7 nougat?

android ssl android-7.0-nougat
mbonnin picture mbonnin · Aug 29, 2016 · Viewed 48.5k times · Source

Android 7 introduced some changes to the way certificates are handled (http://android-developers.blogspot.com/2016/07/changes-to-trusted-certificate.html) and somehow I cannot make my Charles proxy work any more.

My network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>

I'm running in debug mode. But no matter what, I get javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found..

Needless to say, I did install a pfx certificate from Settings -> Security -> Install from storage. The certificate shows in User Credentials but not in Trusted credentials -> User. On my lollipop device, the certificates are listed there.

I'm using okhttp3 as HTTP library.

Any idea what I am doing wrong ?

Answer

Alexander Skvortsov picture Alexander Skvortsov · Aug 30, 2016

The solution is do not use .p12, just navigate with Chrome (with configured proxy on wifi) to http://charlesproxy.com/getssl and install downloaded .pem file.

I had exactly the same problem on my Nexus 5X running Android 7.0. There was previously exported .p12 from Charles 3.11.5 (Help->SSL Proxying->Export Charles Root certificate and Private key). When I tried to install .p12 from phone (Settings->Security->Install from storage) it appears only under "User credentials" and never at "Trusted credentials", and of course SSL with Charles proxy did not work.

The total "how-to" for Android 7.0 would be like that:

  1. Configure WiFi + proxy (how Charles requires it). Connect it.
  2. On device, navigate with Chrome to http://charlesproxy.com/getssl, accept request for download .pem, then press "open", it launches "Certificate installer" app. Use it to install the certificate as "VPN and apps".
  3. Put the attribute android:networkSecurityConfig="@xml/network_security_config" to <application> at Manifest.xml
  4. Create res/xml/network_security_config.xml with content from the first post (it is totally correct).
  5. Launch Charles and app and have fun.

P.S. Check date/time on the device. It should be correct.

Related questions

SSLHandshakeException: Handshake failed on Android N/7.0

I'm working on an app for which the (power)users have to set up their own server (i.e. nginx) to run the backend application. The corresponding domain needs to be configured in the app so it can connect. I've …

Read More
list certificate stored in user credentials

In Android 7 Nougat, user installed certificate goes to "User credentials" instead of "Trusted credentials"(which consists of system credential & user credential). I used to access "Trusted credentials" by: KeyStore keystore = KeyStore.getInstance("AndroidCAStore"); through the above code I can …

Read More
How to install trusted CA certificate on Android device?

I have created my own CA certificate and now I want to install it on my Android Froyo device (HTC Desire Z), so that the device trusts my certificate. Android stores CA certificates in its Java keystore in /system/etc/…

Read More