Android 14 (UpsideDownCake) doesn't see certificate installed in /system/etc/security/cacert
Question
For our automated testing platform for Android emulator, we are able to push a Proxyman certificate to /system/etc/security/cacerts with the tried and tested commands:

1. Start emulator with the -writable-system flag:

       emulator -avd emulator_name -writable-system

2. Prepare Proxyman certificate:

   - openssl x509 -inform PEM -subject_hash_old -in proxyman-ssl-proxying-certificate.pem | head -1
     (it returns a hash for the cert, e.g. 30eb732c)
   - save that to a file: cat proxyman-ssl-proxying-certificate.pem > 30eb732c.0
   - openssl x509 -inform PEM -text -in proxyman-ssl-proxying-certificate.pem -out /dev/null >> 30eb732c.0

3. Push the created 30eb732c.0 to emulator:

       adb root
       adb remount
       adb root
       adb shell avbctl disable-verification
       adb reboot
       adb root
       adb remount
       adb push 30eb732c.0 /system/etc/security/cacerts

I can verify that the file is there by listing all certs with adb shell ls /system/etc/security/cacerts and seeing mine on the list.

With these, we are able to see the traffic in Proxyman on release builds of our apps, up to API 33, and I can see the certificate installed on system partition in the Emulator Settings/Security/Encryption & credentials/Trusted credentials.

With the same steps for Android Emulator UpsideDownCake, I can see that the cert file is indeed in /system/etc/security/cacerts, but the UI doesn't show it, and the traffic also fails to be captured by Proxyman (getting SSL Handshake Failed).

The method for installing cert has been informed by many of these:
- https://stackoverflow.com/questions/58010655/is-adb-remount-broken-on-android-api-29
- https://issuetracker.google.com/issues/144891973?pli=1
- https://gist.github.com/pwlin/8a0d01e6428b7a96e2eb
- https://blog.ropnop.com/configuring-burp-suite-with-android-nougat

I feel like I might be missing something here, but also wondering what's the difference between API 33 and UpsideDownCake emulators. Has anyone been successful in installing a certificate in /system/etc/security/cacerts on Android 14 (UpsideDownCake) emulator?
Answer 1
Score: 2
Android 14 now reads CA certs from within the Conscrypt library's APEX filesystem, at /apex/com.android.conscrypt/cacerts.

That's an awkward problem for use cases like this, because that path is impossible to directly modify or remount. You can try all you like, but APEX modules are loaded using different mechanisms to the rest of the filesystem, and in general if you make simple changes via an ADB shell, apps on the device won't see them - they use isolated mount namespaces, so they'll continue using their original set of mounts independently.

I've done some digging here though, and found some working solutions: you can bind mount an alternative directory into this location, and then use nsenter to duplicate that mount individually into each app's mount namespace, and into the Zygote process (which starts future apps, so that newly launched apps copy this by default).

That's the essence of it. The full steps & background context are quite involved, but I've documented it and built a full script to automate this here: https://httptoolkit.com/blog/android-14-install-system-ca-certificate/

You can see the resulting changes to automate that process in HTTP Toolkit here: https://github.com/httptoolkit/httptoolkit-server/commit/965fd8d9b287af0e4b305d828d5e8e1aa52dce36
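The bind-mount-plus-nsenter approach this answer describes, written out as an added shell example; it is not the asker's command list and not HTTP Toolkit's own script. It assumes the certificate has already been renamed to its subject_hash_old (the question's 30eb732c.0) and pushed to /data/local/tmp (an assumed location, overridable via CERT_FILE), and that it runs from a root adb shell on the Android 14 emulator. The -writable-system / avbctl steps from the question are not needed here, because nothing is written to the /system image: a tmpfs is mounted over /system/etc/security/cacerts as a staging directory and then bind-mounted over the APEX path inside each process's mount namespace. Both mounts are gone after a reboot, so the script has to be rerun on every boot.

```shell
#!/system/bin/sh
# Added example, not the asker's commands or HTTP Toolkit's script: make a CA
# visible in the Conscrypt APEX cert directory on an Android 14 emulator.
# Run from a root adb shell. Assumes the cert was already renamed to its
# subject_hash_old (e.g. 30eb732c.0, as in the question) and pushed with:
#   adb push 30eb732c.0 /data/local/tmp/30eb732c.0

CERT_FILE="${CERT_FILE:-/data/local/tmp/30eb732c.0}"   # assumed location
SYSTEM_CACERTS=/system/etc/security/cacerts             # our staging dir
APEX_CACERTS=/apex/com.android.conscrypt/cacerts        # what Conscrypt reads

# The bind mount must be replayed inside each process's own mount namespace;
# this returns the command for one PID (pure, so it can be checked offline).
inject_mount_cmd() {
    echo "nsenter --mount=/proc/$1/ns/mnt -- mount --bind $SYSTEM_CACERTS $APEX_CACERTS"
}

# Read 'PID PPID' lines on stdin (the shape of 'ps -A -o PID,PPID') and emit
# the PIDs whose parent is one of the given zygote PIDs: the running apps.
# Plain shell parsing, since Android 14's toybox does not ship awk.
app_pids() {
    zygotes="$*"
    while read -r pid ppid _rest; do
        for z in $zygotes; do
            if [ "$ppid" = "$z" ]; then
                echo "$pid"
            fi
        done
    done
}

# The APEX dir is read-only, so build the replacement set elsewhere: a tmpfs
# over the old system dir holding the stock roots plus our certificate.
stage_certs() {
    tmp=/data/local/tmp/cacerts-copy
    mkdir -p -m 700 "$tmp"
    cp "$APEX_CACERTS"/* "$tmp"/             # keep trusting the stock roots
    mount -t tmpfs tmpfs "$SYSTEM_CACERTS"   # lives until reboot only
    mv "$tmp"/* "$SYSTEM_CACERTS"/
    cp "$CERT_FILE" "$SYSTEM_CACERTS"/
    # Apps must be able to read the files, and SELinux must see them as
    # ordinary system files, or the new directory is useless to them.
    chown root:root "$SYSTEM_CACERTS"/*
    chmod 644 "$SYSTEM_CACERTS"/*
    chcon u:object_r:system_file:s0 "$SYSTEM_CACERTS"/*
    rmdir "$tmp"
}

# Replay the mount into the zygotes first (new apps inherit their mounts),
# then into every app already running, each of which has its own namespace.
inject_into_namespaces() {
    zygotes="$(pidof zygote zygote64 2>/dev/null)"   # 64-bit images run both
    [ -n "$zygotes" ] || { echo "no zygote found" >&2; return 1; }
    for z in $zygotes; do
        eval "$(inject_mount_cmd "$z")"
    done
    ps -A -o PID,PPID | app_pids $zygotes | while read -r pid; do
        eval "$(inject_mount_cmd "$pid")" || echo "skipped $pid (exited?)" >&2
    done
}

# Our own adb shell is not in any app namespace, so check through a zygote's.
verify() {
    z="$(pidof zygote zygote64 2>/dev/null | cut -d' ' -f1)"
    name="$(basename "$CERT_FILE")"
    if nsenter --mount=/proc/"$z"/ns/mnt -- ls "$APEX_CACERTS" | grep -qx "$name"; then
        echo "$name is visible in $APEX_CACERTS"
    else
        echo "$name is NOT visible in $APEX_CACERTS" >&2
        return 1
    fi
}

main() {
    if [ "$(id -u)" != 0 ] || [ ! -d "$APEX_CACERTS" ]; then
        echo "needs a root shell on an Android 14 device; nothing done" >&2
        return 0
    fi
    stage_certs && inject_into_namespaces && verify
}
main
```

The verify step matters because a plain `adb shell ls /apex/com.android.conscrypt/cacerts` runs in the shell's own mount namespace and will never show the injected file, which is exactly the symptom in the question; looking through a zygote's namespace shows what newly started apps will see. Apps that were already running are covered by the second loop, but any process that started between the `ps` snapshot and its `nsenter` call is missed, so restart the app under test (or run the script before launching it) to be sure.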
Answer 2
Score: 0
Android 14 looks in this location first:
/apex/com.android.conscrypt/cacerts