Charles Proxy for Mobile apps that use SSL Pinning
Charles Proxy website comments that:
Note that some apps implement SSL certificate pinning which means they specifically validate the root certificate. Because the app is itself verifying the root certificate it will not accept Charles's certificate and will fail the connection. If you have successfully installed the Charles root SSL certificate and can browse SSL websites using SSL Proxying in Safari, but an app fails, then SSL Pinning is probably the issue.
Just to be certain, is it possible to use an HTTP monitor like Charles Proxy (or another monitor) even though a mobile app uses SSL certificate pinning?
Answer
As Steffen said you might need to patch the app to disable certificate pinning. Most mobile apps don't use it though :) Thus you just need to enable SSL connections with self-signed certificate. To allow that with Android application do following:
- Download apktool from https://ibotpeaches.github.io/Apktool/
- Unpack apk file (according to apktool 2.4.1):
java -jar apktool.jar d app.apk - Modify AndroidManifest.xml by adding
android:networkSecurityConfig="@xml/network_security_config"attribute toapplicationelement. - Create file /res/xml/network_security_config.xml with following content:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config>
<trust-anchors>
<certificates src="system" />
<certificates src="user" />
</trust-anchors>
</base-config>
</network-security-config>
- Build patched apk:
java -jar apktool.jar b app -o app_patched.apk - Generate keys to sign apk:
keytool -genkey -alias keys -keystore keys - Sign apk file:
jarsigner -verbose -keystore keys app_patched.apk keys - If necessary convert apk to jar for further analysis:
d2j-dex2jar.sh app.apk
More information: https://developer.android.com/training/articles/security-config