Does this work with apps that do their own TLS using their own pinned certs? I don't see how it could. Surely that's a lot of high profile apps these days.
If this app works without root, it must be possible for apps on iPhone to add their own certificates to the system, which are then trusted by other applications - that would already be pretty alarming. I think Android still requires certificates to be manually imported by the user. Maybe this app points you to instructions on how to do this, but the description makes it sound very automatic.
On newer versions of Android it can be hard to install a root cert and trust it; mitmproxy and httptoolkit both have some great guides though. On iOS it's easier - but yeah, unfortunately/fortunately certificate-pinned applications won't work.
Depending on how much time you are willing to put in, you could create a list of apps that don't pin and selectively MITM those apps.
Most apps now use certificate pinning, i.e. they have the root certificate included in the app and signed as part of the app, so that method won't work.
On Android it's much easier to intercept and modify the behavior of apps and tell the system to disregard signatures and things of the sort.
Maybe you live in an alternate reality, but in this reality most apps aren’t remotely sensitive enough to use cert pinning.
Also, since Android 7, even non-cert-pinned apps simply ignore user/admin-installed certificates; you can’t do anything without (1) rooting and injecting cert into root trust store; or (2) binary patching. Neither is easy, whereas installing a certificate as a profile on iOS is a trivial process.
Android apps could also do certificate pinning with the same effect though? In this case there isn't any difference between Android and iOS in functionality.
For Android you'll probably need root access (unless the app developer has opted in to loading your user-imported certificate authorities). For iOS this should be easier.
However, many apps apply cert pinning in production builds, which will require tools like Frida to disable them, which in turn requires root access/a jailbreak to function.
Alternatively, you could pull the apps from your phone without root (at least on Android), patch the most obvious cert pinning out (usually in the network manifest file) and install the new version.
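For reference, since several of the comments above turn on what the app's own configuration says, here is an added example (not from any commenter or project on this page) of the Android Network Security Config that governs which CAs an app trusts and which keys it pins. The path res/xml/network_security_config.xml is the standard one referenced from AndroidManifest.xml via android:networkSecurityConfig; the hostname api.example.com and the two pin digests are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example; hostname and pins are placeholders) -->
<network-security-config>
    <!-- Release behaviour: only the pre-installed system roots are trusted.
         This is also the implicit default on Android 7+, which is why a CA
         imported in Settings is ignored by the app unless it opts in. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- The opt-in: src="user" makes the app trust CAs the device owner
         installed (for example a mitmproxy CA). Placing it under
         debug-overrides limits it to builds with android:debuggable="true". -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!-- Pinning: even a trusted CA cannot intercept api.example.com unless the
         served chain contains a key whose SPKI SHA-256 matches a pin.
         A second (backup) pin lets the server rotate keys without
         locking out every installed copy of the app. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Two caveats when reading such a file: the debug-overrides block has no effect on a non-debuggable build, and the platform only enforces pins declared here. Pins implemented in application code (an OkHttp CertificatePinner, a custom TrustManager, or a bundled TLS library that never consults the system store) are unaffected by edits to this XML.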
No, this won't bypass certificate pinning; to do that you need to tamper with the app or hook runtime calls using something like Xposed. There are modules [0] [1] that do this; support depends on the version of Android you're using.
This works as long as the app does not enforce certificate pinning. But if it does, there's no way to override it and inspect what's actually going on, as I can on my desktop.
This situation is the same on Android, presuming you do not have a rooted device. On Android >7 third-party apps do not trust user certificates by default, and a non-root user cannot install new system certificates. And afaik there is nothing stopping them from using custom crypto libraries that do not use the system roots at all. And of course, even if you could decrypt the HTTPS traffic the actual API payloads and endpoints need not be in any kind of human readable format.
I think Android is - and has been - more heavy-handed than Apple here. Even when you could install and trust a new root CA, some apps can and would ignore this. Apps can use certificate pinning on both iOS and Android, but apps on Android just ignore user-added CAs by default on Android 7+, since 2016[1].
On iOS, the process of trusting a root CA is (rightfully) tricky, requiring you to install a profile and jump through some hoops with some scary warnings, but in my experience most apps will trust it unless they're using pinning.
On iOS it is even easier than on Android to add system certificates, and it can be done without rooting or jailbreaking the device, unlike Android. Cert pinning is done by the apps, not the system.
Nice project. I considered doing something similar, but on Android at least some apps use certificate pinning and thus mitmproxy would break them. How does this work on iOS?
However, this is a good opportunity to point out that if you're building an iOS or Android app, you should not only use TLS for all your connections, but also pin your certificates and only confirm a connection after validating that certificate.
There aren't many good reasons why a mobile app should need to depend on the CA system for security. In fact, in a mobile setting, if you're willing to create a separate API endpoint for your app, you can replace the CA system entirely; just create your own CA, sign your own certs, and ship your app with your own root certificate.
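The pinning approach described in the comment above, as an added example in Go (not code from any commenter or project on this page). It pins the SHA-256 of the server key's SubjectPublicKeyInfo, the same value Android's pin-set and OkHttp use, and wires the check into a TLS client so that the device trust store (system or user-added) plays no part in the decision. The hostname api.example.test and the two self-signed certificates are constructed locally so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns "sha256/<base64>" over the certificate's
// SubjectPublicKeyInfo. Pinning the key rather than the whole certificate
// lets the server renew the certificate without shipping a new app build.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedVerifier returns a tls.Config.VerifyPeerCertificate callback that
// accepts the handshake only if some certificate the server presented
// carries a pinned public key. It never consults the device trust store,
// so a CA the user (or an attacker) installed on the phone does not help.
func pinnedVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	allowed := make(map[string]bool, len(pins))
	for _, p := range pins {
		allowed[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if allowed[spkiPin(cert)] {
				return nil
			}
		}
		return errors.New("tls: no certificate in the chain matches a pinned key")
	}
}

// clientConfig wires the pin check into a TLS client. InsecureSkipVerify
// only disables the CA-chain walk against the system roots; the callback
// still runs, and a non-nil error from it aborts the handshake.
func clientConfig(pins []string) *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS12,
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: pinnedVerifier(pins),
	}
}

// selfSigned mints a throwaway self-signed certificate (constructed test
// material, not a real endpoint) so the example runs without a network.
func selfSigned(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	genuine, err := selfSigned("api.example.test")
	if err != nil {
		panic(err)
	}
	// An interception proxy presents its own certificate for the same name,
	// issued by a CA it got onto the device; the name matches, the key does not.
	impostor, err := selfSigned("api.example.test")
	if err != nil {
		panic(err)
	}
	genuineCert, _ := x509.ParseCertificate(genuine)
	cfg := clientConfig([]string{spkiPin(genuineCert)})

	fmt.Println("pinned:       ", spkiPin(genuineCert))
	fmt.Println("genuine chain:", cfg.VerifyPeerCertificate([][]byte{genuine}, nil))
	fmt.Println("proxy chain:  ", cfg.VerifyPeerCertificate([][]byte{impostor}, nil))
}
```

Because InsecureSkipVerify is set, nothing in this callback checks the hostname or validity period; a production client would either add those checks on the leaf or, for the "ship your own root" variant, put only that root in tls.Config.RootCAs and let the normal chain validation run against it alone. Either way, ship at least one backup pin: a pinned key that is lost or rotated without a fallback means every installed copy of the app stops connecting until it is updated.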
That's great, thanks for the link! In recent Android versions it has become difficult to inspect the traffic precisely because certificates installed by users are no longer trusted, so one has to either root the phone or modify the apk.
Do you plan to automate app repackaging with the needed changes, or is there a better method for apps to trust local certificates?