ProxymanApp / Proxyman

Modern. Native. Delightful Web Debugging Proxy for macOS, iOS, and Android ⚡️
https://proxyman.io

export .0 cert file for rooted android devices #2121

Open andforce opened 2 weeks ago

andforce commented 2 weeks ago

Description

We would like to add a feature on Mac to “Export certificates in .0 format.”

The current process is somewhat complex. I have to first download the certificate in .pem format on my phone and then convert it to .0 format.

For reference on how to convert a .pem certificate to .0 format, please check: https://blog.csdn.net/haduwi/article/details/125696208

Why this feature/change is important?

I know that Proxyman currently offers a solution for exporting certificates in .pem format, but this process is a bit cumbersome. For rooted Android devices, there is actually a simpler way to capture network traffic:

After exporting the certificate in .pem format, you can use the following command:

openssl x509 -subject_hash_old -in CERT.pem

This command prints a filename on the first line. Rename the file with a .0 extension.

Then, push the renamed file to the /system/etc/security/cacerts/ directory on the phone. This will allow you to capture network traffic easily without needing to configure res/xml/network_security_config.xml in your app.

NghiaTranUIT commented 2 weeks ago

You should use the Automatic Script for Android Emulator: https://docs.proxyman.io/debug-devices/android-device/automatic-script-for-android-emulator

It does everything you mentioned in 1 click.

andforce commented 2 weeks ago

> You should use the Automatic Script for Android Emulator: https://docs.proxyman.io/debug-devices/android-device/automatic-script-for-android-emulator
>
> It does everything you mentioned in 1 click.

The core issue is not that installing the certificate is complicated, but rather that after installing the certificate, you still need to configure res/xml/network_security_config.xml. This means you can’t capture traffic from apps developed by others because you can’t add a new network_security_config.xml to someone else’s app. However, if a certificate file in .0 format is provided, we can capture traffic from all apps installed on the Android phone, not just the ones we developed.

NghiaTranUIT commented 2 weeks ago

I understand it works with the rooted Android device

You can export the PEM file in the Certificate menu -> Export and manually convert it to a .0 cert.

NghiaTranUIT commented 2 weeks ago

May I ask @andforce. Does your approach (.0 cert) work with a normal Android Emulator (which is launched from Android Studio) ?

I'd like to get rid of this res/xml/network_security_config.xml

andforce commented 2 weeks ago

> I understand it works with the rooted Android device
>
> You can export the PEM file in the Certificate menu -> Export and manually convert it to a .0 cert.

I’m currently manually converting certificates into .0 format, which allows for perfect packet capture, but the process is a bit complex.

andforce commented 2 weeks ago

> May I ask @andforce. Does your approach (.0 cert) work with a normal Android Emulator (which is launched from Android Studio) ?
>
> I'd like to get rid of this res/xml/network_security_config.xml

Here’s a simple explanation of why a .0 certificate can bypass the need for res/xml/network_security_config.xml to capture traffic from all apps:

In the Android system, whether it’s an emulator or a physical device, system certificates are stored in /system/etc/security/cacerts/ :

emu64a:/system/etc/security/cacerts # ls
01419da9.0  1e8e7201.0  302904dd.0  3c899c73.0  5046c355.0  5fdd185d.0  76579174.0  86212b19.0  9339512a.0  
...
99e1b953.0  ab5346f4.0  b872f2b4.0  c491639e.0  d16a5865.0  d96b65e2.0  e48193cf.0  f0cd152c.0

These are system-type certificates trusted by the system. So, if we can find a way to place the .0 certificate file into this directory, it will be trusted by the system, allowing us to capture traffic from all apps.
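What the `openssl x509 -subject_hash_old` step in this thread computes, as an added example that is not part of the issue or Proxyman's code: the 8-hex-digit name seen in the cacerts listing is the first four bytes, read little-endian, of the MD5 digest of the certificate's DER-encoded subject. The function names and the sample bytes are constructed for illustration; the sample is a minimal DER skeleton with subject CN=Demo CA, not a real certificate.

```python
import base64, hashlib, re

def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf: bytes, off: int):
    """Return (tag, value_start, end) for the DER element starting at off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def subject_der(cert: bytes) -> bytes:
    """Return the raw DER encoding of the certificate's subject Name."""
    _, body, _ = read_tlv(cert, 0)         # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, body)       # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                        # optional [0] version (absent in v1)
        pos = end
    for _ in range(4):                     # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return cert[pos:end]

def cacerts_filename(cert: bytes, index: int = 0) -> str:
    """File name in the cacerts style: <subject_hash_old>.<index>.
    The index only separates certificates whose hashes collide."""
    digest = hashlib.md5(subject_der(cert)).digest()
    return "%08x.%d" % (int.from_bytes(digest[:4], "little"), index)

# Constructed sample input (DER skeleton, subject and issuer CN=Demo CA).
SAMPLE_NAME = bytes.fromhex("3012 3110 300e 0603550403 0c07 44656d6f204341")
SAMPLE_DER = (bytes.fromhex("303d 3036 a003020102 020101 3000") + SAMPLE_NAME
              + bytes.fromhex("3000") + SAMPLE_NAME + bytes.fromhex("3000 3000 030100"))

if __name__ == "__main__":
    print(cacerts_filename(SAMPLE_DER))
```

For an exported PEM, `cacerts_filename(pem_to_der(open("CERT.pem").read()))` yields the name to give the file before it is placed in the cacerts directory.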