AdguardTeam / adguardcert

Magisk module that allows using AdGuard's HTTPS filtering for all apps
https://adguard.com/
MIT License

adguard cert does not work with work profile #43

Open terrytw opened 1 year ago

terrytw commented 1 year ago

AdGuard version

4.1

Environment

- OS: Android 12
- Device: Xperia 5 II
- Firmware: Latest

Root access

What filters do you have enabled?

No response

What Stealth Mode options do you have enabled?

No response

Issue Details

The adguard cert seems to only move the last cert to system store.

This leaves a problem: if someone enables work profile, there will be 2 certs, either both in /data/misc/user/0/cacerts-added, or in /data/misc/user/0/cacerts-added and /data/misc/user/10/cacerts-added respectively, and adguard only seems to move one of them to the system store.

P.S. If both of them are in /data/misc/user/0/cacerts-added, one of them will end with .1 instead of .0

Expected Behavior

Both regular user (0) and work profile user can have certificates in the system store.

Actual Behavior

For regular user (0) and work profile user, only one of them can have certificate in system store.

Additional Information

No response

Versty commented 1 year ago

@terrytw Hi! Please check if the issue persists on the latest nightly version. We have made some tweaks to the certificates installation flow recently.

terrytw commented 1 year ago

Dear Diana,

Can you please confirm which version of the adguardcert module I should be using in combination with the latest nightly Adguard Android? Should I use v2.0-beta4?

Versty commented 1 year ago

@terrytw Yes, please use this version

terrytw commented 1 year ago

@Versty Dear Diana,

I have tried the latest nightly and adguardcert 2.0 beta4, and the problem persists.

If it helps, you can have the dev try https://play.google.com/store/apps/details?id=com.oasisfeng.island&hl=en_US on your test devices to create work profile and see for yourself.

The issue is actually quite straightforward, basically:

  1. You cannot install cert into work profile's user store, you can only install it in the default user's user store;
  2. All users share the same system store.
  3. adguardcert module only copies one cert into the system store.

I have no idea how the intermediate cert schematic works. I hope you guys can figure out a way to make it work. For now I manually move cert from user 0's user store to user 10's user store, and use a modified https://github.com/ngorskikh/adguardcert (cp instead of mv) to address the issue.

Versty commented 1 year ago

@terrytw At this point, certificates work in pair. If one of them is in the system store, the second one must be in the user store for correct HTTPS filtering.

> adguardcert module only copies one cert into the system store.

Therefore, this behaviour is intended.

terrytw commented 1 year ago

@Versty Yes, I know it is intended, which creates a legitimate problem: https filtering does not work in work profile.

Versty commented 1 year ago

@terrytw We have discussed this issue with developers and transferred it to the appropriate repository.

terrytw commented 1 year ago

@Versty Dear Diana, any update? I saw that you assigned someone then removed the assignment later. Not asking any ETA, just want to know whether this is still being worked on.

GodlikeRU commented 11 months ago

This is still a problem but I found a workaround. You need root.

  1. Using root file manager go to /data/misc/user/0/cacerts-added - this folder contains two adguard certificates installed on your main profile
  2. Copy these two into /data/misc/user/999/cacerts-added - this folder is for work profile certs
  3. Also copy certs to /system/etc/security/certs - this is system wide cert store
  4. Reboot
  5. After rebooting there will be notification that new certificates were installed for work profile
  6. Adguard cert will now work properly on work profile allowing system wide https filtering in auto proxy root mode. It also works properly with VPN at same time

terrytw commented 11 months ago

Yes I have figured it out as well, thank you for sharing anyway. Problem is that after Android 11, even with root permission you cannot write to system partition. I have modified movecert module myself to achieve this. It is just kinda disappointing that the devs just ignored this.

GodlikeRU commented 11 months ago

@terrytw Please share the modified module. It may help people with the same problem. And I agree, it's disappointing we still don't have a fix from the Adguard team. Work profile is getting more and more popular and this will affect more and more people. On Android 10 the above method worked.

terrytw commented 11 months ago

I was going to but it is rather cumbersome. Oh well, here it goes: movecert-1.9-new.zip. You will need to modify post-fs-data.sh because work profile user ID can be any number; for you it is 999, for me it is 10. Also, since you cannot install cert to work profile directly, you will need to install it in main profile and move it from /data/misc/user/0/cacerts-added/ to /data/misc/user/10 (or whatever your work profile user ID is)/cacerts-added/
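Added example, not part of the thread and not code from either module: a read-only check that reports, for every profile under /data/misc/user, whether the certificates in user 0's cacerts-added are also present in that profile's store. It assumes the directory layout quoted in the comments above, the function names are illustrative, and it copies nothing.

```shell
#!/bin/sh
# Added example: read-only audit of per-profile user CA stores (copies nothing).
# Assumption: stores live at <root>/<userId>/cacerts-added, as in the thread.

# Print the numeric user IDs found under root $1, one per line.
list_profiles() {
    for dir in "$1"/*; do
        id=${dir##*/}
        case $id in
            ''|*[!0-9]*) continue ;;   # skip non-numeric entries
        esac
        if [ -d "$dir" ]; then
            echo "$id"
        fi
    done
}

# Succeed if directory $2 holds a file byte-identical to cert $1.
# Content is compared because the suffix (.0, .1) can differ between stores.
store_has_cert() {
    for candidate in "$2"/*; do
        if [ -f "$candidate" ] && cmp -s "$1" "$candidate"; then
            return 0
        fi
    done
    return 1
}

# For each cert in user 0's store, report its status in every other profile.
# Output lines: "<userId> <certFile> present|missing"
audit_stores() {
    root=${1:-/data/misc/user}
    for cert in "$root"/0/cacerts-added/*; do
        [ -f "$cert" ] || continue
        for id in $(list_profiles "$root"); do
            [ "$id" != 0 ] || continue
            if store_has_cert "$cert" "$root/$id/cacerts-added"; then
                echo "$id ${cert##*/} present"
            else
                echo "$id ${cert##*/} missing"
            fi
        done
    done
}

audit_stores "$@"
```

Run it as root on the device with no arguments, or pass a different root directory to check a copied tree offline.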

GodlikeRU commented 11 months ago

There's also another problem that needs looking into by the devs. Adguard from main profile does not detect apps in the work profile, therefore excluding apps on the work profile from protection is impossible. Most of us use work profile to sandbox dangerous intrusive apps like Facebook or Instagram and these work with default settings, but this may be a big problem in the future.

While using default VPN connection way maybe two Adguards can work together, but I am using automatic proxy mode with Root, so real 3rd party VPN can work with Adguard too.

Lhn94 commented 10 months ago

> I was going to but it is rather cumbersome. Oh well, here it goes: movecert-1.9-new.zip. You will need to modify post-fs-data.sh because work profile user ID can be any number; for you it is 999, for me it is 10. Also, since you cannot install cert to work profile directly, you will need to install it in main profile and move it from /data/misc/user/0/cacerts-added/ to /data/misc/user/10 (or whatever your work profile user ID is)/cacerts-added/

Thanks for the module. So I've tried this and got the cert successfully copied over. After reboot, there was also a notification saying a new system cert was installed. BUT, how do I enable HTTPS filtering in Work profile Adguard? I still saw Adguard saying HTTPS filtering is not enabled and to install a cert. Any idea what the next step is?

terrytw commented 10 months ago

You will need to install 2 adguard, one for main profile one for work profile.

Lhn94 commented 10 months ago

Yeah, I meant the work Adguard is showing that HTTPS filtering is not working.

terrytw commented 10 months ago

For latest adguard, you need to make sure that the intermediate cert is still in user store while the other cert is in system store.

Lhn94 commented 10 months ago

Yes, they are in the right stores. But my work profile Adguard still doesn't pick up the certs for HTTPS filtering in VPN mode, and proxy mode simply blocks all connections =<

GodlikeRU commented 10 months ago

You have to be doing something wrong. I have it set in auto proxy mode (ROOT) and HTTPS filtering works on both profiles with certs moved to stores.

EDIT: If you are using proxy root mode then only ONE AdGuard is required, on the main profile.

Lhn94 commented 5 months ago

Finally I've got Adguard to block ads on both profiles in Proxy (Root) Mode, but I'm running into a weird issue where Instagram and Twitter on my Work Profile simply don't load anything/profiles. These apps work just fine in Main profile. The issue is only present when Adguard is On. Anyone got an idea on this?